Zoomtopia is here. Unlock the transformative power of generative AI, helping you connect, collaborate, and Work Happy with AI Companion.
Register nowEmpowering you to increase productivity, improve team effectiveness, and enhance skills.
Learn moreKeep your Zoom app up to date to access the latest features.
Download Center Download the Zoom appDownload hi-res images and animations to elevate your next Zoom meeting.
Browse Backgrounds Zoom Virtual BackgroundsEmpowering you to increase productivity, improve team effectiveness, and enhance skills.
Zoom AI Companionā2022-10-12 12:32 AM
Hi,
some users in my company received an email notifying that Zoom will be retiring the current key pair used to sign the Linux client on November 2, 2022. and requesting users to download and trust the new public key (see attached screenshot)
Requiring to download directly from the email instead of inviting to do it after logging into the site is quite suspicious.
I can't find any official communication or release note on the website.
Anyone experiencing the same or clue of communication authenticity?
Thanx
ā2022-10-12 01:05 AM
I have also been contacted by a user receiving this message. Is this genuine or a scam?
ā2022-10-12 01:21 AM
I received this, and was somewhat suspicious as it was addressed to "Dear Valued Customer" which is the usual form of address in scams.
I tried clicking on the link, and the file downloaded, but the instructions didn't work, so I didn't chase it up
ā2022-10-12 01:31 AM
Thanks for this. It would be really useful if Zoom could prioritize this as soon as possible and give a response. They should know whether they created this or not!
ā2022-10-12 02:39 AM
I got this too, distributed via the licence contact. I am unsure.... Can not find direkt info in zoom website.
ā2022-10-12 04:33 AM
I've end up here for the same reason, is it a scam?
ā2022-10-12 06:55 AM
Stupidly, I think I may already have fallen for this! My only hope is I might not actually be adept enough to have successfully followed the instructions. If I have, would it be enough to delete the client and reinstall from the zoom download site, or is that too optimistic?
ā2022-10-12 07:16 AM
download link redirect to click[.]zoom[.]us wich is different from zoom.us and has different SSL certificate from *.zoom.us
It is very suspicious.
Email is from *********** wich looks authentic but it may be a spoofed email that passed the DMARC/DKIM/SPF controls
I opened a ticket at https://zoom.us/trust-form for support
ā2022-10-12 07:20 AM
Thanks for this. I am unable to open a ticket as I only have a Basic account and zoom don't want to hear from me. I am using zoom for community group meetings on a no-budget basis.
ā2022-10-12 07:17 AM
I did the above and reapplied the publc key after downloading it afresh from the zoom website. It notified me that it was unchanged with the reinstalled zoom client. Am I dreaming, or is that probably okay now?
ā2022-10-12 07:25 AM
Personally in your situation I wouldn't start up Zoom again until you get an official response from them. But they are certainly not in a hurry to respond.
ā2022-10-12 07:32 AM
Thanks that's pretty sound advice. I have put the word out that there might be an issue. Most of my network are windows/mac, so I'm hoping it is restricted to Linux.
ā2022-10-12 08:08 AM
I too was forwarded that message, and when I use wget to download the key from the link in the message it's identical to what I download with Chrome from https://zoom.us/download#client_4meeting. The fingerprint of the key also matches what's on the download page. So it's probably fine.
meer5[129]$ gpg --show-keys --fingerprint /tmp/package-signing-key.pub
pub rsa2048 2015-06-07 [SC]
3960 60CA DD8A 7522 0BFC B369 B903 BF18 61A7 C71D
uid Zoom Video Communcations, Inc. Linux Package Signing Key <***********>
sub rsa2048 2015-06-07 [E]
ā2022-10-12 08:15 AM
That sounds hopeful to me. And am I right in thinking that if a scammer has tried to get me to apply a bogus key, the most they can have is credentials to attend/host meetings with my existing account? So if I scrub my account and start a new one without attending any in the meantime, am I good to go? Sorry for my dimness and asking a lot of stupid questions! I'm finding this difficult to get my head around!
ā2022-10-12 09:08 AM
If someone from zoom.us could answer the following definitively I would be very grateful:
1) Did they send the original email? (Y/N)
2) If N to 1), would the measures I described above (reinstall client and public key) be enough to neutralise the risk? (Y/N)
3) If N to 2), should I delete my account and start a new one before using zoom? (Y/N)
4) If Y to 3), is there anything else I need to do in order to use zoom again safely? If so, what?
ā2022-10-12 10:09 AM
It would also be interesting to know whether people are receiving these emails who are not registered with Zoom, and have never been. If they are, then it looks like this is just a general scam. OTOH if only registered users are receiving them, it would imply they are genuine, or that Zoom's customer data has been compromised.
Obviously it would also be interesting to know why Zoom are not responding to this.
