It would be nice to mention this important information. Also the public key 28806A878AE423A28372792ED75899B9A724937A used for signing the releases is not verified on https://keys.openpgp.org/
After some searching I found https://nextcloud.com/security/ which offers the public key. But to take friction out of the process of finding that important information both suggestions above should be fairly easy to do and simplify the process for users.
Ok, at least you can find it. For the repository, it would be best to have it in the release section but I don’t know if that is possible. It would be best to raise this issue there:
Can do, but could you elaborate how you think this is an issue for nextcloud desktop client as it affects all releases on GitHub (server, iOS, Android, desktop, …).
The mobile clients are often downloaded through an app store, so you can’t easily verify yourself.
But it would apply as well for the server repository. For the Nextcloud apps, it should be done through Nextcloud itself (I suppose). Or start in the server repo, and then they can check out where it might apply as well. In the end, it could be added everywhere since it would apply for developers.
I am just an enduser trying to verify what I am installing. Any chance at least the public key could be uploaded to keys.openpgp.org? It is still not present and upload and verification should be trivial.
Uploading is straightforward. At which step are you running into trouble? Go to keys.openpgp.org and then upload the public key. Then verify the email address.
Yes, but I didn’t put it there and I’m not attached to the Nextcloud company, just some random guy in the community. So I could upload and verify with my personal mail address, but so can you!
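As an added example (not from this thread and not Nextcloud's own tooling), the script below shows the verification step the end user above is after: it fetches the key by the fingerprint quoted in the thread from keys.openpgp.org, pins that fingerprint instead of relying on keyserver or web-of-trust results, and then checks a detached signature. The artifact and signature paths, the colon-listing sample and its user ID are constructed; gpg on PATH and network access are assumed for the live check.

```python
"""Fingerprint-pinned verification of a release signature (added example)."""
import subprocess
import tempfile
import urllib.request

# Fingerprint quoted in the thread; the key is fetched by fingerprint, not by name.
EXPECTED_FPR = "28806A878AE423A28372792ED75899B9A724937A"
VKS_URL = "https://keys.openpgp.org/vks/v1/by-fingerprint/"  # keys.openpgp.org VKS API

# Constructed sample of `gpg --with-colons --fingerprint --list-keys` output
# (user ID and subkey fingerprint are placeholders, not Nextcloud's real data).
SAMPLE_LISTING = "\n".join([
    "pub:-:4096:1:D75899B9A724937A:1500000000::::::scESC::::::23::0:",
    ":".join(["fpr"] + [""] * 8 + [EXPECTED_FPR, ""]),
    "uid:-::::1500000000::0000::Example Signer <signer@example.org>::::::::::0:",
    "sub:-:4096:1:0000000000000000:1500000000::::::s::::::23:",
    ":".join(["fpr"] + [""] * 8 + ["0" * 40, ""]),
])

def fingerprints_from_colons(output: str) -> list[str]:
    """Primary-key fingerprints only: the 'fpr' record that follows a 'pub' record."""
    fprs, after_pub = [], False
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "fpr" and after_pub:
            fprs.append(fields[9].upper())   # field 10 holds the fingerprint
            after_pub = False                # skip the following subkey 'fpr'
    return fprs

def key_is_pinned(output: str, expected: str = EXPECTED_FPR) -> bool:
    """True only if the keyring holds exactly one primary key and it is the pinned one."""
    return fingerprints_from_colons(output) == [expected.replace(" ", "").upper()]

def verify_release(artifact: str, signature: str, expected: str = EXPECTED_FPR) -> bool:
    """Import the key into a throwaway keyring, pin the fingerprint, verify the .asc."""
    with tempfile.TemporaryDirectory() as home:
        gpg = ["gpg", "--homedir", home, "--batch"]
        key = urllib.request.urlopen(VKS_URL + expected, timeout=30).read()
        subprocess.run(gpg + ["--import"], input=key, check=True, capture_output=True)
        listing = subprocess.run(gpg + ["--with-colons", "--fingerprint", "--list-keys"],
                                 capture_output=True, text=True, check=True).stdout
        if not key_is_pinned(listing, expected):
            return False  # keyserver returned something other than the pinned key
        res = subprocess.run(gpg + ["--status-fd", "1", "--verify", signature, artifact],
                             capture_output=True, text=True)
        # VALIDSIG's last field is the primary-key fingerprint of the signing key;
        # matching it against the pin is what makes the result meaningful.
        return any(l.startswith("[GNUPG:] VALIDSIG") and l.split()[-1] == expected
                   for l in res.stdout.splitlines())
```

Usage: `verify_release("Nextcloud.AppImage", "Nextcloud.AppImage.asc")` returns True only when the signature is good and was made by the pinned key.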