• AProfessional@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            9 months ago

            There is no such thing as a “package”. It is a repository of binary data with references to data in it (ala git). The whole repo and all data is gpg signed.

            • delirious_owl
              link
              fedilink
              arrow-up
              1
              arrow-down
              1
              ·
              edit-2
              9 months ago

              Your claim that package payloads are signed is bullshit. Back it up by citing your sources

              • AProfessional@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                9 months ago
                > ostree show flathub:runtime/org.kde.Platform/x86_64/6.6
                commit a7443e846cf67d007fcecda5c9dc27844001cfb8929064395cfc25c6d71d9474
                Parent:  23107550082daf3b2892a4a0db2543838578ca882340a756b988bc5c1614540c
                ContentChecksum:  607ba9475d32a24c51509bc7919f5a93d401f8f7198c30ad93ad74051d966c41
                Date:  2024-01-30 13:55:08 +0000
                
                    build of org.kde.Sdk, Tue Jan 30 11:23:00 UTC 2024 (5998d2f3ef21414d14f066ab91fa44e5aef65b90)
                
                    Name: org.kde.Platform
                    Arch: x86_64
                    Branch: 6.6
                    Built with: Flatpak 1.14.4
                
                Found 1 signature:
                
                  Signature made Tue 30 Jan 2024 12:21:18 PM CST using RSA key ID 562702E9E3ED7EE8
                  Good signature from "Flathub Repo Signing Key <flathub@flathub.org>"
                  Primary key ID 4184DD4D907A7CAE
                  Key expires Mon 14 Jun 2027 08:19:40 AM CDT
                  Primary key expires Mon 14 Jun 2027 08:18:56 AM CDT
                
                • delirious_owl
                  link
                  fedilink
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  9 months ago

                  And what happens if I mitm you and you get something unsigned? Does it ignore it and proceed?

                  This is why in asking for the docs that describe the security