Task #2025
openPlease sign flatpak packages
0%
Description
Currently, when installing the flatpak package from https://www.libreoffice.org/download/flatpak/ , you'll be downloading an unsigned binary from a HTTP mirror of downloads.documentfoundation.org. This is insecure because it is easy to man-in-the-middle-attack.
I suggest shipping a public key in the wiki instead and adding the LibreOffice flatpak repo via command line. The package should be installed through flatpak too, so there is no error-prone download of a 150MB binary through the browser.
PS: Just in case I am reporting this at a wrong place, please feel free to move it to where it belongs.
Updated by Stephan Bergmann about 8 years ago
The LibreOffice.flatpak (as well as the LO flatpak repo) is signed with the usual TDF key. If you download that key from a keyserver, you can call 'flatpak install --bundle ...' with an additional --gpg-file=... option to check the content against that key during installation. Independently, the repo information that flatpak extracts from the 'flatpak install --bundle ...' step (so you can e.g. do a 'flatpak update ...' later) contains the relevant key information, the same way as if you explicitly added the repo with 'flatpak remote-add --gpg-import=... ...'.
Updated by A B about 8 years ago
Stephan Bergmann wrote:
The LibreOffice.flatpak (as well as the LO flatpak repo) is signed with the usual TDF key. If you download that key from a keyserver, you can call 'flatpak install --bundle ...' with an additional --gpg-file=... option to check the content against that key during installation.
And where can I find this key file? Can you please add that to the download instructions?
By the way, why doesn't the flatpak bundle install GNOME dependencies?
Updated by Stephan Bergmann about 8 years ago
A B wrote:
And where can I find this key file? Can you please add that to the download instructions?
Can somebody from Release Engineering or Infra please do that? I have no idea where or how to obtain the public key for the TDF code signing key.
By the way, why doesn't the flatpak bundle install GNOME dependencies?
Sorry, I don't understand that question. (And better take that side discussion somewhere else, <http://www.libreoffice.org/community/developers/> "Talk to developers" section has useful links; I'm sberg on IRC.)
Updated by Florian Effenberger about 8 years ago
Cloph could help here (and Mike probably update the DL page), poked
Cloph on #libreoffice-dev