Verification of flatpaks using GPG

Jeremiah C. Foster jeremiah.foster at puri.sm
Wed Jun 5 15:43:17 UTC 2019


On Wed, 2019-06-05 at 14:38 +0200, Alexander Larsson wrote:
> On Wed, Jun 5, 2019 at 2:36 PM Martin Sehnoutka <msehnout at redhat.com>
> wrote:
> > > So, given a flatpakrepo file with some arbitrary gpg key. How would it
> > > know that the author created that key? Keyserver? Can't anyone add
> > > whatever they want to a keyserver? Chain of trust? Who defines the
> > > trust roots?
> > 
> > The key is stored in a DNS server and it uses DNSSEC to verify the key.

Is this documented somewhere?

> > So the chain of trust starts with the root zone signing key which is
> > installed with the operating system. So as far as you trust the OS
> > installation it should be fine :).

> > It uses this algorithm:
> > https://tools.ietf.org/html/rfc7929#section-3
> > to map the email address associated with the GPG key into a domain.
> > 
> > So the author of the flatpakrepo file must be in charge of the DNS
> > server responsible for the mailserver domain. e.g. for Fedora signing
> > keys this key:
> > fedora-29 at fedoraproject.org
> > maps to this domain:
> > 557d8ff0f0f4c6c9fc7140670cc85400dcee5aeb1ac2412e90f41e45._openpgpkey.fedoraproject.org
> > 
> > and you can get the key like this:
> > $ dig <the-domain-from-above> OPENPGPKEY

$ dig fedoraproject.org OPENPGPKEY

; <<>> DiG 9.11.5-P4-5-Debian <<>> fedoraproject.org OPENPGPKEY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45768
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;fedoraproject.org.		IN	OPENPGPKEY

;; AUTHORITY SECTION:
fedoraproject.org.	300	IN	SOA	ns04.fedoraproject.org.
hostmaster.fedoraproject.org. 2559566740 3600 600 2419200 86400

;; Query time: 62 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jun 05 11:19:47 EDT 2019
;; MSG SIZE  rcvd: 98

Thought I would add a real-world example.

Cheers,

Jeremiah
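The RFC 7929 mapping quoted above (hash the local-part with SHA2-256, truncate to 28 octets, prepend the hex label to `_openpgpkey.` plus the mail domain) is short enough to write out, and doing so makes the point of the `dig` run above clear: the record lives under the hashed label, not under the bare mail domain, so querying `fedoraproject.org OPENPGPKEY` directly returns no answer. The following is an added example, not code from the thread or from flatpak. It builds the lookup name, and adds a sanity check on what an answer should contain: OPENPGPKEY RDATA is a transferable OpenPGP public key, so its first packet must carry tag 6 (Public-Key). The base64 blobs below are constructed for the example (only the packet header byte is meaningful; they are not real keys), and the `_openpgpkey` label construction follows RFC 7929 section 3 as referenced in the thread.

```python
"""Build the OPENPGPKEY owner name for an e-mail address (RFC 7929 section 3)
and sanity-check the RDATA that a lookup returns. Added example; nothing here
is flatpak's own code."""
import base64
import hashlib

OPENPGPKEY_SUBDOMAIN = "_openpgpkey"

# Value quoted in the thread for fedora-29 at fedoraproject.org, kept here so a
# reader can compare it with what openpgpkey_owner_name() prints.
THREAD_EXAMPLE_NAME = (
    "557d8ff0f0f4c6c9fc7140670cc85400dcee5aeb1ac2412e90f41e45"
    "._openpgpkey.fedoraproject.org"
)


def openpgpkey_owner_name(email: str) -> str:
    """Return the DNS name whose OPENPGPKEY RRset should hold the key for `email`.

    RFC 7929 section 3: SHA2-256 over the UTF-8 local-part, digest truncated to
    28 octets, written as 56 lowercase hex characters, then the fixed label
    "_openpgpkey", then the domain part. The local-part is used as-is (no case
    folding), so 'Fedora-29' and 'fedora-29' map to different names.
    """
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}.{OPENPGPKEY_SUBDOMAIN}.{domain}"


def openpgp_packet_tag(data: bytes) -> int:
    """Return the tag of the first OpenPGP packet in `data` (RFC 4880 section 4.2).

    Bit 7 of the first octet must be set. With bit 6 set the header is
    new-format and the tag is the low six bits; otherwise it is old-format and
    the tag sits in bits 5..2.
    """
    if not data or not data[0] & 0x80:
        raise ValueError("data does not start with an OpenPGP packet header")
    first = data[0]
    if first & 0x40:
        return first & 0x3F
    return (first >> 2) & 0x0F


def looks_like_transferable_public_key(rdata_b64: str) -> bool:
    """Check that base64 OPENPGPKEY RDATA (presentation format) begins with a
    Public-Key packet (tag 6), as a transferable public key must."""
    raw = base64.b64decode(rdata_b64, validate=True)
    return openpgp_packet_tag(raw) == 6


# Constructed RDATA samples: old-format header 0x99 = tag 6 (Public-Key) with a
# 2-octet length; 0x88 = tag 2 (Signature). The bodies are filler, not real keys.
CONSTRUCTED_KEY_RDATA = base64.b64encode(b"\x99\x00\x05\x04\x00\x00\x00\x00").decode()
CONSTRUCTED_NOT_A_KEY_RDATA = base64.b64encode(b"\x88\x00\x05\x04\x00\x00\x00\x00").decode()


if __name__ == "__main__":
    name = openpgpkey_owner_name("fedora-29@fedoraproject.org")
    print("computed :", name)
    print("in thread:", THREAD_EXAMPLE_NAME)
    # This, not the bare mail domain, is what to pass to dig (the run above
    # queried fedoraproject.org itself and therefore got ANSWER: 0):
    print(f"$ dig {name} OPENPGPKEY")
    print("constructed key RDATA passes tag check:",
          looks_like_transferable_public_key(CONSTRUCTED_KEY_RDATA))
```

A resolver-side caveat the thread's chain-of-trust argument relies on: the answer is only as trustworthy as its DNSSEC validation, so whatever fetches the record must check the AD bit from a validating resolver (or validate itself) before handing the key to GPG; an unvalidated OPENPGPKEY answer is just a blob of bytes anyone on the path could have substituted.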