I have read the Flatpak docs and GPG signing the app is mentioned during the
build process, but I would like to clarify a few security questions.
When a user downloads a Flatpak app from a remote like Flathub, which
signing keys are verified? Is there a single signing key for all Flathub
(or other remote) apps, or are the Flatpak app builders/developers in
control by signing their apps individually (and the Flatpak application
verifies the developer keys)?
In other words, if I download Brave from Flathub, can I be
cryptographically sure that it came from the Brave developers, or could
Flathub MITM the software distribution by turning into a malicious actor
or through a hacking attack?
Personally I would say that the process should include signing by the
developers so that Flathub cannot act as a malicious entity, and at the
same time Flathub signs the developer keys to whitelist them and reduce
phishing attacks. This would be the perfect signing infrastructure as I
understand it. Is that how it is?
Thanks for your time. If you don’t understand my question, please ask again.