Task #2025

Please sign flatpak packages

Added by A B over 1 year ago. Updated about 1 year ago.

Status: New
Priority: Normal
Assignee: -
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:

Description

Currently, when installing the flatpak package from https://www.libreoffice.org/download/flatpak/ , you'll be downloading an unsigned binary from an HTTP mirror of downloads.documentfoundation.org. This is insecure because it is easy to man-in-the-middle attack.

I suggest shipping a public key in the wiki instead and adding the LibreOffice flatpak repo via command line. The package should be installed through flatpak too, so there is no error-prone download of a 150MB binary through the browser.

PS: Just in case I am reporting this at a wrong place, please feel free to move it to where it belongs.

History

#1 Updated by Stephan Bergmann about 1 year ago

The LibreOffice.flatpak (as well as the LO flatpak repo) is signed with the usual TDF key. If you download that key from a keyserver, you can call 'flatpak install --bundle ...' with an additional --gpg-file=... option to check the content against that key during installation. Independently, the repo information that flatpak extracts from the 'flatpak install --bundle ...' step (so you can e.g. do a 'flatpak update ...' later) contains the relevant key information, the same way as if you explicitly added the repo with 'flatpak remote-add --gpg-import=... ...'.
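
The following script is an added example, not something from this ticket, from TDF or from the flatpak project. It shows the pinned-key install described above (bundle install with --gpg-file, or remote-add with --gpg-import) with one extra step a defender would want: the key file is only used after its full 40-hex-digit fingerprint has been compared against a value obtained from a trusted channel, so a key fetched from a keyserver or from the same mirror as the bundle cannot silently substitute for the real one. The key file path, the remote name and URL, and the fingerprint are placeholders (the fingerprint shown is not TDF's real one); the flatpak and gpg invocations only run when the script is started with the argument "run".

```shell
#!/bin/sh
# Added example (not from the ticket, TDF, or flatpak): install a flatpak
# bundle while checking it against a pinned signing key. Assumes the key was
# already fetched to KEY_FILE and that EXPECTED_FPR was copied from a trusted
# channel; the value below is a placeholder, NOT the real TDF fingerprint.
set -e

BUNDLE="${BUNDLE:-LibreOffice.flatpak}"
KEY_FILE="${KEY_FILE:-tdf-signing-key.gpg}"                 # assumed path
REMOTE_NAME="${REMOTE_NAME:-libreoffice}"                   # hypothetical remote name
REMOTE_URL="${REMOTE_URL:-https://example.invalid/repo}"    # placeholder URL
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# Strip spaces/newlines and upper-case a fingerprint so the form gpg prints
# and the form copied from a web page compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# A v4 OpenPGP fingerprint is exactly 40 hex digits. Anything shorter (a key
# id) is rejected, since short ids are easy to collide on purpose.
valid_fpr() {
    n="$(normalize_fpr "$1")"
    case "$n" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#n}" -eq 40 ]
}

# Print the primary-key fingerprint found in a key file without importing it
# into the default keyring (gpg >= 2.1 colon-separated output).
key_fpr_in_file() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Refuse to go on unless the key file holds exactly the expected key.
check_key() {
    if ! valid_fpr "$EXPECTED_FPR"; then
        echo "EXPECTED_FPR is not a 40-hex-digit fingerprint" >&2
        return 1
    fi
    actual="$(key_fpr_in_file "$KEY_FILE")"
    if [ "$(normalize_fpr "$actual")" != "$(normalize_fpr "$EXPECTED_FPR")" ]; then
        echo "key fingerprint mismatch: got '${actual:-none}'" >&2
        return 1
    fi
}

# Bundle install: flatpak checks the bundle's embedded signature against the
# key in KEY_FILE instead of trusting whatever the mirror delivered.
install_bundle() {
    flatpak install --bundle --gpg-file="$KEY_FILE" "$BUNDLE"
}

# Repo route: add the signed remote with the same pinned key, so later
# 'flatpak update' runs are verified against it too.
add_remote() {
    flatpak remote-add --if-not-exists --gpg-import="$KEY_FILE" "$REMOTE_NAME" "$REMOTE_URL"
}

main() {
    check_key
    case "${1:-bundle}" in
        bundle) install_bundle ;;
        remote) add_remote ;;
        *) echo "usage: $0 run [bundle|remote]" >&2; return 2 ;;
    esac
}

# Only touch gpg/flatpak when explicitly asked, so the checks above can be
# exercised on a machine without either tool installed.
if [ "${1:-}" = "run" ]; then
    shift
    main "$@"
fi
```

Usage: set EXPECTED_FPR from a trusted source, then `sh install-lo.sh run bundle` for a downloaded .flatpak, or `sh install-lo.sh run remote` to register the signed repository. The fingerprint check runs before either flatpak command, so a substituted key file fails closed rather than "verifying" a tampered bundle against the attacker's own key.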

#2 Updated by A B about 1 year ago

Stephan Bergmann wrote:

The LibreOffice.flatpak (as well as the LO flatpak repo) is signed with the usual TDF key. If you download that key from a keyserver, you can call 'flatpak install --bundle ...' with an additional --gpg-file=... option to check the content against that key during installation.

And where can I find this key file? Can you please add that to the download instructions?

By the way, why doesn't the flatpak bundle install GNOME dependencies?

#3 Updated by Stephan Bergmann about 1 year ago

A B wrote:

And where can I find this key file? Can you please add that to the download instructions?

Can somebody from Release Engineering or Infra please do that? I have no idea where or how to obtain the public key for the TDF code signing key.

By the way, why doesn't the flatpak bundle install GNOME dependencies?

Sorry, I don't understand that question. (And better take that side discussion somewhere else, <http://www.libreoffice.org/community/developers/> "Talk to developers" section has useful links; I'm sberg on IRC.)

#4 Updated by Florian Effenberger about 1 year ago

Cloph could help here (and Mike probably update the DL page), poked Cloph on #libreoffice-dev
