Description
Over on https://riot.im/desktop.html it says to download and enable the public signing key with `curl -L https://riot.im/packages/debian/repo-key.asc | sudo apt-key add -` to install Riot on Ubuntu.
I took a look at `man 8 apt-key` and found the following passage:
"It is critical that keys added manually via apt-key are verified to belong to the owner of the repositories they claim to be for otherwise the apt-secure(8) infrastructure is completely undermined."
It seems critical that this need to somehow verify the downloaded public key isn't addressed on that site at all.
It is my opinion that the need to verify should be addressed on https://riot.im/desktop.html and easy-to-follow step-by-step instructions should be available there, or at least be referenced and linked to there.
These instructions could be about how one finds a chain of trusted signed PGP keys to the downloaded public key and verifies that, or they could be something as simple as posting the fingerprint on https://riot.im/desktop.html and simple instructions on how to verify the fingerprint before enabling it for use with apt.
I realize that this might still be a security vulnerability, because one might be served a version of https://riot.im/desktop.html that has been maliciously modified to show a different fingerprint, but https should help prevent that, and this seems better than enabling the downloaded key for apt signing without any verification whatsoever.
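As an added illustration of the check the issue asks for (not code from the issue author or from the Riot project), the script below shows what "verify the fingerprint before enabling it for apt" actually computes: it de-armors an ASCII-armored public key block, checks the armor's CRC24, locates the first public-key packet, derives the OpenPGP v4 fingerprint (SHA-1 over `0x99`, the two-byte packet length and the packet body), and compares it in constant time against a fingerprint the user obtained from a trusted source such as the download page. In practice `gpg --with-fingerprint repo-key.asc` does the same computation; the point here is to make visible what is being compared. `SAMPLE_KEY` is a constructed dummy key built inline so the script runs offline; it is not the Riot repository key, and the real expected fingerprint would have to come from the site, not from this code.

```python
import base64
import hashlib
import hmac
import re
import struct

ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armored: str) -> bytes:
    """Strip ASCII armor, verify the CRC24 trailer, return the raw packets."""
    lines = armored.strip().splitlines()
    if lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("not an armored public key block")
    body = lines[1:-1]
    if "" in body:                      # drop armor headers (Comment:, Version:)
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    if crc_line is not None:
        stated = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        if stated != crc24(data):
            raise ValueError("armor CRC24 mismatch: key block corrupted or altered")
    return data


def first_public_key_packet(data: bytes) -> bytes:
    """Walk the packet stream and return the body of the first tag-6 packet."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("invalid packet header")
        if ctb & 0x40:                  # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = {0: 1, 1: 2, 2: 4}[ltype]
            length, hdr = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), 1 + size
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        if tag == 6:
            return body
        pos += hdr + length
    raise ValueError("no public-key packet found")


def fingerprint_v4(body: bytes) -> str:
    """SHA-1 over 0x99 || two-byte length || packet body (RFC 4880 section 12.2)."""
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_fingerprint(armored: str) -> str:
    return fingerprint_v4(first_public_key_packet(dearmor(armored)))


def verify_key_fingerprint(armored: str, expected: str) -> bool:
    """Compare against a fingerprint obtained out of band; spacing and case are ignored."""
    want = re.sub(r"\s+", "", expected).upper()
    return hmac.compare_digest(want, key_fingerprint(armored))


def _mpi(value: bytes) -> bytes:
    return struct.pack(">H", int.from_bytes(value, "big").bit_length()) + value


def armor(data: bytes) -> str:
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([ARMOR_BEGIN, "Comment: constructed sample, not a real key", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=" + crc, ARMOR_END])


# Constructed sample (hypothetical, NOT a real key): a v4 RSA public-key packet
# with a dummy 1024-bit modulus and e = 65537, wrapped in an old-format header.
_BODY = (b"\x04" + struct.pack(">I", 1500000000) + b"\x01"
         + _mpi(b"\xc3" + b"\x5a" * 127) + _mpi(b"\x01\x00\x01"))
SAMPLE_KEY = armor(b"\x98" + bytes([len(_BODY)]) + _BODY)
SAMPLE_FINGERPRINT = fingerprint_v4(_BODY)

if __name__ == "__main__":
    print("fingerprint:", SAMPLE_FINGERPRINT)
    print("matches published value:", verify_key_fingerprint(SAMPLE_KEY, SAMPLE_FINGERPRINT))
```

A wrapper around `apt-key add` would call `verify_key_fingerprint()` on the downloaded file with the fingerprint copied from the download page and refuse to install the key unless it returns `True`; the CRC check additionally catches a key block that was corrupted in transit.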