Hi,

Utter nextcloud n00b.

I followed the instructions as below.

1. Download the [.tar.bz2] or [.zip] archive.

Done

2. Check package integrity using MD5 ([.tar.bz2] / [.zip] or SHA256 ([.tar.bz2] / [.zip])

$ curl download.nextcloud.com/server/releases/nextcloud-23.0.0.zip.sha256
aa296b623b94f5bac65da18468c5f97918003743046a0de097aaea796198c281 nextcloud-23.0.0.zip

Done

3. Verify the authenticity via PGP ([.tar.bz2 ]/ [.zip]). The Nextcloud GPG key [is here]. You can also grab the keys by issueing this command:
   gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 28806A878AE423A28372792ED75899B9A724937A

Ah. Problem:

gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 28806A878AE423A28372792ED75899B9A724937A
gpg: keyserver receive failed: No name

After a bit of googling, I found that ha.pool.sks-keyservers.net is deprecated, and I should use different key servers. I did

$ gpg --keyserver keys.openpgp.org --recv-keys 28806A878AE423A28372792ED75899B9A724937A
gpg: key D75899B9A724937A: no user ID
gpg: Total number processed: 1

How does that tell me the package is correct?

gpg --verify <installation_file>.asc should help you out to check the signature with the public key.

<installation_file>.asc is just a textfile that contains the signature.

Now, the question is rather if you have the right key. The website (https://nextcloud.com/security/) shows the ID and fingerprint:

Key ID: A724937A
Fingerprint: 2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A

you have downloaded the same. It’s not cool that there is no user id.

Cool, thanks, it works with mit.edu server:

gpg --keyserver pgp.mit.edu --recv-keys 28806A878AE423A28372792ED75899B9A724937A

And then:

gpg --verify Nextcloud-3.4.2-x86_64.AppImage.asc