Verification of flatpaks using GPG

gandersson gandersson at genivi.org
Wed Jun 5 14:50:20 UTC 2019


Martin,

I found it interesting, so I'm jumping in...

On Wed, 2019-06-05 at 13:59 +0200, Martin Sehnoutka wrote:

> [...trimmed...]

> > > I wrote an extension for dnf (the package manager for Fedora) 
> > > which can automatically verify the key during the import phase
> > > and also check already imported keys from RPM database before
> > > each transaction. I wonder if the same approach would be 
> > > applicable to flatpak or it works differently.
> > 
> > Verify in what sense? You mean for old keys?
> 
> During the first usage it verifies that the key is indeed the 
> one from the author. e.g. for Fedora package signing keys 
> it will check that the key is the one listed here: 
> https://getfedora.org/en/security/ 
> (it will do that by other means than checking the website, 
> but the idea is the same)

Why not explain what you mean by "other means"?  Are there other
means than to compare to something fetched from a known site, 
or to ask gpg if the key is verified (as indicated by
existing signatures for the key, coming from other 
trusted keys?)

(Feel free to just point to the code if that's easier)

Thanks,
- Gunnar

-- 
Gunnar Andersson <gandersson at genivi.org>
Development Lead
GENIVI Alliance
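An added illustration of the two "means" Gunnar asks about (this is editor-supplied example code, not from Gunnar's or Martin's message and not the dnf extension Martin describes): the first half recomputes a key's OpenPGP v4 fingerprint from the raw public-key packet and compares it with a pinned fingerprint published out of band, which is what a check against a page like the Fedora security page boils down to; the second half parses `gpg --check-sigs --with-colons` output and accepts the key only if a key already in a trusted set has placed a good certification signature on it. The key packet, the colon-format output, and every key ID and fingerprint in the block are constructed for the demonstration; the `gpg` record layout follows the documented colon format but the sample lines are hand-written, not captured.

```python
"""Two ways to decide that an imported OpenPGP key is the expected one.

Added example; none of this is from the mailing-list thread or from the
dnf extension mentioned in it.  The key packet and gpg output below are
constructed for the demonstration.
  1. Fingerprint pinning: recompute the v4 fingerprint from the raw
     public-key packet (RFC 4880 section 12.2) and compare it with one
     published out of band.
  2. Web of trust: parse `gpg --check-sigs --with-colons` output and accept
     the key only if an already-trusted key certified it.
"""
import hashlib
import struct


def parse_public_key_packet(data):
    """Parse an old-format OpenPGP public-key packet (tag 6, v4).
    Returns version, creation time, algorithm id and the raw body; the
    algorithm-specific MPIs are left opaque (not needed for the fingerprint)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:
        raise ValueError("new-format packet headers are out of scope here")
    tag = (ctb >> 2) & 0x0F
    if tag != 6:
        raise ValueError("expected public-key packet (tag 6), got %d" % tag)
    length_type = ctb & 0x03
    if length_type == 0:
        body_len, off = data[1], 2
    elif length_type == 1:
        body_len, off = struct.unpack(">H", data[1:3])[0], 3
    elif length_type == 2:
        body_len, off = struct.unpack(">I", data[1:5])[0], 5
    else:
        raise ValueError("indeterminate-length packets are not keys")
    body = data[off:off + body_len]
    if len(body) != body_len:
        raise ValueError("truncated packet")
    if body[0] != 4:
        raise ValueError("only v4 keys are handled, got v%d" % body[0])
    created, algo = struct.unpack(">IB", body[1:6])
    return {"version": 4, "created": created, "algo": algo, "body": body}


def v4_fingerprint(packet):
    """v4 fingerprint: SHA-1 over 0x99 || 2-byte body length || body."""
    body = parse_public_key_packet(packet)["body"]
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def is_pinned(fingerprint, pinned):
    """True if the fingerprint is in the pinned set (spacing and case ignored)."""
    norm = lambda s: s.replace(" ", "").upper()
    return norm(fingerprint) in {norm(p) for p in pinned}


# Constructed key packet: v4, RSA (algo 1), tiny fake MPIs.  Not a usable key.
CONSTRUCTED_KEY_PACKET = (
    b"\x98\x0f"                       # old-format CTB, tag 6, 1-byte length 15
    + b"\x04"                          # version 4
    + struct.pack(">I", 1559746220)    # creation time (2019-06-05 14:50:20 UTC)
    + b"\x01"                          # algorithm: RSA
    + b"\x00\x10\xc3\x5f"              # MPI n: 16 bits (fake)
    + b"\x00\x11\x01\x00\x01"          # MPI e: 17 bits (65537)
)


def certifiers(colon_output):
    """Map primary-key fingerprint -> key IDs that issued a good ("!")
    certification on one of its user IDs.  Self-signatures are ignored (a key
    vouching for itself proves nothing); subkey records and their binding
    signatures are skipped."""
    result, fpr, keyid, in_primary = {}, None, None, False
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keyid, fpr, in_primary = f[4], None, True
        elif f[0] == "sub":
            in_primary = False
        elif f[0] == "fpr" and in_primary and fpr is None:
            fpr = f[9]
            result.setdefault(fpr, set())
        elif f[0] == "sig" and in_primary and fpr is not None:
            validity, signer = f[1], f[4]
            if validity == "!" and signer != keyid:
                result[fpr].add(signer)
    return result


def certified_by_trusted(fingerprint, colon_output, trusted_key_ids):
    """True if some key in trusted_key_ids has a good certification on the key."""
    return bool(certifiers(colon_output).get(fingerprint, set()) & set(trusted_key_ids))


# Constructed `gpg --check-sigs --with-colons` output; all IDs are made up.
CONSTRUCTED_CHECK_SIGS = """\
pub:f:4096:1:1111111111111111:1559746220::::::scESC::::::23::0:
fpr:::::::::AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111:
uid:f::::1559746220::0123456789ABCDEF0123456789ABCDEF01234567::Example Project Signing Key <signing@example.test>::::::::::0:
sig:!::1:1111111111111111:1559746220::::Example Project Signing Key <signing@example.test>:13x::1111111111111111:::8:
sig:!::1:2222222222222222:1559746221::::Trusted Release Manager <rm@example.test>:10x::2222222222222222:::8:
sig:?::1:3333333333333333:1559746222::::[User ID not found]:10x::3333333333333333:::8:
sub:f:4096:1:4444444444444444:1559746220::::::e::::::23:
fpr:::::::::BBBB4444BBBB4444BBBB4444BBBB4444BBBB4444:
sig:!::1:1111111111111111:1559746220::::Example Project Signing Key <signing@example.test>:18x::1111111111111111:::8:
"""

if __name__ == "__main__":
    fp = v4_fingerprint(CONSTRUCTED_KEY_PACKET)
    print("fingerprint:", fp, "pinned:", is_pinned(fp, {fp}))
    print("certified by trusted key:", certified_by_trusted(
        "AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111", CONSTRUCTED_CHECK_SIGS, {"2222222222222222"}))
```

The two checks answer different questions: pinning says "this is byte-for-byte the key the project published", while the web-of-trust check says "someone I already trust has vouched for this key". A package manager wanting the behaviour Martin describes would run the pinning check on first import and could re-run either check before each transaction to catch a key that was swapped in the RPM database later.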