GPG validation Key installation

I'm in the same boat too. The email almost looked like a phishing attempt. There is no mention of GPG key rotation on your website.

I received a message from "Zoom Video Communications <***********>" stating that they will be retiring the current key pair used to sign the Linux client on November 2, 2022, and gives the instructions referred to by adit47.

I am somewhat reluctant to follow the instructions, given the many instances of phishing, and would request from this community assurance that this is legit!  I have not gone so far as to test the commands recommended so I cannot comment on their efficacy. 

Thanks!

Same here. The commands are a garbled mess, and neither one works. All I get is error messages when I run them. I am pretty sure that the email comes from zoom.us, so it's most likely legitimate, but I am at a complete loss as to what to do now.

HEY ZOOM! Does this mean my Linux client will stop working on November 2, 2022? If so, then how in the world do I fix it? Uninstall, then re-install the client after November 2?

I also received the e-mail and wonder if it was a scam too... it is so suspicious that it is not commented on the web...

I would wait until it is announced there...   however it looks like the kind of instructions you would receive to install a new gpg key:

``` gpg --import ~/Downloads/package-signing-key.pub ```

``` dpkg-sig --verify ./zoom.deb ```

I'm also concerned about the email I received resembling a phishing attempt. I can't find anything on the website referring to this. Please Zoom folks, publish something or give us a link.

I think I can help. This appears legit..

After you run gpg command, download the latest Ubuntu client from the download center:

zoom_amd64.deb                     (or equivalent for your OS)

run dpkg-sig --verify ./zoom_amd64.deb            (you may have to be in the /Downloads directory for this to work).

You'll receive:

GOODSIG _gpgbuilder XXXXXXXXXXXXXXXXXXXXXXXXXXX #########

Where the X and # characters will be a unique validation string.

Admittedly, the instructions absolutely SUCKED, but that's what we get for using mongrel Ubuntu  🙂

JB

Same here... Any confirmation from Zoom yet?

The email apparently passes SPF,DKIM,DMARC tests so seems to be legitimate. But the instruction are so suspicious and there is nothing on their website to back it up. I've opened a support ticket about it. If I get an answer I'll post it here.

Would simply reinstalling the client fix the problem does anyone know? It feels like that would be the safest course of action if there is some uncertainty. You would imagine a fresh install wouldn't suffer from the same problem.

Just had a holding response from their tech support. "This issue is already being investigated by our Engineering team. Please don't uninstall the zoom client yet.".