Verification of flatpaks using GPG

Martin Sehnoutka msehnout at redhat.com
Wed Jun 5 10:20:40 UTC 2019


Hi,

Flatpak uses GPG to verify packages (flatpaks), right? I checked the
source code and documentation and I assume the answer is yes, just want
to be sure :-)

I have a few questions regarding the key storage. Where are the keys
stored? Are they somehow verified before each transaction or just
trusted since the day they were imported?

I wrote an extension for dnf (the package manager for Fedora) which can
automatically verify the key during the import phase and also check
already imported keys from the RPM database before each transaction. I
wonder if the same approach would be applicable to flatpak or if it
works differently.
Source code: https://github.com/rpm-software-management/dnf/pull/1085

Regards,
-- 
Martin Sehnoutka
Software Engineer
Red Hat
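The two-phase policy the message describes (verify a signing key at import time, then re-check every already-imported key before each transaction), as an added example that is not part of the original message and not code from dnf or flatpak. It pins keys by OpenPGP v4 fingerprint (RFC 4880 section 12.2, SHA-1 over 0x99, a two-byte length and the public-key packet body). The key material, the `KeyStore` class, the pinned-fingerprint source and the creation-age limit used as a stand-in for key expiry are all constructed assumptions for illustration.

```python
"""Import-time and pre-transaction verification of pinned signing keys.
Added example; not dnf or flatpak code. The key below is a constructed,
throwaway OpenPGP v4 RSA public-key packet body, not a real key."""
import hashlib
import struct


def build_v4_pubkey_body(created, n_bytes, e_bytes):
    """Minimal OpenPGP v4 public-key packet body (RFC 4880 section 5.5.2):
    version, creation time, algorithm id (1 = RSA), then the MPIs n and e."""
    def mpi(b):
        b = b.lstrip(b"\x00") or b"\x00"
        bits = (len(b) - 1) * 8 + b[0].bit_length()
        return struct.pack(">H", bits) + b
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n_bytes) + mpi(e_bytes)


def v4_fingerprint(body):
    """RFC 4880 section 12.2: SHA-1 over 0x99 || 2-byte body length || body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_created(body):
    """Creation timestamp stored in bytes 1..4 of a v4 key packet body."""
    return struct.unpack(">I", body[1:5])[0]


class KeyStore:
    """Keys are only trusted while they still match an out-of-band pinned
    fingerprint; trust is not granted once at import and kept forever."""

    def __init__(self, pinned):
        self.pinned = pinned   # name -> fingerprint obtained from a trusted source
        self.imported = {}     # name -> raw public-key packet body

    def import_key(self, name, body):
        """Import phase: refuse a key whose fingerprint is not the pinned one."""
        if self.pinned.get(name) != v4_fingerprint(body):
            return False
        self.imported[name] = body
        return True

    def verify_before_transaction(self, name, now, max_age, revoked=frozenset()):
        """Pre-transaction phase: re-derive the fingerprint from the stored key
        (catches tampering of the store), re-check the pin, the revocation list
        and a creation-age limit (an assumed stand-in for OpenPGP expiry)."""
        body = self.imported.get(name)
        if body is None:
            return False
        fpr = v4_fingerprint(body)
        if fpr != self.pinned.get(name) or fpr in revoked:
            return False
        return now - key_created(body) <= max_age


# Constructed demo key: created at the message's own timestamp, toy 256-bit n.
DEMO_CREATED = 1559730040
DEMO_KEY = build_v4_pubkey_body(DEMO_CREATED, b"\xc3" + b"\x5a" * 31, b"\x01\x00\x01")
DEMO_PIN = v4_fingerprint(DEMO_KEY)
ONE_YEAR = 365 * 86400


def run_demo():
    """Exercise both phases; every entry should be True."""
    store = KeyStore({"demo-remote": DEMO_PIN})
    tampered = DEMO_KEY[:-1] + b"\x02"          # last byte of e changed
    imported_ok = store.import_key("demo-remote", DEMO_KEY)
    tampered_import_rejected = not store.import_key("demo-remote", tampered)
    fresh_check_ok = store.verify_before_transaction(
        "demo-remote", DEMO_CREATED + 100, ONE_YEAR)
    stale_check_rejected = not store.verify_before_transaction(
        "demo-remote", DEMO_CREATED + 400 * 86400, ONE_YEAR)
    store.imported["demo-remote"] = tampered   # key store altered after import
    tampered_store_rejected = not store.verify_before_transaction(
        "demo-remote", DEMO_CREATED + 100, ONE_YEAR)
    return (imported_ok, tampered_import_rejected, fresh_check_ok,
            stale_check_rejected, tampered_store_rejected)


if __name__ == "__main__":
    print(run_demo())
```

The point of recomputing the fingerprint from the stored packet on every transaction, rather than caching the result of the import check, is that it makes the trust decision depend on the current contents of the key store and the current pin list, which is what distinguishes "verified before each transaction" from "trusted since the day it was imported".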
