Closed achow101 closed 2 months ago
How is the token ee5fdbb1-f509-427a-abf7-812f247d883b generated or verified? I can't seem to find a reference to it on https://flathub.org/apps/org.bitcoincore.bitcoin-qt
Unfortunately only the package admins can see it.
Code review ACK
I have too little insight into flatpak's build process to Concept ACK this, as we don't build the flatpak as part of a guix build (no idea if this is even possible); I'm hesitant to call it the same diligence as our normal releases.
Essentially this just changes the badge on the flathub site from "Unverified" to "Verified". https://docs.flathub.org/docs/for-app-authors/verification/ is some info about verification.
The config files for doing the flatpak releases are at https://github.com/flathub/org.bitcoincore.bitcoin-qt. It essentially just wraps the published guix builds and every update does require setting the hash to the new tarball.
Thanks. Okay, I see, makes sense, that it just wraps our release binary.
Showing the verified badge makes sense, could distinguish it from backdoored copies.
ACK f3ba3a5fd42c4bd338c0b87fd558dbdadf60356e
This still shows as unverified: https://flathub.org/apps/org.bitcoincore.bitcoin-qt. Maybe it'll change on the next version bump.
Shows verified now, there was another button I needed to click.
We publish releases on flathub. Apps published on Flathub can be verified to be published by the actual developers by placing a token on the project website. We should do this so that our releases on flathub show as verified.
Closes: https://github.com/flathub/org.bitcoincore.bitcoin-qt/issues/26.