Verification of flatpaks using GPG
Alexander Larsson
alexl at redhat.com
Wed Jun 5 11:44:49 UTC 2019
On Wed, Jun 5, 2019 at 12:20 PM Martin Sehnoutka <msehnout at redhat.com> wrote:
>
> Hi,
>
> Flatpak uses GPG to verify packages (flatpaks), right? I checked the
> source code and documentation and I assume the answer is yes, just want
> to be sure :-)

Yes, or rather ostree does so on behalf of flatpak.

> I have a few questions regarding the key storage. Where are the keys
> stored? Are they somehow verified before each transaction or just
> trusted since the day they were imported?

Typically each remote has a key in the repo directory. For example,
/var/lib/flatpak/repo/flathub.trustedkeys.gpg for my system flatpak
remote. A remote can also trigger adding a new key by adding some
metadata in the summary file (signed with the old key), although when you
eventually switch over to the new one you'll risk kicking out whoever
didn't run an update "lately". The initial key is installed when the
remote is added, typically from the .flatpakrepo file.

The summary file and each commit are signed, and we verify them while
pulling from the remote, and abort the download if verification fails.

> I wrote an extension for dnf (the package manager for Fedora) which can
> automatically verify the key during the import phase and also check
> already imported keys from RPM database before each transaction. I
> wonder if the same approach would be applicable to flatpak or if it
> works differently.

Verify in what sense? You mean for old keys?
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Alexander Larsson Red Hat, Inc
alexl at redhat.com alexander.larsson at gmail.com
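The thread above describes where a flatpak remote's trusted keys live (a per-remote keyring such as /var/lib/flatpak/repo/flathub.trustedkeys.gpg) and asks whether those keys are re-checked before each transaction. The script below is an added example, not code from this thread or from the flatpak/ostree projects: it audits such a keyring for expired or revoked keys by parsing the machine-readable `gpg --with-colons` listing. It assumes the <remote>.trustedkeys.gpg naming under the system repo directory quoted in the reply, assumes `gpg` is on PATH, and the embedded sample listing (key IDs, fingerprints, user IDs) is constructed so the parser and audit can be exercised offline.

```python
"""Audit the GPG keys a flatpak remote trusts for expiry/revocation.

Added example (not from the mailing-list thread or the flatpak/ostree
projects). Assumes the per-remote keyring path quoted in the thread,
/var/lib/flatpak/repo/<remote>.trustedkeys.gpg, and the documented
`gpg --with-colons` record layout. SAMPLE_LISTING is constructed data.
"""
import subprocess
import time
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# System-wide flatpak installation, as named in the reply above (assumption).
FLATPAK_REPO = Path("/var/lib/flatpak/repo")


@dataclass
class TrustedKey:
    fingerprint: str
    uid: str
    created: int             # epoch seconds
    expires: Optional[int]   # epoch seconds, None if the key never expires
    validity: str            # gpg validity letter: 'e' expired, 'r' revoked, ...


def keyring_path(remote: str) -> Path:
    """Keyring ostree keeps for a named remote (layout from the thread)."""
    return FLATPAK_REPO / f"{remote}.trustedkeys.gpg"


def list_keys_colons(keyring: Path) -> str:
    """Run gpg against a standalone keyring file; return the colon listing."""
    out = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", str(keyring),
         "--list-keys", "--with-colons", "--with-fingerprint"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout


def parse_colons(listing: str) -> List[TrustedKey]:
    """Parse primary keys from `gpg --with-colons` output.

    Field numbering follows gpg's DETAILS document: pub field 2 validity,
    6 creation, 7 expiry; fpr and uid records carry their value in field 10.
    Only the first fpr after a pub record is the primary fingerprint; later
    fpr records belong to subkeys and are ignored.
    """
    keys: List[TrustedKey] = []
    current: Optional[TrustedKey] = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = TrustedKey(
                fingerprint="", uid="",
                created=int(f[5]),
                expires=int(f[6]) if f[6] else None,
                validity=f[1],
            )
            keys.append(current)
        elif f[0] == "fpr" and current is not None and not current.fingerprint:
            current.fingerprint = f[9]
        elif f[0] == "uid" and current is not None and not current.uid:
            current.uid = f[9]
    return keys


def audit(keys: List[TrustedKey], now: Optional[int] = None) -> List[str]:
    """Return one finding per key that should no longer be trusted."""
    now = int(time.time()) if now is None else now
    findings = []
    for k in keys:
        if k.validity == "r":
            findings.append(f"{k.fingerprint} ({k.uid}) is revoked")
        elif k.validity == "e" or (k.expires is not None and k.expires <= now):
            findings.append(f"{k.fingerprint} ({k.uid}) has expired")
    return findings


def audit_remote(remote: str) -> List[str]:
    """Audit the trusted keyring of one configured remote on this host."""
    return audit(parse_colons(list_keys_colons(keyring_path(remote))))


# Constructed sample: one current key and one expired key (validity 'e').
SAMPLE_LISTING = """tru::1:1600000000:0:3:1:5
pub:-:4096:1:0123456789ABCDEF:1500000000:1900000000::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:-::::1500000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Remote Signing Key (constructed) <signing at example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1500000000:1900000000:::::s::::::23:
fpr:::::::::000000000000000000000000FEDCBA9876543210:
pub:e:4096:1:1111111111111111:1400000000:1500000000::-:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:e::::1400000000::0123456789ABCDEF0123456789ABCDEF01234567::Old Remote Signing Key (constructed) <old at example.invalid>::::::::::0:
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed listing.
    for finding in audit(parse_colons(SAMPLE_LISTING), now=1700000000):
        print(finding)
```

Run `audit_remote("flathub")` on a host with flatpak installed to check the real keyring; because ostree only consults this file when verifying a pull, an expired or revoked key is not flagged until the next update attempt fails, which is the gap the dnf-style pre-transaction check in the thread is about.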