Verification of flatpaks using GPG

Alexander Larsson alexl at redhat.com
Wed Jun 5 12:38:26 UTC 2019


On Wed, Jun 5, 2019 at 2:36 PM Martin Sehnoutka <msehnout at redhat.com> wrote:
>
> > So, given a flatpakrepo file with some arbitrary gpg key. How would it
> > know that the author created that key? Keyserver? Can't anyone
> > add whatever they want to a keyserver? Chain of trust? Who defines the
> > trust roots?
>
> The key is stored in a DNS server and it uses DNSSEC to verify the key.
> So the chain of trust starts with the root zone signing key which is
> installed with the operating system. So as far as you trust the OS
> installation it should be fine :).
>
> It uses this algorithm:
> https://tools.ietf.org/html/rfc7929#section-3
> to map the email address associated with the GPG key into a domain.
>
> So the author of the flatpakrepo file must be in charge of the DNS
> server responsible for the mailserver domain. e.g. for Fedora signing
> keys this key:
> fedora-29@fedoraproject.org
> maps to this domain:
> 557d8ff0f0f4c6c9fc7140670cc85400dcee5aeb1ac2412e90f41e45._openpgpkey.fedoraproject.org
>
> and you can get the key like this:
> $ dig <the-domain-from-above> OPENPGPKEY
>
> Of course it could be a problem for an individual who uses email from
> Gmail or similar server.
>
> I hope this answers the questions above.

Cool, yeah, that makes a lot of sense.
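The RFC 7929 mapping described in the quoted message is short enough to work through in code. The following is an added example, not code from this thread or from the Flatpak project: it computes the OPENPGPKEY owner name for an email address (SHA-256 of the UTF-8 local-part, truncated to 28 octets, hex-encoded, then the fixed `_openpgpkey` label and the domain), parses such a name back into its parts, and builds the `dig` query the message shows. The function names and the sample address are my own; the local-part is hashed exactly as given, with no case folding, while the domain part is lowercased since DNS names are case-insensitive.

```python
import hashlib
import re

# Fixed label that separates the hashed local-part from the domain (RFC 7929 section 3).
OPENPGPKEY_LABEL = "_openpgpkey"

# 28 octets of SHA-256 output become 56 lowercase hex characters in the left-most label.
HASH_OCTETS = 28
_OWNER_NAME_RE = re.compile(
    r"^(?P<hash>[0-9a-f]{56})\." + re.escape(OPENPGPKEY_LABEL) + r"\.(?P<domain>[^.].*)$"
)


def openpgpkey_owner_name(email: str) -> str:
    """Return the DNS owner name under which RFC 7929 publishes the key for `email`.

    The name only tells a client *where* to look. Whether the record at that
    name can be trusted depends entirely on DNSSEC validation of the answer,
    i.e. the chain from the root zone key down to the domain's zone.
    """
    # rpartition keeps any '@' that appears inside a quoted local-part.
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not an email address: {email!r}")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:HASH_OCTETS]
    # DNS is case-insensitive for the domain; the local-part is hashed verbatim.
    zone = domain.lower().rstrip(".")
    return f"{digest.hex()}.{OPENPGPKEY_LABEL}.{zone}"


def parse_owner_name(name: str) -> tuple[str, str]:
    """Split an OPENPGPKEY owner name into (hash_hex, domain).

    Raises ValueError if the name does not have the RFC 7929 shape; this is
    the check a client should apply before treating a name as a key location.
    """
    match = _OWNER_NAME_RE.match(name.rstrip("."))
    if match is None:
        raise ValueError(f"not an OPENPGPKEY owner name: {name!r}")
    return match.group("hash"), match.group("domain")


def dig_command(email: str) -> list[str]:
    """Build the lookup shown in the thread, asking for DNSSEC data as well.

    `+dnssec` requests RRSIG records; a validating resolver additionally marks a
    verified answer with the AD flag, which is what the trust chain rests on.
    """
    return ["dig", "+dnssec", openpgpkey_owner_name(email), "OPENPGPKEY"]


if __name__ == "__main__":
    # Sample address taken from the thread; the owner name printed here is computed
    # locally and can be compared with the one quoted in the message.
    sample = "fedora-29@fedoraproject.org"
    print(openpgpkey_owner_name(sample))
    print(" ".join(dig_command(sample)))
```

Running the script prints the computed owner name for `fedora-29@fedoraproject.org` and the corresponding `dig` invocation; the hash label can be compared against the one quoted in the message above. The `parse_owner_name` check is the piece a defender would keep: it rejects anything that is not a 56-hex-character label followed by `_openpgpkey` and a domain, so a malformed or attacker-chosen name cannot be passed on to a resolver as if it were a key location.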

