Provide OpenPGP release signing key

Releases on GitHub (e.g. Releases · nextcloud/desktop · GitHub) offer signature files, but there is no mention of where to find the signing key.

It would be nice to mention this important information. Also the public key 28806A878AE423A28372792ED75899B9A724937A used for signing the releases is not verified on https://keys.openpgp.org/

After some searching I found https://nextcloud.com/security/ which offers the public key. But to take friction out of the process of finding that important information, both suggestions above should be fairly easy to do and would simplify the process for users.
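An added example (not from the original post and not Nextcloud's own tooling) of what the verification step looks like once the key has been located. It assumes the fingerprint quoted above is the one to pin, and it parses `gpg --status-fd` output rather than relying on the exit code, because a plain `gpg --verify` returning 0 only proves that some key in the local keyring made the signature. The status lines it checks offline are constructed samples; the user IDs and the subkey fingerprint in them are placeholders, not Nextcloud's.

```shell
#!/bin/sh
# Added example: pin a release signature to a known OpenPGP fingerprint.
# RELEASE_KEY_FPR is the fingerprint quoted in this thread; the sample status
# lines below are constructed for an offline run, not captured from a real release.

RELEASE_KEY_FPR="28806A878AE423A28372792ED75899B9A724937A"

# check_validsig EXPECTED_FPR
# Reads `gpg --status-fd` lines on stdin and returns 0 only if a VALIDSIG line
# names EXPECTED_FPR as the *primary* key fingerprint (its last field). The first
# field of VALIDSIG is the fingerprint of the (sub)key that made the signature,
# which is often not the fingerprint a project publishes on its security page.
check_validsig() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    rc=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                primary=${line##* }            # last whitespace-separated field
                [ "$primary" = "$expected" ] && rc=0
                ;;
        esac
    done
    return "$rc"
}

# verify_release FILE SIGNATURE
# Runs gpg and pins the signer. Needs gpg on PATH and the key in the keyring, e.g.
#   gpg --keyserver hkps://keys.openpgp.org --recv-keys "$RELEASE_KEY_FPR"
# Exit code 0 from gpg alone only says *some* keyring key made the signature;
# the fingerprint comparison is what ties the artifact to the project.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | check_validsig "$RELEASE_KEY_FPR"
}

# Constructed gpg --status-fd samples (made up for this example; the user IDs and
# the subkey fingerprint are placeholders).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D75899B9A724937A Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 10 00 28806A878AE423A28372792ED75899B9A724937A'

# Cryptographically valid signature, but from a key that is not the pinned one.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <else@example.org>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2024-01-01 1704067200 0 4 0 1 10 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF'

# Corrupted artifact: gpg emits BADSIG and no VALIDSIG at all.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG D75899B9A724937A Example Signer <signer@example.org>'

# Self-check when run directly (offline, uses only the constructed samples):
printf '%s\n' "$SAMPLE_GOOD"      | check_validsig "$RELEASE_KEY_FPR" && echo "good: pinned key matched"
printf '%s\n' "$SAMPLE_OTHER_KEY" | check_validsig "$RELEASE_KEY_FPR" || echo "other key: rejected"
printf '%s\n' "$SAMPLE_BAD"       | check_validsig "$RELEASE_KEY_FPR" || echo "bad signature: rejected"
```

For a real download, `verify_release FILE FILE.asc` is the call to make after importing the key by its fingerprint from keys.openpgp.org; comparing the primary-key fingerprint rather than the GOODSIG key ID matters because short and long key IDs can be collided, while the full fingerprint cannot be chosen by an attacker.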

Ok, at least you can find it. For the repository, it would be best to have it in the release section, but I don’t know if that is possible. It would be best to raise this issue there:

Can do, but could you elaborate on how you think this is an issue for the Nextcloud desktop client, as it affects all releases on GitHub (server, iOS, Android, desktop, …).

The mobile clients are often downloaded through an app store, so you can’t easily verify them yourself.

But it would apply as well to the server repository. For the Nextcloud apps, it should be done through Nextcloud itself (I suppose). Or start in the server repo, and then they can check where else it might apply. In the end, it could be added everywhere since it would apply to developers.

I am just an end user trying to verify what I am installing. Any chance at least the public key could be uploaded to keys.openpgp.org? It is still not present, and upload and verification should be trivial.

Public key still not on keys.openpgp.org so far :frowning:

Yes there is:
https://keys.openpgp.org/search?q=28806A878AE423A28372792ED75899B9A724937A

and a pull request for the homepage:

Thanks for taking action in regard to this problem. Can you share the email address used in that key?

I think the email address has not yet been verified on keys.openpgp.org, and without that the public key is not usable. Can you please double-check?

I haven’t uploaded it, so I don’t know that. I could just get the key manually with the command that was in the pull request.

Uploading is straightforward. At which step are you running into trouble? Go to https://keys.openpgp.org/upload and upload the public key. Then verify the email address.

Yes, but I didn’t put it there and I’m not attached to the Nextcloud company, just some random guy in the community. So I could upload and verify with my personal mail address, but so can you!

So how can someone be reached at Nextcloud? Are they reading this forum? How do we move forward? Create an issue?

We have linked the corresponding issue on the website bug tracker.

Which issue are you referring to? This here? Replace PGP keyserver sks-keyservers.net with keys.openpgp.org by tcitworld · Pull Request #1632 · nextcloud/nextcloud.com · GitHub