JoseExposito / touchegg

Linux multi-touch gesture recognizer
GNU General Public License v3.0

Mention PPA signing key in installation instructions #625

Closed joelpurra closed 1 year ago

joelpurra commented 1 year ago

Note that I cannot personally vouch for the validity of the key; that is up to the developer/PPA packager. @JoseExposito can you confirm that 7EA12677D47B593CE22727D4C0FCE32AF6B96252 is the correct PPA signing key? (Either stating it explicitly, or implicitly by merging this commit.)

Closes #602, although it was already closed.

Also aids some users in #604, #578, #472, #466, #462, etcetera in case they attempt manual installation of the PPA signing key. The underlying problem seems to be that the Ubuntu keyserver is unstable, and responds with "Not found" half of the time (test using link above). In most cases it is easier to just repeat sudo add-apt-repository ppa:touchegg/stable a few times, until the server responds and the key is downloaded/installed automatically.

joelpurra commented 1 year ago

@JoseExposito: as mentioned, explicitly adding the signing key fingerprint to README.md isn't necessary. Your comment already confirms that it is correct and that is technically enough; the change/fix on the PPA website also helps. (See screenshots below.)

The main reason to merge this pull request is to help users who download the key separately to verify the touchegg package. If you feel it takes "space" in README.md you may choose to close this pull request. Thank you either way =)


You mention that the fingerprint is visible on the PPA page; I can confirm that this is the case today. The screenshot by @Freemason-12 in https://github.com/JoseExposito/touchegg/issues/602#issue-1410410169 shows that it was not visible in October last year. (I am not sure what it looked like in June 2023.)

Screenshot 2022-10-16:

Screenshot from 2022-10-16 of the touchegg PPA, without the signing key fingerprint.

Screenshot 2023-07-28:

Screenshot from 2023-07-28 of the touchegg PPA, including the signing key fingerprint 7EA12677D47B593CE22727D4C0FCE32AF6B96252.


Having the signing key fingerprint explicitly mentioned in README.md means added security for some users, because they could then more easily verify the touchegg package.

These users would likely want to confirm that the fingerprint they see in their terminal is the correct one.

The recent server-side change/fix on the PPA page adds another way to discover the signing key though. Otherwise they would have to manually search Github and find this pull request, and within it your comment with your confirmation.

(Debian users may be able to install software-properties-common from software-properties to get the add-apt-repository helper.)

JoseExposito commented 1 year ago

Oh, I'd love to get this one merged. This issue popped up in the bug tracker a few times and it'd be great to make the fix obvious.

However, I think that it'd be nice to give users a bit more context. Maybe we could add something like:

```shell
$ sudo add-apt-repository ppa:touchegg/stable
$ sudo apt update
$ sudo apt install touchegg
```

If these commands fail with error `GPGKeyTemporarilyNotFoundError` or `The following signatures couldn't be verified because the public key is not available`, add the signing key manually with the following command:

```shell
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C0FCE32AF6B96252
```

What do you think?
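
A defender-side way to do the manual key step above without trusting whatever the keyserver happens to return, as an added example that is not part of this pull request or of touchegg itself: it downloads the key over HKP, compares the full 40-hex fingerprint confirmed in this thread (not the 16-hex key ID), and only then installs it for apt. Assumptions: curl and gpg are available, the `pks/lookup` URL form and the `/etc/apt/keyrings/touchegg.gpg` path are my choice rather than anything from the thread, and the `--with-colons` sample output is constructed.

```shell
#!/bin/sh
# Full fingerprint of the touchegg PPA signing key as confirmed in this thread.
EXPECTED_FPR="7EA12677D47B593CE22727D4C0FCE32AF6B96252"

# Print field 10 (the fingerprint) of every "fpr" record in gpg --with-colons output.
fingerprints_from_colons() {
    awk -F: '$1 == "fpr" { print toupper($10) }'
}

# Succeed only if the primary key fingerprint on stdin equals the expected one.
# Compares the full 40-hex fingerprint, not the 16-hex key ID used by
# "apt-key adv --recv-keys C0FCE32AF6B96252": a key ID does not identify a key uniquely.
verify_fingerprint() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(fingerprints_from_colons | head -n 1)   # first fpr record belongs to the primary key
    [ -n "$got" ] && [ "$got" = "$expected" ]
}

# Download the key over HKP, check its fingerprint, then install it for apt (signed-by style).
# Assumptions: curl and gpg installed, keyserver reachable, /etc/apt/keyrings exists.
install_touchegg_key() {
    tmp=$(mktemp) || return 1
    curl -fsS "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x$EXPECTED_FPR" -o "$tmp" \
        || { rm -f "$tmp"; return 1; }
    if gpg --batch --with-colons --import-options show-only --import "$tmp" 2>/dev/null \
        | verify_fingerprint "$EXPECTED_FPR"; then
        gpg --batch --dearmor < "$tmp" | sudo tee /etc/apt/keyrings/touchegg.gpg >/dev/null
        rm -f "$tmp"; return 0
    fi
    echo "touchegg key fingerprint does not match $EXPECTED_FPR; not installing" >&2
    rm -f "$tmp"; return 1
}

# Constructed sample of what "gpg --with-colons --import-options show-only --import" prints for
# a key with the expected fingerprint plus one subkey (dates and hashes are made up).
SAMPLE_COLONS='pub:-:4096:1:C0FCE32AF6B96252:1600000000:::-:::scESC::::::23::0:
fpr:::::::::7EA12677D47B593CE22727D4C0FCE32AF6B96252:
uid:-::::1600000000::0000000000000000000000000000000000000000::Launchpad PPA for touchegg::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1600000000::::::s::::::23:
fpr:::::::::0000000000000000000000000123456789ABCDEF:'

# Offline self-check against the constructed sample.
printf '%s\n' "$SAMPLE_COLONS" | verify_fingerprint "$EXPECTED_FPR" \
    && echo "sample fingerprint matches" || echo "sample fingerprint MISMATCH"
```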

joelpurra commented 1 year ago

@JoseExposito: generally, I'd say Ubuntu users should simply "rerun add-apt-repository until it succeeds". Updated the pull request.


As noted in another issue, your PPA key was (seemingly) removed from Ubuntu's keyserver. They may have reset the system or something, which would explain the recent 404 errors (and probably error 500 too). I find that to be unexpected but did not investigate why, since it's easy to re-upload the key.

Simple public key management

Anyone can upload any public OpenPGP/GnuPG key; I just re-uploaded yours. This [may be considered rude in some situations](https://en.wikipedia.org/wiki/Key_server_(cryptographic)#Privacy_concerns); it's better if you monitor regularly and upload/update your own key as needed.

```shell
# NOTE: download and merge the latest key packets.
gpg --keyserver keyserver.ubuntu.com --receive-keys 7EA12677D47B593CE22727D4C0FCE32AF6B96252
```

```shell
# NOTE: upload and publish local key packets.
gpg --keyserver keyserver.ubuntu.com --send-keys 7EA12677D47B593CE22727D4C0FCE32AF6B96252
```

Since Ubuntu's keyserver is unreliable, you might want to upload (and maintain) your key to a few [other keyservers](https://en.wikipedia.org/wiki/Key_server_(cryptographic)#Keyserver_examples), too.

joelpurra commented 1 year ago

@JoseExposito: no worries. Avoided writing more general instructions (Debian etcetera) for manual source list and key handling though, since the PPA is very Ubuntu-focused (version/codename).