Task #2025
open
Please sign flatpak packages
Added by A B over 8 years ago.
Updated about 8 years ago.
Description
Currently, when installing the flatpak package from https://www.libreoffice.org/download/flatpak/ , you'll be downloading an unsigned binary from a HTTP mirror of downloads.documentfoundation.org. This is insecure because it is easy to man-in-the-middle attack.
I suggest shipping a public key in the wiki instead and adding the LibreOffice flatpak repo via command line. The package should be installed through flatpak too, so there is no error-prone download of a 150MB binary through the browser.
PS: Just in case I am reporting this at a wrong place, please feel free to move it to where it belongs.
The LibreOffice.flatpak (as well as the LO flatpak repo) is signed with the usual TDF key. If you download that key from a keyserver, you can call 'flatpak install --bundle ...' with an additional --gpg-file=... option to check the content against that key during installation. Independently, the repo information that flatpak extracts from the 'flatpak install --bundle ...' step (so you can e.g. do a 'flatpak update ...' later) contains the relevant key information, the same way as if you explicitly added the repo with 'flatpak remote-add --gpg-import=... ...'.
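The two comments above (the request to ship a public key and add the repo from the command line, and the reply describing `--gpg-file` and `--gpg-import`) together describe one procedure. The script below is an added example, not code from this tracker, from TDF or from the LibreOffice project. It fetches the signing key from a keyserver, refuses to proceed unless the key's fingerprint matches a value obtained out of band, and only then hands the key to flatpak. KEY_ID, EXPECTED_FPR, KEYSERVER and REPO_URL are placeholders and must be replaced with values taken from TDF's own pages; the sample `gpg --with-colons` output embedded in the script is constructed for testing the parser and describes no real key.

```shell
#!/bin/sh
# Added example: not code from the TDF tracker or from the LibreOffice
# project. Fetch the signing key, pin its fingerprint against a value
# obtained out of band, then let flatpak verify the bundle (and repo).
#
# Assumptions (labelled): KEY_ID, EXPECTED_FPR, KEYSERVER and REPO_URL are
# placeholders; the real values must come from TDF's own pages, never from
# this script or from the keyserver itself.

KEY_ID="${KEY_ID:-REPLACE_WITH_TDF_KEY_ID}"                   # placeholder
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_TDF_FINGERPRINT}"  # placeholder, 40 hex digits
KEYSERVER="${KEYSERVER:-hkps://keys.openpgp.org}"             # example keyserver
KEYFILE="${KEYFILE:-tdf-signing-key.asc}"
BUNDLE="${BUNDLE:-LibreOffice.flatpak}"
REPO_URL="${REPO_URL:-}"                                      # placeholder; optional

# Constructed sample of `gpg --with-colons --fingerprint` output, used only
# to exercise the parsing below; the key it describes does not exist.
SAMPLE_COLONS='pub:u:4096:1:89ABCDEF01234567:1400000000::::::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF89ABCDEF01234567:
uid:u::::1400000000::0000000000000000000000000000000000000000::Example Signer <signer@example.org>::::::::::0:'

# Pull the primary-key fingerprint out of colon-format gpg output
# (record type "fpr", field 10). Reads stdin; the first fingerprint wins.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare two fingerprints ignoring spacing and case.
# Exit status 0 on match; an empty fingerprint never matches.
fingerprint_matches() {
    _a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    _b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$_a" ] && [ "$_a" = "$_b" ]
}

# Fetch the key from the keyserver. Keyservers do not authenticate keys,
# so this step alone proves nothing; verify_fingerprint is the check.
fetch_key() {
    gpg --keyserver "$KEYSERVER" --recv-keys "$KEY_ID"
}

# Refuse to continue unless the key now in the keyring has the pinned
# fingerprint, then export it in the armoured form flatpak accepts.
verify_fingerprint() {
    _actual=$(gpg --with-colons --fingerprint "$KEY_ID" | fpr_from_colons)
    if ! fingerprint_matches "$EXPECTED_FPR" "$_actual"; then
        echo "fingerprint mismatch: expected $EXPECTED_FPR, got '$_actual'" >&2
        return 1
    fi
    gpg --armor --export "$KEY_ID" > "$KEYFILE"
}

# Install the bundle with its signature checked against the pinned key.
# Without --gpg-file, flatpak does not check the bundle against a key
# you have pinned, which is what the report above complains about.
install_bundle() {
    flatpak install --bundle --gpg-file="$KEYFILE" "$BUNDLE"
}

# Optional: add the repo explicitly so that later `flatpak update` runs
# are verified against the same key (REPO_URL is a placeholder).
add_repo() {
    [ -n "$REPO_URL" ] || return 0
    flatpak remote-add --if-not-exists --gpg-import="$KEYFILE" libreoffice "$REPO_URL"
}

main() {
    fetch_key && verify_fingerprint && install_bundle && add_repo
}

# The network and flatpak steps run only when asked for explicitly, e.g.
#   KEY_ID='...' EXPECTED_FPR='...' sh lo-flatpak-verify.sh --run
case "${1-}" in
    --run) main ;;
esac
```

The transport (HTTP mirror or not) stops mattering once the bundle is checked against a key whose fingerprint was pinned from a source other than the keyserver; a keyserver only stores keys, it does not vouch for them, so the fingerprint comparison in verify_fingerprint is the step that actually defeats a man-in-the-middle, and the script deliberately fails closed there.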
Stephan Bergmann wrote:
The LibreOffice.flatpak (as well as the LO flatpak repo) is signed with the usual TDF key. If you download that key from a keyserver, you can call 'flatpak install --bundle ...' with an additional --gpg-file=... option to check the content against that key during installation.
And where can I find this key file? Can you please add that to the download instructions?
By the way, why doesn't the flatpak bundle install GNOME dependencies?
A B wrote:
And where can I find this key file? Can you please add that to the download instructions?
Can somebody from Release Engineering or Infra please do that? I have no idea where or how to obtain the public key for the TDF code signing key.
By the way, why doesn't the flatpak bundle install GNOME dependencies?
Sorry, I don't understand that question. (And better take that side discussion somewhere else, <http://www.libreoffice.org/community/developers/> "Talk to developers" section has useful links; I'm sberg on IRC.)
Cloph could help here (and Mike probably update the DL page), poked Cloph on #libreoffice-dev