Conversations about life & privacy in the digital age

Ubuntu/Debian APT repository GPG key update

Hello Debian friends!

The GPG key for our Ubuntu/Debian APT repository expires today. We’ve created a new key that you can get here: https://spideroak.com/dist/spideroak-apt-2013.asc. We will have new builds shortly that include the new key.

The new key looks like this:

pub   1024D/08C15DD0 2013-09-20 [expires: 2016-09-19]
      Key fingerprint = FE45 E533 0B11 DCF0 3247  EF49 A6FF 22FF 08C1 5DD0
uid                  SpiderOak Apt Repository 

UPDATE: New .deb packages are available on the Download Page. This will automatically update your apt keys and ensure you continue to get updates.

Advanced users can install the new key with this command:

curl https://spideroak.com/dist/spideroak-apt-2013.asc | sudo apt-key add -

After installing the new key, update your package manager and you’ll be able to upgrade to future versions of SpiderOak without issue.

Comments

  1. Thank you for the upgrade. Nevertheless, I think you should have created a much stronger key of 2048 bits at least instead of keep on using a brute-force vulnerable Diffie-hellman key of just 1024 bits.

  2. Peter Petrov says:

    There is also an issue with the SSL certificate for https://apt.spideroak.com/ – try visiting it in Chrome and you’ll see (the certificate presented is for spideroak.com only, non-wildcard).

    • Chip Black says:

      apt.spideroak.com doesn’t use https. APT uses a PGP-based verification system so HTTPS isn’t needed to verify integrity.

      • Chris says:

        Yeah but it still gives an invalid cert error when browsing through a web page. It used to work, despite it not really being a front-facing webpage and just an index.