Re: "Important Information Regarding Zoom Desktop ...

arossi · ‎2022-10-12

Hi,

some users in my company received an email notifying that Zoom will be retiring the current key pair used to sign the Linux client on November 2, 2022. and requesting users to download and trust the new public key (see attached screenshot)

Requiring to download directly from the email instead of inviting to do it after logging into the site is quite suspicious.

I can't find any official communication or release note on the website.

Anyone experiencing the same or clue of communication authenticity?

Thanx

jerryb8 · ‎2022-10-12

I have also been contacted by a user receiving this message. Is this genuine or a scam?

danensis · ‎2022-10-12

I received this, and was somewhat suspicious as it was addressed to "Dear Valued Customer" which is the usual form of address in scams.
I tried clicking on the link, and the file downloaded, but the instructions didn't work, so I didn't chase it up

jerryb8 · ‎2022-10-12

Thanks for this. It would be really useful if Zoom could prioritize this as soon as possible and give a response. They should know whether they created this or not!

dwochele · ‎2022-10-12

I got this too, distributed via the licence contact. I am unsure.... Can not find direkt info in zoom website.

UK_Dave · ‎2022-10-12

I've end up here for the same reason, is it a scam?

quakeyjase · ‎2022-10-12

Stupidly, I think I may already have fallen for this! My only hope is I might not actually be adept enough to have successfully followed the instructions. If I have, would it be enough to delete the client and reinstall from the zoom download site, or is that too optimistic?

arossi · ‎2022-10-12

download link redirect to click[.]zoom[.]us wich is different from zoom.us and has different SSL certificate from *.zoom.us

It is very suspicious.

Email is from *********** wich looks authentic but it may be a spoofed email that passed the DMARC/DKIM/SPF controls

I opened a ticket at https://zoom.us/trust-form for support

quakeyjase · ‎2022-10-12

Thanks for this. I am unable to open a ticket as I only have a Basic account and zoom don't want to hear from me. I am using zoom for community group meetings on a no-budget basis.

quakeyjase · ‎2022-10-12

I did the above and reapplied the publc key after downloading it afresh from the zoom website. It notified me that it was unchanged with the reinstalled zoom client. Am I dreaming, or is that probably okay now?

jerryb8 · ‎2022-10-12

Personally in your situation I wouldn't start up Zoom again until you get an official response from them. But they are certainly not in a hurry to respond.

quakeyjase · ‎2022-10-12

Thanks that's pretty sound advice. I have put the word out that there might be an issue. Most of my network are windows/mac, so I'm hoping it is restricted to Linux.

pabigotllc · ‎2022-10-12

I too was forwarded that message, and when I use wget to download the key from the link in the message it's identical to what I download with Chrome from https://zoom.us/download#client_4meeting. The fingerprint of the key also matches what's on the download page. So it's probably fine.

meer5[129]$ gpg --show-keys --fingerprint /tmp/package-signing-key.pub
pub rsa2048 2015-06-07 [SC]
3960 60CA DD8A 7522 0BFC B369 B903 BF18 61A7 C71D
uid Zoom Video Communcations, Inc. Linux Package Signing Key <***********>
sub rsa2048 2015-06-07 [E]

quakeyjase · ‎2022-10-12

That sounds hopeful to me. And am I right in thinking that if a scammer has tried to get me to apply a bogus key, the most they can have is credentials to attend/host meetings with my existing account? So if I scrub my account and start a new one without attending any in the meantime, am I good to go? Sorry for my dimness and asking a lot of stupid questions! I'm finding this difficult to get my head around!

quakeyjase · ‎2022-10-12

If someone from zoom.us could answer the following definitively I would be very grateful:

1) Did they send the original email? (Y/N)

2) If N to 1), would the measures I described above (reinstall client and public key) be enough to neutralise the risk? (Y/N)

3) If N to 2), should I delete my account and start a new one before using zoom? (Y/N)

4) If Y to 3), is there anything else I need to do in order to use zoom again safely? If so, what?

jerryb8 · ‎2022-10-12

It would also be interesting to know whether people are receiving these emails who are not registered with Zoom, and have never been. If they are, then it looks like this is just a general scam. OTOH if only registered users are receiving them, it would imply they are genuine, or that Zoom's customer data has been compromised.