ā2022-10-12 01:07 PM
Right. I've just managed to get through to the technical team on a webchat, which I couldn't manage to do earlier. It seems the original email was genuine, and here's a link that should help: https://support.zoom.us/hc/en-us/articles/9836712961165 . I think we can all relax, thanks to the developer. I made a cheeky request that the developer review this thread when they have time and try to make any future messages less ambiguous, based on the flags that were raised for us. I don't know about you but I will literally sleep better tonight now!
ā2022-10-12 02:15 PM
Thanks for sorting this out, much appreciated!
ā2022-10-12 04:33 PM
No worries, just passing on what I found out from zoom.us .
ā2022-10-12 08:05 PM
The article above explans the key fingerprint of GPG signature will be changed from "3960 60CA DD8A 7522 0BFC B369 B903 BF18 61A7 C71D" to "59C8 6188 E22A BB19 BD55 4047 7B04 A1B8 DD79 B481" however when I downloaded the new package-signing-key.pub from the URL specified on the email but the fingerprint is the same as the current fingerprint starting from 3960.
below is the actual result of checking fingerprint:
$ gpg --show-keys package-signing-key.pub
pub rsa2048 2015-06-07 [SC]
396060CADD8A75220BFCB369B903BF1861A7C71D
uid Zoom Video Communcations, Inc. Linux Package Signing Key <***********>
sub rsa2048 2015-06-07 [E]
Are they not ready to provide new pub key? Or are they provide us wrong download URL on emai?
ā2022-10-21 11:55 AM
Well, as they announced. On the 2nd of November 2022 there will be hopefully a new gpg key for of us to prove if the zoom client is legit. It's a bit slack but what can you do.
ā2022-10-25 07:39 PM
Zoom has updated the original announcement and the new gpg key is finally available at the download center! I have confirmed the new gpg key fingerprint is matched as they announced.
Seems we are all set to upgrade! š
https://zoom.us/download?os=linux
$ gpg --show-keys package-signing-key-5-12-6.pub
pub rsa4096 2022-08-18 [SC]
59C86188E22ABB19BD5540477B04A1B8DD79B481
uid Zoom Video Communications, Inc. <***********>
sub rsa2048 2022-08-18 [A]
sub rsa2048 2022-08-18 [E]
ā2022-10-26 01:42 AM
Yes, they updated the corrcet gpg key file. The latest version of zoom client on linux now is 5.12.2; the package-signing-key.pub by clicking For version 5.12.6 or above.
So my question is : if we found we can't upgrade to the version 5.12.6, shall we remove the old zoom software and download the latest version and install it? Maybe it's more easier.
ā2022-10-26 06:28 AM
It worked for me now. The new public key seems legit and is importable per gpg.
I upgraded the Zoom Client successfully to 5.12.2 on Debian, Ubuntu, Mint environments with the following commands:
1. Change to a Download directory
cd ~/Downloads
2. Get the new public signing key
wget -O package-signing-key.pub https://zoom.us/linux/download/pubkey?version=5-12-6
3. Check the public signing key
gpg --show-keys package-signing-key.pub
4. Import the key
sudo gpg --import package-signing-key.pub
5. Get the new and upgraded Zoom DEB-Package
wget https://zoom.us/client/latest/zoom_amd64.deb
6. Install the Zoom DEB-Package
sudo apt install ./zoom_amd64.deb
7. Check if the Client starts closes properly
zoom &
8. Happy Zooming
I had an old client which was removed properly during the install. So there is no need to remove it in the first place. But it wouldn't matter if you do, so no worries.
Of course is it possible to automated and schedule all this with a nice script for goodness sake. Alternatives might be snap packages and flatpaks. But I am to old school. I stick with debs and rpms and old rotting repositories for now š
All the above commands comes without any guarantee.
Cheers
ā2022-10-26 01:04 PM
Hi
Thanks for such clear instructions. I talked a user through these and intallation went without a hitch.
Jerry
ā2022-10-27 04:33 AM
We are using the 5.12.2 version now. so the gpg is not affect the old version on your computer. if we need to update the clinet to 5.12.6, the public key will be needed. but no 5.12.6 release now.
ā2022-10-27 06:41 AM
You're absolutely right. You could also import both keys and then you are set for the future š
Just make sure the keys are legit. And the former wasn't in the time of writing of my first reply. I mean why would the Zoom dev-team talk about a version 5.12.6 which isn't available anyway yet? And why don't they get those gpg keys organized? I for myself just want to make sure that I load and install the right package from a trustworthy source. That's all what it is about. And therefor signed packages were invented.
ā2022-10-25 11:01 AM
I'm a Linux user, but I use laptop. Does that apply in my case?
ā2022-10-26 01:06 PM
Yes, if you follow the instructions from MerricksMan above you should be ok.
ā2022-10-26 02:18 PM - edited ā2022-10-26 02:32 PM
I wrote a little guide. You find it here https://community.zoom.com/t5/OnZoom/Installing-and-Upgrading-Zoom-desktop-client-on-Linux/td-p/8205...