Verification of flatpaks using GPG

Martin Sehnoutka msehnout at redhat.com
Thu Jun 6 06:22:30 UTC 2019


On 05/06/2019 16:50, gandersson wrote:
> Martin,
> 
> I found it interesting, so I jump in...
> 
> On Wed, 2019-06-05 at 13:59 +0200, Martin Sehnoutka wrote:
> 
>> [...trimmed...]
> 
>>>> I wrote an extension for dnf (the package manager for Fedora)
>>>> which can automatically verify the key during the import phase
>>>> and also check already imported keys from RPM database before
>>>> each transaction. I wonder if the same approach would be
>>>> applicable to flatpak or it works differently.
>>>
>>> Verify in what sense? You mean for old keys?
>>
>> During the first usage it verifies that the key is indeed the
>> one from the author. e.g. for Fedora package signing keys
>> it will check that the key is the one listed here:
>> https://getfedora.org/en/security/
>> (it will do that by other means than checking the website,
>> but the idea is the same)
> 
> Why not explain what you mean by "other means"?  Are there other

As explained in the email that followed: The key is stored in a DNS 
server and it uses DNSSEC to verify the key.

So it uses a validating resolver to download the key, validates the chain 
of trust from the root zone to the OPENPGPKEY RR and then compares the 
key with the one you are trying to install.

> means than to compare to something fetched from a known site,
> or to ask gpg if the key is verified (as indicated by
> existing signatures for the key, coming from other
> trusted keys?)
> 
> (Feel free to just point to the code if that's easier)

Here is the PR that introduced this functionality into dnf:
https://github.com/rpm-software-management/dnf/pull/1085/files#diff-06f71b2a25d8edb54bfd9357e48d7dfeR152

Hope that answers your question :)

> 
> Thanks,
> - Gunnar
> 

-- 
Martin Sehnoutka
Software Engineer
Red Hat
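As an added illustration of the DNS-based check described in the message above (example code, not the dnf plugin from the linked PR and not part of the original mail): the OPENPGPKEY owner name for an address is derived as in RFC 7929 (SHA-256 of the local part, truncated to 28 octets, under the `_openpgpkey` label of the domain), the answer is only trusted if the validating resolver reports it as DNSSEC-secure, and the candidate key is then compared with the published one. The resolver result is constructed inline here rather than fetched; a real implementation would obtain it from a validating library and the `secure`/`bogus` fields mirror what such libraries report. Comparing whole key blobs is a simplification assumed for this demo; production code would compare the primary key fingerprint, since the same key can be exported with different subkeys or signatures attached.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

RRTYPE_OPENPGPKEY = 61  # IANA RR type number for OPENPGPKEY (RFC 7929)


@dataclass
class DnsAnswer:
    """Constructed stand-in for a validating resolver's result."""
    secure: bool            # resolver completed DNSSEC validation successfully
    bogus: bool = False     # validation was attempted and failed
    rdata: list = field(default_factory=list)  # raw OPENPGPKEY rdata blobs


def openpgpkey_owner_name(email: str) -> str:
    """Build the RFC 7929 owner name, e.g. <hash>._openpgpkey.example.com."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    # SHA-256 of the local part, truncated to 28 octets = 56 hex characters
    label = hashlib.sha256(local.encode("utf-8")).hexdigest()[:56]
    return f"{label}._openpgpkey.{domain.rstrip('.')}."


def key_matches_dns(candidate_key: bytes, answer: DnsAnswer) -> str:
    """Decide whether the key being imported matches the DNSSEC-published one.

    Returns one of: "bogus", "insecure", "nodata", "match", "mismatch".
    Only a "match" should let the import proceed unattended; "insecure"
    means the zone is not signed, so DNS provides no evidence either way.
    """
    if answer.bogus:
        return "bogus"          # chain of trust broke: fail closed
    if not answer.secure:
        return "insecure"       # unsigned zone: nothing to verify against
    if not answer.rdata:
        return "nodata"
    want = hashlib.sha256(candidate_key).digest()
    for blob in answer.rdata:
        # constant-time comparison of digests (simplified: whole-blob match)
        if hmac.compare_digest(hashlib.sha256(blob).digest(), want):
            return "match"
    return "mismatch"


def verify_keys(keys_by_email: dict, lookup) -> dict:
    """Check several keys at once, as a pre-transaction keyring audit would.

    `lookup(owner_name)` is assumed to return a DnsAnswer; here the caller
    supplies a constructed resolver so the whole thing runs offline.
    """
    return {
        email: key_matches_dns(key, lookup(openpgpkey_owner_name(email)))
        for email, key in keys_by_email.items()
    }


# ---- constructed sample data (not real keys) ------------------------------
PUBLISHED_KEY = b"-----constructed OpenPGP public key for security@example.com-----"
OTHER_KEY = b"-----constructed OpenPGP public key that was never published-----"

SAMPLE_ZONE = {
    openpgpkey_owner_name("security@example.com"): DnsAnswer(secure=True, rdata=[PUBLISHED_KEY]),
    openpgpkey_owner_name("unsigned@example.net"): DnsAnswer(secure=False, rdata=[PUBLISHED_KEY]),
    openpgpkey_owner_name("broken@example.org"): DnsAnswer(secure=False, bogus=True),
}


def sample_lookup(owner_name: str) -> DnsAnswer:
    """Offline resolver over the constructed zone; unknown names yield NODATA."""
    return SAMPLE_ZONE.get(owner_name, DnsAnswer(secure=True, rdata=[]))


if __name__ == "__main__":
    results = verify_keys(
        {
            "security@example.com": PUBLISHED_KEY,   # match
            "security@example.com ": OTHER_KEY,       # would be a mismatch
            "unsigned@example.net": PUBLISHED_KEY,    # insecure
            "broken@example.org": PUBLISHED_KEY,      # bogus
        },
        sample_lookup,
    )
    for email, verdict in results.items():
        print(f"{email!r}: {verdict}")
```

The owner-name derivation is the part most often gotten wrong: the hash covers only the local part, before the `@`, and is truncated to 56 hex characters before the `_openpgpkey` label is appended.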
