Mozilla, for example, would sign Firefox’s flatpak with a PGP key that they would disclose on their website. You verify the signature using the RSA algorithm (or any other algorithm for digital signatures. There are a bunch.) Or, you could just trust that your connection wasn’t tampered the first time, then you would have the public key, and it would verify each time that the package came from that same person. Currently, you have to trust every time that your connection isn’t tampered.
Major flatpak providers (Flathub at the very least) would include their PGP public key in the flatpak software repo, and operating system vendors would distribute that key in the flatpak infrastructure for their operating system, which itself is signed by the operating system’s key.
Best to do both, really, so a record of using a consistent public key is created.
Then supply chain attacks might be noticed. If someone manages to replace the file on the webserver but can’t get to the signing key you’ve prevented the attack.
Mozilla, for example, would sign Firefox’s flatpak with a PGP key that they would disclose on their website. You verify the signature using the RSA algorithm (or any other algorithm for digital signatures. There are a bunch.) Or, you could just trust that your connection wasn’t tampered the first time, then you would have the public key, and it would verify each time that the package came from that same person. Currently, you have to trust every time that your connection isn’t tampered.
Major flatpak providers (Flathub at the very least) would include their PGP public key in the flatpak software repo, and operating system vendors would distribute that key in the flatpak infrastructure for their operating system, which itself is signed by the operating system’s key.
Wouldn’t it make more sense then for them to simply host the Flatpak themselves? I kind of thought that was the whole idea of Flatpak.
Best to do both, really, so a record of using a consistent public key is created.
Then supply chain attacks might be noticed. If someone manages to replace the file on the webserver but can’t get to the signing key you’ve prevented the attack.