Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

list steps to verify public pgp key used for signing for apt on https://riot.im/desktop.html #6824

Closed
ghost opened this issue May 30, 2018 · 4 comments
Labels
P1 Security T-Defect T-Task Tasks for the team like planning

Comments

@ghost
Copy link

ghost commented May 30, 2018

Description

Over on https://riot.im/desktop.html it says to download and enable the public signing key with curl -L https://riot.im/packages/debian/repo-key.asc | sudo apt-key add - to install riot on Ubuntu.

I took a look at man 8 apt-key and found the following passage:
"It is critical that keys added manually via apt-key are verified to belong to the owner of the repositories they claim to be for otherwise the apt-secure(8) infrastructure is completely undermined."

It seems critical that this need to somehow verify the downloaded public key isn't addressed on that site at all.

It is my opinion that the need to verify should be addressed on https://riot.im/desktop.html and easy to follow step-by-step instructions should be available there, or at least be referenced and linked to there.

These instructions could be about how one finds a chain of trusted signed PGP keys to the downloaded public key and verifies that, or they could be something as simple as posting the fingerprint on https://riot.im/desktop.html and simple instructions on how to verify the fingerprint before enabling it for use with apt.

I realize that this might still a security vulnerability, because one might be served a version of https://riot.im/desktop.html that has been maliciously modified to show a different fingerprint, but https should help prevent that, and this seems better than enabling the downloaded key for apt signing without any verification whatsoever.

@lampholder lampholder added T-Defect T-Task Tasks for the team like planning P1 Security labels May 30, 2018
@uhoreg
Copy link
Member

uhoreg commented Jul 10, 2018

After doing an in-person verification with the Riot repository uploaders, I've signed the repository key with my own key, which is in the Debian keyring, and uploaded it to sks-keyservers.net, so the repository key can be verified in that way. I'm not sure what's the best way to write up instructions for how to do the verification.

@dbkr
Copy link
Member

dbkr commented Aug 3, 2021

The instructions no longer say this & use a specific key for the repo - seems this is no longer relevant?

@SimonBrandner
Copy link
Contributor

Yeah and the author is a ghost, so I think we can close this. Shout if you disagree

@turt2live
Copy link
Member

(being a ghost doesn't make the issue invalid, but agreed that this issue has served its useful purpose)

