Task #2025
Please sign flatpak packages (status: open)
Description
Currently, when installing the flatpak package from https://www.libreoffice.org/download/flatpak/ , you'll be downloading an unsigned binary from an HTTP mirror of downloads.documentfoundation.org. This is insecure because it is easy to man-in-the-middle attack.
I suggest shipping a public key in the wiki instead and adding the LibreOffice flatpak repo via command line. The package should be installed through flatpak too, so there is no error-prone download of a 150MB binary through the browser.
PS: Just in case I am reporting this at a wrong place, please feel free to move it to where it belongs.
Updated by Stephan Bergmann about 8 years ago
The LibreOffice.flatpak (as well as the LO flatpak repo) is signed with the usual TDF key. If you download that key from a keyserver, you can call 'flatpak install --bundle ...' with an additional --gpg-file=... option to check the content against that key during installation. Independently, the repo information that flatpak extracts from the 'flatpak install --bundle ...' step (so you can e.g. do a 'flatpak update ...' later) contains the relevant key information, the same way as if you explicitly added the repo with 'flatpak remote-add --gpg-import=... ...'.
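A verified install along the lines Stephan describes (key from a keyserver, then --gpg-file on the bundle install and --gpg-import on the remote), as an added example that is not part of this thread or of LibreOffice's own download instructions. The key fingerprint, keyserver and repo URL are placeholders, and FLATPAK can be pointed at a stub for dry runs.

```shell
#!/bin/sh
# Added example (not from the issue thread or from LibreOffice/TDF).
# Fetch the TDF signing key by full fingerprint, export it to a keyring
# file, and make flatpak refuse the bundle unless its signature verifies.
set -eu

TDF_KEY_FPR="${TDF_KEY_FPR:-0000000000000000000000000000000000000000}"  # PLACEHOLDER fingerprint
KEYSERVER="${KEYSERVER:-hkps://keys.openpgp.org}"                       # assumed keyserver
KEYFILE="${KEYFILE:-tdf-signing-key.gpg}"
BUNDLE="${BUNDLE:-LibreOffice.flatpak}"
FLATPAK="${FLATPAK:-flatpak}"   # path to flatpak; a stub can be substituted for dry runs

# Fetch by full fingerprint (never a short key id) and export a binary
# keyring, which is the form --gpg-file / --gpg-import read.
fetch_key() {
    gpg --keyserver "$KEYSERVER" --recv-keys "$TDF_KEY_FPR"
    gpg --export "$TDF_KEY_FPR" > "$KEYFILE"
    [ -s "$KEYFILE" ] || { echo "key export failed" >&2; return 1; }
}

# Install the single-file bundle; flatpak aborts if the bundle's signature
# does not verify against the key in KEYFILE.
verified_install() {
    [ -s "$KEYFILE" ] || { echo "missing key file $KEYFILE; run fetch_key first" >&2; return 1; }
    [ -f "$BUNDLE" ]  || { echo "bundle $BUNDLE not found" >&2; return 1; }
    "$FLATPAK" install --bundle --gpg-file="$KEYFILE" "$BUNDLE"
}

# Add the repo explicitly with the same key trusted, so later updates are
# signature-checked too. Usage: add_remote NAME URL (URL is an assumption).
add_remote() {
    [ -s "$KEYFILE" ] || { echo "missing key file $KEYFILE" >&2; return 1; }
    "$FLATPAK" remote-add --if-not-exists --gpg-import="$KEYFILE" "$1" "$2"
}

main() {
    fetch_key
    verified_install
}

# Only perform the real install when explicitly requested.
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then main; fi
```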
Updated by A B about 8 years ago
Stephan Bergmann wrote:
The LibreOffice.flatpak (as well as the LO flatpak repo) is signed with the usual TDF key. If you download that key from a keyserver, you can call 'flatpak install --bundle ...' with an additional --gpg-file=... option to check the content against that key during installation.
And where can I find this key file? Can you please add that to the download instructions?
By the way, why doesn't the flatpak bundle install GNOME dependencies?
Updated by Stephan Bergmann about 8 years ago
A B wrote:
And where can I find this key file? Can you please add that to the download instructions?
Can somebody from Release Engineering or Infra please do that? I have no idea where or how to obtain the public key for the TDF code signing key.
By the way, why doesn't the flatpak bundle install GNOME dependencies?
Sorry, I don't understand that question. (And better take that side discussion somewhere else, <http://www.libreoffice.org/community/developers/> "Talk to developers" section has useful links; I'm sberg on IRC.)
Updated by Florian Effenberger almost 8 years ago
Cloph could help here (and Mike probably update the DL page), poked Cloph on #libreoffice-dev