Please update the installation docs: "gpg: keyserver receive failed: No name"

Hi,

Utter nextcloud n00b.

I followed the instructions as below.

  1. Download the [.tar.bz2] or [.zip] archive.

Done

  2. Check package integrity using MD5 ([.tar.bz2] / [.zip]) or SHA256 ([.tar.bz2] / [.zip])

$ curl download.nextcloud.com/server/releases/nextcloud-23.0.0.zip.sha256
aa296b623b94f5bac65da18468c5f97918003743046a0de097aaea796198c281 nextcloud-23.0.0.zip

Done

  3. Verify the authenticity via PGP ([.tar.bz2] / [.zip]). The Nextcloud GPG key [is here]. You can also grab the keys by issuing this command:
    gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 28806A878AE423A28372792ED75899B9A724937A

Ah. Problem:

gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 28806A878AE423A28372792ED75899B9A724937A
gpg: keyserver receive failed: No name

After a bit of googling, I found that ha.pool.sks-keyservers.net is deprecated, and I should use different key servers. I did

$ gpg --keyserver keys.openpgp.org --recv-keys 28806A878AE423A28372792ED75899B9A724937A
gpg: key D75899B9A724937A: no user ID
gpg: Total number processed: 1

How does that tell me the package is correct?

2 Likes

gpg --verify <installation_file>.asc should help you out to check the signature with the public key.

<installation_file>.asc is just a textfile that contains the signature.

Now, the question is rather if you have the right key. The website (https://nextcloud.com/security/) shows the ID and fingerprint:

Key ID: A724937A
Fingerprint: 2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A

You have downloaded the same. It’s not cool that there is no user ID.

1 Like
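A script that does what the reply above describes, added here as an example (it is not from the thread or the Nextcloud docs): it fetches the key, compares the key's fingerprint with the one published on the website instead of relying on a user ID, then checks the detached signature and the SHA-256. It assumes gpg, sha256sum and awk are installed and that the .asc and .sha256 files sit beside the archive.

```shell
#!/bin/sh
# Added example, not from the thread or the Nextcloud docs. Assumes gpg,
# sha256sum and awk are installed and the .asc/.sha256 files sit beside the archive.
set -eu

KEYSERVER="${KEYSERVER:-keys.openpgp.org}"
# Fingerprint as published on https://nextcloud.com/security/ (quoted in the thread).
EXPECTED_FPR="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A"

# Strip spaces and upper-case, so the website's spaced form and gpg's
# compact form compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Print the fingerprint(s) found in `gpg --with-colons` output read from stdin:
# the record type is field 1, and "fpr" records carry the fingerprint in field 10.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Succeed only if the colon output on stdin contains the expected fingerprint.
# The fingerprint is the identity to check; a user ID is not (keys.openpgp.org
# serves keys without user IDs unless the holder has verified them).
key_matches() {
    fpr_from_colons | grep -qx "$(normalize_fpr "$1")"
}

# Compare the archive's SHA-256 with the first field of its .sha256 file.
sha256_matches() {
    expected=$(awk '{ print $1 }' "$1.sha256")
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Full check for one release archive, e.g. nextcloud-23.0.0.zip.
verify_release() {
    fpr=$(normalize_fpr "$EXPECTED_FPR")
    gpg --keyserver "$KEYSERVER" --recv-keys "$fpr"
    gpg --with-colons --fingerprint "$fpr" | key_matches "$EXPECTED_FPR" \
        || { echo "key fingerprint does not match the website" >&2; return 1; }
    # .asc is a detached signature over the archive; name both files explicitly.
    gpg --verify "$1.asc" "$1"
    sha256_matches "$1" || { echo "SHA-256 mismatch" >&2; return 1; }
    echo "OK: $1 is signed by $fpr and matches its checksum"
}

if [ -n "${1:-}" ]; then verify_release "$1"; fi
```

Run it as `sh verify.sh nextcloud-23.0.0.zip`; a mismatch in either the fingerprint, the signature or the checksum makes it exit non-zero.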

Cool, thanks, it works with the mit.edu server:

gpg --keyserver pgp.mit.edu --recv-keys 28806A878AE423A28372792ED75899B9A724937A

And then:

gpg --verify Nextcloud-3.4.2-x86_64.AppImage.asc

And maybe you could ask someone like Bruce Schneier, or some additional publicly-searchable security mavens to sign the key, too? It would feel much less like “whistling past the graveyard” to be verifying the authenticity of a new piece of software with a key I’ve never used before.

Well, you can get the key from a key server. And the website and download page are independent and ideally not compromised at the same time.

For updates it is probably more interesting: if someone manages to compromise the download server, then for a new version many setups get the compromised version, and that would be really bad.