BBaoVanC added a commit to boba-best/element.boba.best that referenced this issue Oct 11, 2021
* Decrease profile button touch target ([\element-hq#6900](matrix-org/matrix-react-sdk#6900)). Contributed by [ColonisationCaptain](https://github.com/ColonisationCaptain).
* Don't let click events propagate out of context menus ([\element-hq#6892](matrix-org/matrix-react-sdk#6892)).
* Allow closing Dropdown via its chevron ([\element-hq#6885](matrix-org/matrix-react-sdk#6885)). Fixes element-hq#19030 and element-hq#19030.
* Improve AUX panel behaviour ([\element-hq#6699](matrix-org/matrix-react-sdk#6699)). Fixes element-hq#18787 and element-hq#18787. Contributed by [SimonBrandner](https://github.com/SimonBrandner).
* A nicer opening animation for the Image View ([\#6454](matrix-org/matrix-react-sdk#6454)). Fixes element-hq#18186 and element-hq#18186. Contributed by [SimonBrandner](https://github.com/SimonBrandner).
* [Release] Fix space hierarchy pagination ([\element-hq#6910](matrix-org/matrix-react-sdk#6910)).
* Fix leaving space via other client leaving you in undefined-land ([\element-hq#6891](matrix-org/matrix-react-sdk#6891)). Fixes element-hq#18455 and element-hq#18455.
* Handle newer voice message encrypted event format for chat export ([\element-hq#6893](matrix-org/matrix-react-sdk#6893)). Contributed by [jaiwanth-v](https://github.com/jaiwanth-v).
* Fix pagination when filtering space hierarchy ([\element-hq#6876](matrix-org/matrix-react-sdk#6876)). Fixes element-hq#19235 and element-hq#19235.
* Fix spaces null-guard breaking the dispatcher settings watching ([\element-hq#6886](matrix-org/matrix-react-sdk#6886)). Fixes element-hq#19223 and element-hq#19223.
* Fix space children without specific `order` being sorted after those with one ([\element-hq#6878](matrix-org/matrix-react-sdk#6878)). Fixes element-hq#19192 and element-hq#19192.
* Ensure that sub-spaces aren't considered for notification badges ([\element-hq#6881](matrix-org/matrix-react-sdk#6881)). Fixes element-hq#18975 and element-hq#18975.
* Fix timeline autoscroll with non-standard DPI settings. ([\element-hq#6880](matrix-org/matrix-react-sdk#6880)). Fixes element-hq#18984 and element-hq#18984.
* Pluck out JoinRuleSettings styles so they apply in space settings too ([\element-hq#6879](matrix-org/matrix-react-sdk#6879)). Fixes element-hq#19164 and element-hq#19164.
* Null guard around the matrixClient in SpaceStore ([\element-hq#6874](matrix-org/matrix-react-sdk#6874)).
* Fix issue (https ([\element-hq#6871](matrix-org/matrix-react-sdk#6871)). Fixes element-hq#19138 and element-hq#19138. Contributed by [psrpinto](https://github.com/psrpinto).
* Fix pills being cut off in message bubble layout ([\element-hq#6865](matrix-org/matrix-react-sdk#6865)). Fixes element-hq#18627 and element-hq#18627. Contributed by [robintown](https://github.com/robintown).
* Fix space admin check false positive on multiple admins ([\element-hq#6824](matrix-org/matrix-react-sdk#6824)).
* Fix the User View ([\element-hq#6860](matrix-org/matrix-react-sdk#6860)). Fixes element-hq#19158 and element-hq#19158.
* Fix spacing for message composer buttons ([\element-hq#6852](matrix-org/matrix-react-sdk#6852)). Fixes element-hq#18999 and element-hq#18999.
* Always show root event of a thread in room's timeline ([\element-hq#6842](matrix-org/matrix-react-sdk#6842)). Fixes element-hq#19016 and element-hq#19016.
williamkray added a commit to williamkray/element-web that referenced this issue Nov 9, 2021
* Decrease profile button touch target ([\element-hq#6900](matrix-org/matrix-react-sdk#6900)). Contributed by [ColonisationCaptain](https://github.com/ColonisationCaptain).
* Don't let click events propagate out of context menus ([\element-hq#6892](matrix-org/matrix-react-sdk#6892)).
* Allow closing Dropdown via its chevron ([\element-hq#6885](matrix-org/matrix-react-sdk#6885)). Fixes element-hq#19030 and element-hq#19030.
* Improve AUX panel behaviour ([\element-hq#6699](matrix-org/matrix-react-sdk#6699)). Fixes element-hq#18787 and element-hq#18787. Contributed by [SimonBrandner](https://github.com/SimonBrandner).
* A nicer opening animation for the Image View ([\#6454](matrix-org/matrix-react-sdk#6454)). Fixes element-hq#18186 and element-hq#18186. Contributed by [SimonBrandner](https://github.com/SimonBrandner).
* [Release] Fix space hierarchy pagination ([\element-hq#6910](matrix-org/matrix-react-sdk#6910)).
* Fix leaving space via other client leaving you in undefined-land ([\element-hq#6891](matrix-org/matrix-react-sdk#6891)). Fixes element-hq#18455 and element-hq#18455.
* Handle newer voice message encrypted event format for chat export ([\element-hq#6893](matrix-org/matrix-react-sdk#6893)). Contributed by [jaiwanth-v](https://github.com/jaiwanth-v).
* Fix pagination when filtering space hierarchy ([\element-hq#6876](matrix-org/matrix-react-sdk#6876)). Fixes element-hq#19235 and element-hq#19235.
* Fix spaces null-guard breaking the dispatcher settings watching ([\element-hq#6886](matrix-org/matrix-react-sdk#6886)). Fixes element-hq#19223 and element-hq#19223.
* Fix space children without specific `order` being sorted after those with one ([\element-hq#6878](matrix-org/matrix-react-sdk#6878)). Fixes element-hq#19192 and element-hq#19192.
* Ensure that sub-spaces aren't considered for notification badges ([\element-hq#6881](matrix-org/matrix-react-sdk#6881)). Fixes element-hq#18975 and element-hq#18975.
* Fix timeline autoscroll with non-standard DPI settings. ([\element-hq#6880](matrix-org/matrix-react-sdk#6880)). Fixes element-hq#18984 and element-hq#18984.
* Pluck out JoinRuleSettings styles so they apply in space settings too ([\element-hq#6879](matrix-org/matrix-react-sdk#6879)). Fixes element-hq#19164 and element-hq#19164.
* Null guard around the matrixClient in SpaceStore ([\element-hq#6874](matrix-org/matrix-react-sdk#6874)).
* Fix issue (https ([\element-hq#6871](matrix-org/matrix-react-sdk#6871)). Fixes element-hq#19138 and element-hq#19138. Contributed by [psrpinto](https://github.com/psrpinto).
* Fix pills being cut off in message bubble layout ([\element-hq#6865](matrix-org/matrix-react-sdk#6865)). Fixes element-hq#18627 and element-hq#18627. Contributed by [robintown](https://github.com/robintown).
* Fix space admin check false positive on multiple admins ([\element-hq#6824](matrix-org/matrix-react-sdk#6824)).
* Fix the User View ([\element-hq#6860](matrix-org/matrix-react-sdk#6860)). Fixes element-hq#19158 and element-hq#19158.
* Fix spacing for message composer buttons ([\element-hq#6852](matrix-org/matrix-react-sdk#6852)). Fixes element-hq#18999 and element-hq#18999.
* Always show root event of a thread in room's timeline ([\element-hq#6842](matrix-org/matrix-react-sdk#6842)). Fixes element-hq#19016 and element-hq#19016.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
P1 Security T-Defect T-Task Tasks for the team like planning
Projects
None yet
Development

No branches or pull requests

5 participants