Obviously it would also be interesting to know why Zoom are not responding to this.

quakeyjase · ‎2022-10-12

Right. I've just managed to get through to the technical team on a webchat, which I couldn't manage to do earlier. It seems the original email was genuine, and here's a link that should help: https://support.zoom.us/hc/en-us/articles/9836712961165 . I think we can all relax, thanks to the developer. I made a cheeky request that the developer review this thread when they have time and try to make any future messages less ambiguous, based on the flags that were raised for us. I don't know about you but I will literally sleep better tonight now!

jerryb8 · ‎2022-10-12

Thanks for sorting this out, much appreciated!

quakeyjase · ‎2022-10-12

No worries, just passing on what I found out from zoom.us .

iwaita2ya · ‎2022-10-12

The article above explans the key fingerprint of GPG signature will be changed from "3960 60CA DD8A 7522 0BFC B369 B903 BF18 61A7 C71D" to "59C8 6188 E22A BB19 BD55 4047 7B04 A1B8 DD79 B481" however when I downloaded the new package-signing-key.pub from the URL specified on the email but the fingerprint is the same as the current fingerprint starting from 3960.

below is the actual result of checking fingerprint:

$ gpg --show-keys package-signing-key.pub
pub rsa2048 2015-06-07 [SC]
396060CADD8A75220BFCB369B903BF1861A7C71D
uid Zoom Video Communcations, Inc. Linux Package Signing Key <***********>
sub rsa2048 2015-06-07 [E]

Are they not ready to provide new pub key? Or are they provide us wrong download URL on emai?

MerricksMan · ‎2022-10-21

Well, as they announced. On the 2nd of November 2022 there will be hopefully a new gpg key for of us to prove if the zoom client is legit. It's a bit slack but what can you do.

iwaita2ya · ‎2022-10-25

Zoom has updated the original announcement and the new gpg key is finally available at the download center! I have confirmed the new gpg key fingerprint is matched as they announced.

Seems we are all set to upgrade! 😀

https://zoom.us/download?os=linux

$ gpg --show-keys package-signing-key-5-12-6.pub 
pub   rsa4096 2022-08-18 [SC]
      59C86188E22ABB19BD5540477B04A1B8DD79B481
uid                      Zoom Video Communications, Inc. <***********>
sub   rsa2048 2022-08-18 [A]
sub   rsa2048 2022-08-18 [E]

Rick-Pony · ‎2022-10-26

Yes, they updated the corrcet gpg key file. The latest version of zoom client on linux now is 5.12.2; the package-signing-key.pub by clicking For version 5.12.6 or above.

So my question is : if we found we can't upgrade to the version 5.12.6, shall we remove the old zoom software and download the latest version and install it? Maybe it's more easier.

MerricksMan · ‎2022-10-26

It worked for me now. The new public key seems legit and is importable per gpg.

I upgraded the Zoom Client successfully to 5.12.2 on Debian, Ubuntu, Mint environments with the following commands:

1. Change to a Download directory

cd ~/Downloads

2. Get the new public signing key

wget -O package-signing-key.pub https://zoom.us/linux/download/pubkey?version=5-12-6

3. Check the public signing key

gpg --show-keys package-signing-key.pub

4. Import the key

sudo gpg --import package-signing-key.pub

5. Get the new and upgraded Zoom DEB-Package

wget https://zoom.us/client/latest/zoom_amd64.deb

6. Install the Zoom DEB-Package

sudo apt install ./zoom_amd64.deb

7. Check if the Client starts closes properly

zoom &

8. Happy Zooming

I had an old client which was removed properly during the install. So there is no need to remove it in the first place. But it wouldn't matter if you do, so no worries.

Of course is it possible to automated and schedule all this with a nice script for goodness sake. Alternatives might be snap packages and flatpaks. But I am to old school. I stick with debs and rpms and old rotting repositories for now 😉

All the above commands comes without any guarantee.

Cheers

jerryb8 · ‎2022-10-26

Hi

Thanks for such clear instructions. I talked a user through these and intallation went without a hitch.

Jerry

Rick-Pony · ‎2022-10-27

We are using the 5.12.2 version now. so the gpg is not affect the old version on your computer. if we need to update the clinet to 5.12.6, the public key will be needed. but no 5.12.6 release now.

MerricksMan · ‎2022-10-27

You're absolutely right. You could also import both keys and then you are set for the future 😉

Just make sure the keys are legit. And the former wasn't in the time of writing of my first reply. I mean why would the Zoom dev-team talk about a version 5.12.6 which isn't available anyway yet? And why don't they get those gpg keys organized? I for myself just want to make sure that I load and install the right package from a trustworthy source. That's all what it is about. And therefor signed packages were invented.

sanjaM · ‎2022-10-25

I'm a Linux user, but I use laptop. Does that apply in my case?

jerryb8 · ‎2022-10-26

Yes, if you follow the instructions from MerricksMan above you should be ok.

MerricksMan · ‎2022-10-26

I wrote a little guide. You find it here https://community.zoom.com/t5/OnZoom/Installing-and-Upgrading-Zoom-desktop-client-on-Linux/td-p/8205...

Zoom One

Zoom Spaces

Zoom Events

Zoom Contact Center

Industries

Services

Developer Platform

Partners

Explore

Learn

Connect

Support

Download Zoom Client

Zoom Virtual Backgrounds

Zoom One

Zoom AI

Zoom Spaces

Zoom Events

Zoom Contact Center

"Important Information Regarding Zoom Desktop Client for Linux"