GPG Package Signing Key needs to be in the public keyserver network



  • Please publish the [b][email protected][/b] GPG signing key to the GPG keyserver network so it can be reliably retrieved by gpg. The current HTTP web-site method of distributing the public key is horrendous and not fit for purpose - there is no security in publishing the key over an unencrypted HTTP channel since it could be substituted for some other key, allowing a malicious MITM attacker to install a compromised software package on users' devices. Your staff (with email addresses @vivaldi.net) should sign and trust the key so that users can evaluate that trust. I'm surprised a browser 'manufacturer' (who should be focused on the user's security) would distribute code that cannot be trusted in this way.



  • Yes pls, I'd also like this. I'm still puzzled that we don't even have the file hashes available to us to check any manual installer downloads we do, but adopting the OP's suggestion would be better still.



  • File hashes would be an additional aid but the same issue would occur - unless they're signed by the Vivaldi GPG key, and that key can be got from the public key-servers and is signed by other easily-verified vivaldi.net keys that are associated with well-known publicly visible Vivaldi email addresses, there is no chain of trust.

    Considering it only takes 15 seconds to push one's GPG key to a public key-server, the fact this issue still endures doesn't inspire confidence.



  • I just pinged a Vivaldi Linux developer to check GPG key issue!



  • Bump.



  • I pinged once more (I fear the one who was asked is now on summer vacation).



  • Thanks GD. I hope we get a good response to this soon. For example, here's how Linux Mint do it https://linuxmint.com/verify.php – I'd prefer if Vivaldi was similar.
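As an added illustration of the verification flow the thread is asking for (this is not code from the thread, from Vivaldi, or from Linux Mint): a signed SHA256SUMS file checked with gpg, then the package checked against it with sha256sum. To keep it runnable offline, a throwaway signing key is generated in a temporary GNUPGHOME and a dummy package stands in for a download; the identity `packager@example.invalid` and all file names are constructed. The last two checks show why the posters care about where the key comes from: a substituted package fails the hash check, and a hash file re-signed by a key the user never imported fails the signature check. If an attacker could hand the user that key over plain HTTP, the third check would instead pass, which is exactly the MITM risk the OP describes and why the fingerprint must be confirmed via keyservers and signatures from known vivaldi.net keys.

```shell
#!/bin/sh
# Added example, not part of the forum thread. Requires gpg (2.1+) and sha256sum.
set -eu

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"      # the user's (verifier's) keyring
mkdir -m 700 "$GNUPGHOME"

# Constructed stand-in for a vendor signing key (hypothetical identity).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Example Packager <packager@example.invalid>' ed25519 sign 0

# Constructed stand-in for a downloaded package.
printf 'pretend this is a .deb\n' > "$WORK/package.deb"

# Publisher side: hash list, then a detached signature over that list.
( cd "$WORK" && sha256sum package.deb > SHA256SUMS )
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --detach-sign --armor --output "$WORK/SHA256SUMS.asc" "$WORK/SHA256SUMS"

# Verifier side: succeeds only if the signature over SHA256SUMS is good
# (made by a key already in the user's keyring) AND the package matches.
verify_release() {
    dir="$1"
    gpg --batch --quiet --verify "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" 2>/dev/null || return 1
    ( cd "$dir" && sha256sum --check --quiet SHA256SUMS ) || return 2
    return 0
}

# Returns 0: the untampered release verifies.
check_good() { verify_release "$WORK"; }

# Returns 0: a substituted package is rejected by the hash check.
check_tampered() {
    T="$WORK/tampered"
    mkdir -p "$T"
    cp "$WORK/SHA256SUMS" "$WORK/SHA256SUMS.asc" "$T/"
    printf 'substituted by an attacker\n' > "$T/package.deb"
    if verify_release "$T"; then return 1; else return 0; fi
}

# Returns 0: a hash list re-signed with an unknown key is rejected, even though
# its hashes match the substituted package. The attacker's key lives in its own
# GNUPGHOME; the user's keyring never saw it, so gpg reports "No public key".
check_unknown_key() {
    A="$WORK/attacker"
    mkdir -m 700 "$A"
    GNUPGHOME="$A" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Not The Packager <mitm@example.invalid>' ed25519 sign 0
    U="$WORK/resigned"
    mkdir -p "$U"
    printf 'substituted by an attacker\n' > "$U/package.deb"
    ( cd "$U" && sha256sum package.deb > SHA256SUMS )
    GNUPGHOME="$A" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --armor --output "$U/SHA256SUMS.asc" "$U/SHA256SUMS"
    if verify_release "$U"; then return 1; else return 0; fi
}

# Stand-alone run: report each outcome.
check_good        && echo "genuine release: OK"
check_tampered    && echo "tampered package: rejected"
check_unknown_key && echo "unknown signing key: rejected"
```

For a real vendor key the throwaway generation step is replaced by fetching the key (for example with `gpg --recv-keys <fingerprint>`) and comparing its full fingerprint against a source obtained separately from the download site, which is the step the thread says Vivaldi currently makes impossible.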

