Opened 5 years ago
Closed 4 years ago
#1167 closed Bug / Defect (fixed)
Windows installer signed with wrong private key?
Reported by: | mosesofmason | Owned by: | Samuli Seppänen |
---|---|---|---|
Priority: | critical | Milestone: | |
Component: | Packaging | Version: | |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: |
Description
The WINDOWS INSTALLER file [0] looks like it is signed by an unknown key instead of being signed with the "Security mailing list GPG key" as stated on the "GnuPG Public Key" page [1].
The file is currently signed using RSA key 82175D35AA8D0E8BDE5F4F9E5DC351805ACFEAC6, which does not match the "Security mailing list GPG key". Please check if this is a mistake or a security exploit.
[0] https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.7-I603.exe
[1] https://openvpn.net/community-resources/sig/
Change History (2)
comment:1 Changed 5 years ago by
comment:2 Changed 4 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
Fixed in the meantime. Apologies for not providing quicker feedback.
The security key gets rotated yearly (new subkey added). Updating the page was forgotten. The gpg on the contact page (https://openvpn.net/contact/) is already updated. That page should be updated soon.
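
Added example, not part of the ticket or of OpenVPN's tooling: with yearly subkey rotation, the fingerprint that signs a release can change while the primary key stays the same, so a downloader's check should resolve the signer to its primary key rather than compare against one published fingerprint. The sketch below does that over `gpg --with-colons` output; only the signer fingerprint is taken from the ticket, and the primary fingerprint, older subkey, timestamps and user ID are constructed placeholders.

```python
# Constructed fingerprints: only SIGNER comes from the ticket; the primary and
# the older subkey are placeholders, not real OpenVPN key material.
PRIMARY = "0123456789ABCDEF0123456789ABCDEF01234567"
OLD_SUB = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SIGNER = "82175D35AA8D0E8BDE5F4F9E5DC351805ACFEAC6"

# Constructed sample in the format printed by
# `gpg --with-colons --with-subkey-fingerprint --list-keys`.
SAMPLE = f"""\
pub:u:4096:1:{PRIMARY[-16:]}:1483228800:::u:::scESC:
fpr:::::::::{PRIMARY}:
uid:u::::1483228800::::Example Security List <security@example.invalid>:
sub:e:4096:1:{OLD_SUB[-16:]}:1514764800:1546300800:::::s:
fpr:::::::::{OLD_SUB}:
sub:u:4096:1:{SIGNER[-16:]}:1546300800:1577836800:::::s:
fpr:::::::::{SIGNER}:
"""

BAD_VALIDITY = {"r": "revoked", "e": "expired", "i": "invalid", "d": "disabled"}

def index_keyring(colon_text):
    """Map every fingerprint to its record and to its primary key's fingerprint."""
    keys, primary, pending = {}, None, None
    for line in colon_text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 11:
            # field 2 = validity, field 12 = key capabilities
            pending = {"type": f[0], "validity": f[1], "caps": f[11]}
        elif f[0] == "fpr" and pending and len(f) > 9:
            if pending["type"] == "pub":
                primary = f[9]          # field 10 of an fpr record
            keys[f[9]] = dict(pending, primary=primary)
            pending = None
    return keys

def check_signer(signer_fpr, trusted_primary, keys):
    """Return (ok, reason) for a signature made by signer_fpr."""
    norm = lambda s: s.replace(" ", "").upper()
    rec, root = keys.get(norm(signer_fpr)), keys.get(norm(trusted_primary))
    if rec is None or root is None:
        return False, "signer or trusted primary not in keyring"
    if rec["primary"] != norm(trusted_primary):
        return False, "signer belongs to a different primary key"
    for r in (root, rec):
        if r["validity"] in BAD_VALIDITY:
            return False, f"{r['type']} key is {BAD_VALIDITY[r['validity']]}"
    if "s" not in rec["caps"]:
        return False, "signer has no signing capability"
    return True, "valid signing key under the trusted primary"

if __name__ == "__main__":
    keys = index_keyring(SAMPLE)
    for fpr in (SIGNER, OLD_SUB, "00" * 20):
        print(fpr, check_signer(fpr, PRIMARY, keys))
```

The result reflects the keyring's state when it was listed, so the trusted primary fingerprint still has to be obtained over a channel independent of the download itself.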