Is the Flatpak version produced securely?

lars · October 6, 2022, 10:27pm

The offered Firefox snap uses only HTTPS to secure the download of Firefox itself and its parts. At least I found this snapcraft.yaml proving it:

github.com

canonical/firefox-snap/blob/stable/snapcraft.yaml

name: firefox
version: "105.0.2-1"
summary: Mozilla Firefox web browser
description:  Firefox is a powerful, extensible web browser with support for modern web application technologies.
confinement: strict
grade: stable
base: core20
assumes:
  - snapd2.54 # for mount-control
compression: lzo

apps:
  firefox:
    command: firefox.launcher
    desktop: firefox.desktop
    extensions: [gnome-3-38]
    environment:
      DICPATH: "$SNAP_COMMON/snap-hunspell"
      GTK_USE_PORTAL: 1
      HOME: "$SNAP_USER_COMMON"

This file has been truncated. show original

Due to recent attacks against HTTPS by changing network routes and creating new trusted certificates for official domains [1], HTTPS alone is not trustworthy anymore.

Is there a check of SHA512SUMS in the official Flatpak build? I couldn’t find any build recipe for Flatpak to check. I would be grateful for any link to the official build server and build recipe. Thanks!

[1] https://medium.com/s2wblog/post-mortem-of-klayswap-incident-through-bgp-hijacking-en-3ed7e33de600