Does flatpak enforce cryptographic authentication and integrity validation by default for all packages? (fedora)

Question

Does the flatpak package manager in Fedora-based systems require successful cryptographic authentication and integrity validation for all packages?

I know that software downloaded with apt-get packages must be cryptographically verified because the repo's manifest files (synced with apt-get update) are cryptographically signed.

But what about flatpak?

Do Operating Systems with flatpak require valid signatures from a pinned set of keys on all packages by default?

This seems to be about flatpak with flathub. Please correct me if it's not using flathub. I asked about it here: github.com/flathub/flathub/issues/1498 which was closed unresolved (however with links to issues which are similar and still open). — mYnDstrEAm
– mYnDstrEAm, Commented Feb 3, 2022 at 23:48

Michael Altfield · Accepted Answer · 2023-06-24 18:25:36Z

No. As of 2023, flatpak does not provide cryptographic authentication on any of the packages it downloads.

This was originally submitted as a feature request in 2015, but the devs either don't understand the security risk or they don't care enough about security to implement it.

https://github.com/flatpak/flatpak-builder/issues/435

Stack Exchange Network

Does flatpak enforce cryptographic authentication and integrity validation by default for all packages? (fedora)

1 Answer 1

You must log in to answer this question.

Linked

Hot Network Questions

Does flatpak enforce cryptographic authentication and integrity validation by default for all packages? (fedora)

1 Answer 1

You must log in to answer this question.

Linked

Related

Hot Network Questions