Opened 5 years ago

Closed 4 years ago

#1167 closed Bug / Defect (fixed)

Windows installer signed with wrong private key?

Reported by: mosesofmason
Owned by: Samuli Seppänen
Priority: critical
Milestone:
Component: Packaging
Version:
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

The WINDOWS INSTALLER file [0] looks like it is signed by an unknown key instead of being signed with the "Security mailing list GPG key" as stated on the "GnuPG Public Key" page [1].

The file is currently signed using RSA key 82175D35AA8D0E8BDE5F4F9E5DC351805ACFEAC6, which does not match the "Security mailing list GPG key". Please check if this is a mistake or a security exploit.

[0] https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.7-I603.exe
[1] https://openvpn.net/community-resources/sig/

Change History (2)

comment:1 Changed 5 years ago by plaisthos

The security key gets rotated yearly (new subkey added). Updating the page was forgotten. The GPG key on the contact page (https://openvpn.net/contact/) is already updated. That page should be updated soon.
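
Added example (not part of the ticket and not OpenVPN's own tooling): because the key that signs a release can be a rotated subkey, a verification script should pin the primary key fingerprint, which gpg reports as the last field of its `VALIDSIG` status line, rather than the signing key's fingerprint. The fingerprints and status lines below are constructed placeholders, and the function names are hypothetical.

```python
import subprocess

# Status keywords that mean the signature must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"}

def gpg_status(sig_path, file_path):
    """Verify a detached signature and return gpg's machine-readable status."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return proc.stdout

def check_signer(status_text, pinned_primary):
    """Return (ok, signing_fpr, primary_fpr) for gpg --status-fd output."""
    signing = primary = None
    rejected = False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT:
            rejected = True
        elif fields[1] == "VALIDSIG" and len(fields) >= 3:
            signing = fields[2]  # key (often a subkey) that made the signature
            # The last VALIDSIG field is the primary key fingerprint. If it is
            # absent, only the signing key is known, so compare against that.
            primary = fields[11] if len(fields) >= 12 else fields[2]
    pinned = pinned_primary.replace(" ", "").upper()
    ok = not rejected and primary is not None and primary.upper() == pinned
    return ok, signing, primary

# Constructed sample: placeholder fingerprints, not real OpenVPN keys.
PRIMARY = "A" * 40   # long-lived primary key, the value to publish and pin
SUBKEY = "B" * 40    # yearly signing subkey, changes on rotation
SAMPLE_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {SUBKEY[-16:]} Example Release Key <security@example.org>
[GNUPG:] VALIDSIG {SUBKEY} 2019-02-21 1550750000 0 4 0 1 8 00 {PRIMARY}
"""

if __name__ == "__main__":
    ok, signing, primary = check_signer(SAMPLE_STATUS, PRIMARY)
    print(f"ok={ok} signing={signing} primary={primary}")
```

On a real download, pass the output of `gpg_status("installer.exe.asc", "installer.exe")` (hypothetical file names) to `check_signer` together with the primary fingerprint obtained from a trusted channel.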

comment:2 Changed 4 years ago by Gert Döring

Resolution: fixed
Status: new → closed

Fixed in the meantime. Apologies for not providing quicker feedback.