Verification of flatpaks using GPG

Martin Sehnoutka msehnout at redhat.com
Thu Jun 6 06:26:06 UTC 2019


On 06/06/2019 01:30, Daniel Kasak wrote:
> On Wed, Jun 5, 2019 at 10:36 PM Martin Sehnoutka <msehnout at redhat.com>
> wrote:
> 
>> So the author of the flatpakrepo file must be in charge of the DNS
>> server responsible for the mailserver domain. e.g. for Fedora signing
>> keys this key:
>> fedora-29 at fedoraproject.org
>> maps to this domain:
>> 557d8ff0f0f4c6c9fc7140670cc85400dcee5aeb1ac2412e90f41e45._openpgpkey.fedoraproject.org
>>
>> and you can get the key like this:
>> $ dig <the-domain-from-above> OPENPGPKEY
>>
>> Of course it could be a problem for an individual who uses email from
>> Gmail or similar server.
>>
>> I hope this answers the questions above.
>>
> 
> Ah. This partially answers some questions I had about gpg-signing. I'm
> using a dyn dns account to host our repo, and I don't host my own email (
> any more ). Does that mean there is *no* way for me to produce a gpg-signed
> repo ( that clients can install / update without being root )?

You can produce a repository with signed content as usual. This 
extension is about verification of the GPG key itself, not the repository.

Does that answer your question?

> 
> Dan
> 

-- 
Martin Sehnoutka
Software Engineer
Red Hat
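The mapping Martin describes above (mail address to the DNS owner name that holds the OPENPGPKEY record, then `dig` to fetch it) is the RFC 7929 scheme: SHA-256 over the local part, truncated to 28 octets, hex-encoded, placed under `_openpgpkey` in the mail domain. The script below is an added example and not part of the thread or of any Flatpak tooling; it computes that owner name, builds the `dig` query, and decodes a constructed OPENPGPKEY answer line into raw key bytes while refusing a record whose owner name does not match the address being verified. `alice@example.org`, the placeholder key blob and the sample answer line are constructed for the example. Running it for `fedora-29@fedoraproject.org` should reproduce the owner name quoted in the message above.

```python
import base64
import hashlib
import re

OPENPGPKEY_LABEL = "_openpgpkey"


def openpgpkey_owner_name(email: str) -> str:
    """Map an e-mail address to the DNS owner name of its OPENPGPKEY record
    (RFC 7929): SHA-256 of the local part, hashed exactly as given (no case
    folding is applied here), truncated to the first 28 octets, hex-encoded,
    and placed under ``_openpgpkey`` in the mail domain."""
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}.{OPENPGPKEY_LABEL}.{domain}"


def dig_query(email: str) -> str:
    """The dig command from the message above, built for an arbitrary address."""
    return f"dig {openpgpkey_owner_name(email)} OPENPGPKEY"


# Presentation format of one answer line as dig prints it:
#   <owner>. <ttl> IN OPENPGPKEY <base64 of the binary OpenPGP public key>
# dig may split the base64 blob into several whitespace-separated chunks.
_ANSWER_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+OPENPGPKEY\s+(?P<data>[A-Za-z0-9+/=\s]+)$"
)


def parse_openpgpkey_answer(line: str, expected_email: str) -> bytes:
    """Decode one OPENPGPKEY answer line into raw key bytes.

    The record is rejected unless its owner name is the one derived from
    `expected_email`, so a stray or mis-published record is never accepted
    as the key for that address."""
    m = _ANSWER_RE.match(line.strip())
    if m is None:
        raise ValueError("not an OPENPGPKEY answer line")
    owner = m.group("owner").rstrip(".")
    if owner != openpgpkey_owner_name(expected_email):
        raise ValueError(f"owner {owner} does not belong to {expected_email}")
    return base64.b64decode("".join(m.group("data").split()), validate=True)


# Constructed sample data (hypothetical address, placeholder key bytes; not real DNS data).
SAMPLE_EMAIL = "alice@example.org"
SAMPLE_KEY_BYTES = b"constructed-openpgp-key-placeholder"
SAMPLE_ANSWER = (
    f"{openpgpkey_owner_name(SAMPLE_EMAIL)}. 300 IN OPENPGPKEY "
    + base64.b64encode(SAMPLE_KEY_BYTES).decode("ascii")
)

if __name__ == "__main__":
    print(dig_query("fedora-29@fedoraproject.org"))
    print(parse_openpgpkey_answer(SAMPLE_ANSWER, SAMPLE_EMAIL))
```

The decoded bytes are a binary (not ASCII-armored) OpenPGP public key and can be handed to `gpg --import` or to a library. Older `dig` builds that do not know the mnemonic accept `TYPE61` in place of `OPENPGPKEY`. The owner-name check in `parse_openpgpkey_answer` is the point of the scheme from the defender's side: the lookup only means something if the record came from the name derived from the address, and, as the thread notes, only the party controlling that domain's DNS can publish it.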
