Mozilla, for example, would sign Firefox’s flatpak with a PGP key that they would disclose on their website. You verify the signature using the RSA algorithm (or any other algorithm for digital signatures. There are a bunch.) Or, you could just trust that your connection wasn’t tampered the first time, then you would have the public key, and it would verify each time that the package came from that same person. Currently, you have to trust every time that your connection isn’t tampered.
Major flatpak providers (Flathub at the very least) would include their PGP public key in the flatpak software repo, and operating system vendors would distribute that key in the flatpak infrastructure for their operating system, which itself is signed by the operating system’s key.
What would they sign it with? How do you verify the signature?
F-Droid seems to manage it just fine. It’s even got reproducible builds.
Mozilla, for example, would sign Firefox’s flatpak with a PGP key that they would disclose on their website. You verify the signature using the RSA algorithm (or any other algorithm for digital signatures. There are a bunch.) Or, you could just trust that your connection wasn’t tampered the first time, then you would have the public key, and it would verify each time that the package came from that same person. Currently, you have to trust every time that your connection isn’t tampered.
Major flatpak providers (Flathub at the very least) would include their PGP public key in the flatpak software repo, and operating system vendors would distribute that key in the flatpak infrastructure for their operating system, which itself is signed by the operating system’s key.
Wouldn’t it make more sense then for them to simply host the Flatpak themselves? I kind of thought that was the whole idea of Flatpak.
deleted by creator
deleted by creator