wrapper script around Flatpak is vulnerable to man-in-the-middle attacks
Submitted by Simon McVittie (@smcv). Assigned to Thibault Saunier (@thiblahute).
Description
http://wiki.pitivi.org/wiki/Install_with_flatpak recommends running the script https://git.gnome.org/browse/pitivi/plain/build/flatpak/pitivi-flatpak. Unfortunately, that script configures Flatpak to be insecure: it uses http: URLs to download the GNOME SDK and Pitivi, and specifically disables GPG key verification.
The script should use https: to download the GNOME SDK and Pitivi: both https://sdk.gnome.org and https://people.freedesktop.org work fine. It should also download the GNOME SDK's GPG key from https://sdk.gnome.org/keys/gnome-sdk.gpg and use that to add the GNOME SDK repository, as described at http://flatpak.org/#users.
Ideally, the Pitivi repository should also be signed by a GPG key, which would be downloaded via https by the script when the repository is first added. This would mean that none of the Flatpak invocations need to disable GPG verification.
The GPG key used to sign the repository does not need to be anyone's personal key: it can be a "role" key like the ones used for the GNOME SDK Flatpak repository, the Debian and Ubuntu apt repositories, and other apt repositories such as PPAs. It does not *need* to be reachable by the Web of Trust, but ideally it would also be signed by one or more well-known Pitivi developers, in the same way that the official Debian and Ubuntu apt archive keys have signatures from prominent Debian and Ubuntu developers.
(There are many other software distribution mechanisms with a cryptographic key as a trust root; apt just happens to be the one I'm most familiar with.)
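The two fixes the report asks for, as an added example that is not the pitivi-flatpak script itself: a small audit that flags the weak pattern (plain http: URLs and --no-gpg-verify) in a wrapper script, and a generator for the hardened form, which fetches the signing key over https and passes it to flatpak remote-add --gpg-import so no later invocation has to turn verification off. The sample scripts are constructed for the example; the remote names, the key file names and the https://sdk.gnome.org/repo/ path are assumptions, and the Pitivi repository path is left as a placeholder because the issue does not state one.

```shell
#!/bin/sh
# Added example, not the Pitivi project's wrapper script.
# Assumptions: remote names "gnome"/"pitivi", the key file names and the
# https://sdk.gnome.org/repo/ path are illustrative; the samples below are
# constructed for this example and are not the real pitivi-flatpak script.

# audit_flatpak_script FILE: print each offending line, return 1 if any found.
audit_flatpak_script() {
    file="$1"
    rc=0
    # A plain-http URL lets an on-path attacker hand the client a different
    # repository or a different key than the one the script meant to trust.
    if grep -nE 'http://[^[:space:]]+' "$file"; then
        echo "FAIL: plain-http URL(s) above in $file" >&2
        rc=1
    fi
    # --no-gpg-verify trusts whatever the transport delivered, signed or not.
    if grep -nF -- '--no-gpg-verify' "$file"; then
        echo "FAIL: GPG verification disabled above in $file" >&2
        rc=1
    fi
    return $rc
}

# hardened_remote_add NAME REPO_URL KEY_URL KEYFILE: emit the commands that
# add a remote over https with its signing key imported, so "flatpak install"
# from that remote runs with signature checks left on. Refuses http: URLs.
hardened_remote_add() {
    name="$1"; repo="$2"; key_url="$3"; keyfile="$4"
    for u in "$repo" "$key_url"; do
        case "$u" in
            http://*) echo "refusing plain-http URL for remote $name: $u" >&2; return 1 ;;
        esac
    done
    printf 'curl -fsSL -o %s %s\n' "$keyfile" "$key_url"
    printf 'flatpak remote-add --user --if-not-exists --gpg-import=%s %s %s\n' \
        "$keyfile" "$name" "$repo"
}

# Constructed sample of the pattern the issue objects to (hypothetical paths).
INSECURE_SAMPLE='flatpak remote-add --user --no-gpg-verify gnome http://sdk.gnome.org/repo/
flatpak remote-add --user --no-gpg-verify pitivi http://people.freedesktop.org/PLACEHOLDER/repo/
flatpak install --user gnome org.gnome.Sdk'

main() {
    tmp=$(mktemp -d)
    printf '%s\n' "$INSECURE_SAMPLE" > "$tmp/insecure.sh"
    hardened_remote_add gnome https://sdk.gnome.org/repo/ \
        https://sdk.gnome.org/keys/gnome-sdk.gpg "$tmp/gnome-sdk.gpg" > "$tmp/hardened.sh"
    echo "== insecure sample"
    audit_flatpak_script "$tmp/insecure.sh" || echo "(findings, as expected)"
    echo "== hardened sample"
    audit_flatpak_script "$tmp/hardened.sh" && echo "clean"
    echo "== hardened commands"
    cat "$tmp/hardened.sh"
    rm -rf "$tmp"
}
main "$@"
```

The Pitivi remote would be added with the same hardened_remote_add call once its repository is signed: a role key served over https from people.freedesktop.org, fetched once when the remote is first added, and imported with --gpg-import. The audit is deliberately text-based so it can run in CI against the wrapper script before it is published, without touching a Flatpak installation.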