post by polog on Jun 22, 2017

polog
Jun 2017

Hello All !

I’m new to NextCloud, and not a very experienced Linux admin, so thank you for bearing with me.

My install of NextCloud 12.0.0.0 on a VPS running Ubuntu 16.04 went smoothly, largely owing to the official instructions posted here.

However, upon checking the PGPsignature of the archive downloaded from here, GPG returns the following message :

gpg: Signature made lun. 22 mai 2017 10:33:42 CEST using RSA key ID A724937A
gpg: BAD signature from "Nextcloud Security <security@nextcloud.com>"

Should I be concerned over this message? Have others encountered this issue?

EDIT

My bad, I just noticed I was checking the authenticity of the zip archive against the signature of the tar.bz2 archive. I am now getting a mere warning (below). Sorry for the disturbance.

gpg: Good signature from "Nextcloud Security <security@nextcloud.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2880 6A87 8AE4 23A2 8372  792E D758 99B9 A724 937A

post by enoch85 on Jun 22, 2017

8 days later

post by ir299 on Jul 1, 2017

2 years later

post by enoch85 on Jun 11, 2019

post by tflidd on Jun 11, 2019

tflidd Community leader
Jun 2019

The signature itself is valid, the problem is the key. You should go to a gpg-keysigning-party and meet someone from Nextcloud, once you are sure to trust the Nextcloud key, there is no problem. In gpg there is no central infrastructure for trust and/or verification of trust.

5 years later

Closed on Sep 24, 2024

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.

3 months later

Archived on Dec 9, 2024


Want to read more? Browse other topics in ℹ️ Support or view latest topics.

Powered by Discourse