Install-instructions for Linux: Add a way to verify fingerprint of keys.asc #4249
Comments
This is very similar to a general 'linux install improvement' issue currently open: #3714
It's not a fingerprint that's added to apt-keychain, it's a public key. This makes apt able to verify the metadata of the repository, which specifies the checksums of the packages downloaded from If you downloaded a .deb file separately ("the Windows .exe way"), it would need to be verified, and that's the same approach that the Tor Browser article takes. There is also a signature inside the .deb files, and I think you can force dpkg to add a verification of this, such that you guard yourself from being tempted to install unsigned or untrusted .deb files with To know more, check out this article which explains both apt and dpkg (repository and package) approaches to verification.
The installation instructions have to be improved as with #3714 -- but I am not sure if Signal will benefit from venturing down a road of encouraging to download .deb files and voluntarily check their signatures.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Dear developers,
It would be very nice if you added some kind of verification method for the fingerprint of the keys.asc file found at https://updates.signal.org/desktop/apt/keys.asc
The current install method for Linux works superbly and out-of-the-box, but I expect many security-conscious users would prefer at least to be able to verify the fingerprint before adding it to their apt-keychain. Right now I don't see any way of verifying the key for normal users.
(For inspiration, this is how Tor Browser advises its users to verify their key: https://support.torproject.org/tbb/how-to-verify-signature/ )
Best regards,
Johay
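The check requested in this issue, sketched as an added example (not part of the original post and not Signal's own tooling): list a downloaded key file without importing it and compare its primary-key fingerprint with one obtained out-of-band. The function names are hypothetical, and the expected fingerprint is an assumption the user must supply from a channel independent of the download, since this page does not publish one.

```shell
#!/bin/sh
# Added example: compare a downloaded apt signing key against a fingerprint
# obtained out-of-band before trusting it. Function names are hypothetical.

# Strip whitespace and upper-case, so "ab12 cd34" and "AB12CD34" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the fingerprint of each
# primary key. A "pub" record is followed by its own "fpr" record with the
# fingerprint in field 10; "fpr" records after "sub" are subkeys and skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Succeed only if the listing on stdin holds exactly one primary key and its
# fingerprint equals the expected one. A file carrying extra keys is rejected,
# because apt would trust every key in it.
listing_matches() {
    expected=$(normalize_fpr "$1")
    found=$(primary_fingerprints)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || return 1
    [ -n "$expected" ] && [ "$(normalize_fpr "$found")" = "$expected" ]
}

# Usage: verify_key_file keys.asc "<fingerprint from an independent channel>"
# --show-keys lists the file's keys without adding them to any keyring.
verify_key_file() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | listing_matches "$2"
}
```

Only after `verify_key_file` succeeds would the key file be handed to apt; a fingerprint copied from the same server as the key proves nothing about the key's origin.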