Bad PGP signature

Hello All !

I’m new to NextCloud, and not a very experienced Linux admin, so thank you for bearing with me.

My install of NextCloud 12.0.0.0 on a VPS running Ubuntu 16.04 went smoothly, largely owing to the official instructions posted here.

However, upon checking the PGP signature of the archive downloaded from here, GPG returns the following message:

gpg: Signature made lun. 22 mai 2017 10:33:42 CEST using RSA key ID A724937A
gpg: BAD signature from "Nextcloud Security <security@nextcloud.com>"

Should I be concerned over this message? Have others encountered this issue?

EDIT

My bad, I just noticed I was checking the authenticity of the zip archive against the signature of the tar.bz2 archive. I am now getting a mere warning (below). Sorry for the disturbance.

gpg: Good signature from "Nextcloud Security <security@nextcloud.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2880 6A87 8AE4 23A2 8372  792E D758 99B9 A724 937A

CC @LukasReschke I’ve also been wondering about this actually.


Yes, just noticed the same today. Anxiety-provoking…

Anyone have an answer to this?

The signature itself is valid; the problem is the key. You should go to a GPG key-signing party and meet someone from Nextcloud; once you are sure you trust the Nextcloud key, there is no problem. In GPG there is no central infrastructure for trust and/or verification of trust.

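The two outcomes in this thread (the BAD signature from checking the .zip against the .tar.bz2's .asc, and the "not certified with a trusted signature" warning on an otherwise good signature) can be told apart mechanically by reading gpg's status output and comparing the signing key's primary fingerprint against the one you expect. This is an added example, not code from the thread or from Nextcloud; the fingerprint is the one shown above, and the archive file names in the usage comment are assumed.

```shell
#!/bin/sh
# Added example: classify gpg's machine-readable --status-fd output and pin
# the expected primary key fingerprint, instead of reading the human-oriented
# "Good signature" / "WARNING" text by eye. Obtain the fingerprint you pin
# from the vendor, not from the same place you downloaded the archive.
NEXTCLOUD_FPR="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A"

# Reads "[GNUPG:] ..." status lines on stdin. Return codes:
#   0 good signature by the expected key (TRUST_UNDEFINED is then irrelevant,
#     because the fingerprint comparison replaces the web-of-trust check)
#   1 BADSIG: the data does not match the signature, e.g. the .zip checked
#     against the .tar.bz2's .asc as in the first post, or a tampered file
#   2 valid signature, but from a key other than the expected one
#   3 no signature verdict found in the input
classify_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    verdict=3
    primary=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*) verdict=1 ;;
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <sig-key-fpr> <date> <timestamp> ... <primary-key-fpr>
                # The primary key fingerprint is the last field.
                for field in $line; do primary=$field; done
                if [ "$primary" = "$expected" ]; then verdict=0; else verdict=2; fi ;;
        esac
    done
    case $verdict in
        0) echo "OK: good signature from key $expected" ;;
        1) echo "FAIL: bad signature (wrong file for this .asc, or tampered)" ;;
        2) echo "FAIL: valid signature, but from unexpected key $primary" ;;
        3) echo "FAIL: gpg produced no signature verdict" ;;
    esac
    return $verdict
}

# Usage (file names assumed): verify_archive nextcloud-12.0.0.tar.bz2.asc nextcloud-12.0.0.tar.bz2
# Status lines go to fd 1, the human-readable chatter stays on stderr.
verify_archive() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_status "$NEXTCLOUD_FPR"
}
```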