• delirious_owl
    9 months ago

    Your claim that package payloads are signed is bullshit. Back it up by citing your sources

    • AProfessional@lemmy.world
      9 months ago
      > ostree show flathub:runtime/org.kde.Platform/x86_64/6.6
      commit a7443e846cf67d007fcecda5c9dc27844001cfb8929064395cfc25c6d71d9474
      Parent:  23107550082daf3b2892a4a0db2543838578ca882340a756b988bc5c1614540c
      ContentChecksum:  607ba9475d32a24c51509bc7919f5a93d401f8f7198c30ad93ad74051d966c41
      Date:  2024-01-30 13:55:08 +0000
      
          build of org.kde.Sdk, Tue Jan 30 11:23:00 UTC 2024 (5998d2f3ef21414d14f066ab91fa44e5aef65b90)
      
          Name: org.kde.Platform
          Arch: x86_64
          Branch: 6.6
          Built with: Flatpak 1.14.4
      
      Found 1 signature:
      
        Signature made Tue 30 Jan 2024 12:21:18 PM CST using RSA key ID 562702E9E3ED7EE8
        Good signature from "Flathub Repo Signing Key <flathub@flathub.org>"
        Primary key ID 4184DD4D907A7CAE
        Key expires Mon 14 Jun 2027 08:19:40 AM CDT
        Primary key expires Mon 14 Jun 2027 08:18:56 AM CDT
      
      • delirious_owl
        9 months ago

        And what happens if I mitm you and you get something unsigned? Does it ignore it and proceed?

        This is why I'm asking for the docs that describe the security
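
The fail-closed behaviour asked about in the last comment, as an added example that is not part of the thread and not ostree or Flatpak code: a check that reads a report in the `ostree show` format quoted above and accepts the commit only when it carries a good signature from a pinned key. The function names, the pinning policy and the fallback to the signing key ID when no "Primary key ID" line is present are assumptions of this example; it says nothing about what ostree or Flatpak themselves do with unsigned data.

```python
import re

# Pinned primary key ID, copied from the `ostree show` output quoted in the thread.
PINNED_PRIMARY_KEY = "4184DD4D907A7CAE"

# Constructed sample: trimmed copy of the output quoted in the thread.
SIGNED = """\
commit a7443e846cf67d007fcecda5c9dc27844001cfb8929064395cfc25c6d71d9474
ContentChecksum:  607ba9475d32a24c51509bc7919f5a93d401f8f7198c30ad93ad74051d966c41

Found 1 signature:

  Signature made Tue 30 Jan 2024 12:21:18 PM CST using RSA key ID 562702E9E3ED7EE8
  Good signature from "Flathub Repo Signing Key <flathub@flathub.org>"
  Primary key ID 4184DD4D907A7CAE
"""

# Constructed sample: the same report with the signature section stripped.
UNSIGNED = SIGNED.split("Found 1 signature:")[0]


def parse_signatures(text):
    """Return one dict per 'Signature made' block found in the report."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Signature made .* key ID ([0-9A-F]{16})$", line)
        if m:
            sigs.append({"key_id": m.group(1), "good": False, "primary": None})
        elif sigs and line.startswith("Good signature from "):
            sigs[-1]["good"] = True
        elif sigs and (m := re.match(r"Primary key ID ([0-9A-F]{16})$", line)):
            sigs[-1]["primary"] = m.group(1)
    return sigs


def accept_commit(text, pinned=PINNED_PRIMARY_KEY):
    """Fail closed: no signature, a bad one, or an unpinned key all reject."""
    return any(
        s["good"] and (s["primary"] or s["key_id"]) == pinned
        for s in parse_signatures(text)
    )


if __name__ == "__main__":
    print("signed report accepted:  ", accept_commit(SIGNED))
    print("unsigned report accepted:", accept_commit(UNSIGNED))
```

Scraping human-readable output is only suitable for illustration or auditing; the point shown is the policy that a missing signature is treated the same as a bad one.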