Feature request: Verify upstream GPG signature #29
Labels
enhancement
New feature or request
Comments
|
Actually, doing this is a bit more complex than I thought so I posted a forum thread here with some suggestions. |
|
Hi - this isn't really relevant anymore, since we're building the application from source, so you're able to check exactly what's being built. Closing for now, thank you! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Looking at the
Snapcraft.yamlfile, it doesn't look like there's any verification going on here for the fetched.debfile. For a security-focused application (or really any application) I think it would be a good idea if we verify the deb package as it gets pulled into the Snap build.Does it make sense to include a
gpg --verifystep in theoverride-build:section?Signing keys: https://updates.signal.org/desktop/apt/keys.asc
The text was updated successfully, but these errors were encountered: