@NicoHood / Secret gist

Created Aug 22, 2018
Hey, a few other users and I noticed a GPG key change with the recent Debian package updates. I am packaging spotify-stable on the Arch Linux User Repository (AUR).

In order to provide a secure package for me and everyone else, it is crucial to only download trustworthy sources from Spotify. That is why they are signed with GPG. However, if the key randomly changes, without any upstream notification from Spotify, we have to assume that a) the servers were possibly compromised or b) Spotify changed its key but did not notify us users.

Now the question is: Where can I find any official information/statement that the key has changed and that we can trust the new one?

The old key was: 0DF731E45CE24F27EEEB1450EFDC8610341D9410

The new key is: 931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90

The new key is also mentioned here:

If we assume a) is true, we must not trust any content on the Spotify servers. That means the .deb files (with new key signatures) and the content (install instructions) as well. The only way for Spotify to make us trust the new key is to sign the new key with the old one. That is a common practice. And the old one then must be revoked, if possible.

This means Spotify must take some action before I can update any package. Otherwise users might be in danger. Although it is very unlikely that Spotify got hacked, we still have to treat this issue with care. Similar incidents happened with Linux Mint and Handbrake.

TL;DR: Spotify, please sign the new GPG key with the old one. Community, please make Spotify notice this post by upvoting the whole topic, this post, or leaving a comment.

I will post this comment to the following threads:
