Bug 8421

Summary: Instructions to verify RPM signatures miss good security practices
Product: ThinLinc
Reporter: William Sjöblom <wilsj>
Component: Documentation
Assignee: Bugzilla mail exporter <bugzilla-qa>
Status: CLOSED FIXED
Severity: Normal
CC: emeer
Priority: P2
Keywords: emeer_tester, prosaic
Version: trunk
Target Milestone: 4.18.0
Hardware: PC
OS: Unknown
See Also: https://bugzilla.cendio.com/show_bug.cgi?id=8420
          https://bugzilla.cendio.com/show_bug.cgi?id=8417
Acceptance Criteria:

Description William Sjöblom cendio 2024-09-06 16:54:40 CEST
- https://www.cendio.com/resources/docs/tag/install_install.html#verifying-the-server-rpm
- https://www.cendio.com/resources/docs/tag/client_linux.html#verifying-the-client-rpms

Right now, these sections *assume* the user is aware of good security practices. An example of this could be downloading the public key at different times from different places and comparing the copies.

As it stands right now, reading these sections makes it sound like verifying the RPMs using the public key in the same ZIP is a valid way to ensure authenticity of the RPMs.

The fact that we do not mention such practices is problematic for two reasons:

1. New users may get a false sense of trust by missing out on these security practices.

2. Experienced users that know about these practices may lose confidence in Cendio's general security practices for failing to mention it.
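The practice the report asks for, as an added shell example that is not part of this bug or of Cendio's documentation: the fingerprint of the key bundled with the RPMs is compared with a fingerprint obtained independently (the third argument stands for the copy published on the vendor's web page or fetched from a key server) before the key is trusted for `rpm --checksig`. It assumes GnuPG 2.2 or later and rpm are installed; the file names and the fingerprint are placeholders.

```shell
#!/bin/bash
# Added example (not from the bug or Cendio docs): trust the bundled key only
# after its fingerprint matches one obtained out-of-band.
set -eu

# Normalise a fingerprint for comparison: strip whitespace and an optional
# "0x" prefix, upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr '[:lower:]' '[:upper:]'
}

# Succeed only if both are full 40-hex-digit (v4) fingerprints and equal, so a
# short key ID can never pass as a fingerprint.
fingerprints_match() {
    local a b
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    printf '%s' "$a" | grep -Eq '^[0-9A-F]{40}$' || return 1
    [ "$a" = "$b" ]
}

# Fingerprint of the primary key in an ASCII-armoured key file, read without
# importing it anywhere (GnuPG >= 2.2).
key_file_fingerprint() {
    gpg --batch --show-keys --with-colons "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_rpm <key.asc from the ZIP> <package.rpm> <independently obtained fingerprint>
verify_rpm() {
    local key_file=$1 rpm_file=$2 published_fp=$3 actual_fp dbpath
    actual_fp=$(key_file_fingerprint "$key_file")
    if ! fingerprints_match "$actual_fp" "$published_fp"; then
        echo "REFUSING: $key_file has fingerprint $actual_fp, expected $published_fp" >&2
        return 1
    fi
    # Import into a throwaway RPM database so the system one is left untouched.
    dbpath=$(mktemp -d)
    rpm --dbpath "$dbpath" --import "$key_file"
    rpm --dbpath "$dbpath" --checksig --verbose "$rpm_file"
    rm -rf "$dbpath"
}

# Only run when invoked with the three arguments; as a library it just defines
# the functions above.
if [ "$#" -eq 3 ]; then
    verify_rpm "$1" "$2" "$3"
fi
```

A key whose fingerprint does not match the independently obtained one is refused before anything is imported, which is exactly the check that trusting the key shipped in the same ZIP skips.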
Comment 2 William Sjöblom cendio 2024-10-08 12:59:48 CEST
We now publish the public key and associated fingerprint on our web page. In the TAG we also mention the use of key servers for fetching the public key.

Marking as resolved.
Comment 4 Emelie cendio 2024-10-29 09:18:29 CET
MR 21 looks good to me!