Bug 8421 - Instructions to verify RPM signatures miss good security practices
Summary: Instructions to verify RPM signatures miss good security practices
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Documentation
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.18.0
Assignee: Bugzilla mail exporter
URL:
Keywords: emeer_tester, prosaic
Depends on:
Blocks:
 
Reported: 2024-09-06 16:54 CEST by William Sjöblom
Modified: 2024-10-29 09:18 CET

See Also:
Acceptance Criteria:


Attachments

Description William Sjöblom cendio 2024-09-06 16:54:40 CEST
- https://www.cendio.com/resources/docs/tag/install_install.html#verifying-the-server-rpm
- https://www.cendio.com/resources/docs/tag/client_linux.html#verifying-the-client-rpms

Right now, these sections *assume* the user is aware of good security practices. An example of this could for example be downloading the public key at different times from different places and comparing it.

As it stands right now, reading these sections makes it sound like verifying the RPMs using the public key in the same ZIP is a valid way to ensure authenticity of the RPMs.

The fact that we do not mention such practices is problematic for two reasons:

1. New users may get a false sense of trust by missing out on these security practices. 

2. Experienced users that know about these practices may lose confidence in Cendio's general security practices for failing to mention it.
Comment 2 William Sjöblom cendio 2024-10-08 12:59:48 CEST
We now publish the public key and associated fingerprint on our web page. In the TAG we also mention the use of key servers for fetching the public key.

Marking as resolved.
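The practice the bug asks the documentation to spell out, as an added example that is not part of the bug report or of Cendio's documentation: the signing key shipped next to the RPMs is only trusted after its fingerprint has been compared with a fingerprint obtained out of band (the vendor's web page or a key server, as Comment 2 describes), and only then is it used to check the package signature. The fingerprint and file names are placeholders, the temporary rpm database is my choice so the system keyring is left untouched, and `gpg --show-keys` (GnuPG 2.1.23 and later) is assumed to be available.

```shell
#!/bin/sh
# Added example, not Cendio's tooling. Cross-check a downloaded signing key
# against an independently published fingerprint before using it to verify
# a ThinLinc RPM. All fingerprint values here are constructed placeholders.

# Normalise a fingerprint for comparison: drop whitespace, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Return 0 when two fingerprints denote the same key, 1 otherwise.
# Only a full 40-hex-digit fingerprint is accepted: short key IDs are
# cheap to collide and an empty value (gpg failed) must never match.
fingerprint_matches() {
    expected=$(normalize_fpr "$1")
    actual=$(normalize_fpr "$2")
    [ -n "$actual" ] && [ ${#actual} -eq 40 ] && [ "$expected" = "$actual" ]
}

# Primary-key fingerprint of an ASCII-armoured key file, read without
# importing it into any keyring (colon output, field 10 of the "fpr" line).
key_fingerprint() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Full flow: key file from the download, fingerprint obtained out of band
# (vendor web page or key server), and the RPM to check.
verify_rpm_with_checked_key() {
    keyfile=$1; expected_fpr=$2; rpmfile=$3
    actual_fpr=$(key_fingerprint "$keyfile")
    if ! fingerprint_matches "$expected_fpr" "$actual_fpr"; then
        echo "key fingerprint mismatch: expected $expected_fpr, got ${actual_fpr:-<none>}" >&2
        return 1
    fi
    # Throwaway rpm database: no root rights and no change to the host keyring.
    tmpdb=$(mktemp -d)
    rpm --dbpath "$tmpdb" --initdb
    rpm --dbpath "$tmpdb" --import "$keyfile"
    rpm --dbpath "$tmpdb" --checksig "$rpmfile"
    rc=$?
    rm -rf "$tmpdb"
    return $rc
}

# Usage: sh verify.sh <key.asc> "<fingerprint from vendor web page>" <package.rpm>
# Example placeholder fingerprint: "ABCD EF01 2345 6789 ABCD EF01 2345 6789 ABCD EF01"
if [ "$#" -eq 3 ]; then
    verify_rpm_with_checked_key "$1" "$2" "$3"
fi
```

Read the line `rpm --checksig` prints rather than relying on the exit status alone: `NOKEY` in that line means the signature was made by a key other than the one just imported, so the check proved nothing about the package.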
Comment 4 Emelie cendio 2024-10-29 09:18:29 CET
MR 21 looks good to me!
