Flatpak: Cannot install things from system-level gpg-unsecured repos

Created on 14 Sep 2017  路  5Comments  路  Source: flatpak/flatpak 
$ flatpak version
Flatpak 0.9.12

$ flatpak remote-add --no-gpg-verify test_staging https://foo/bar

$ flatpak install test_staging com.foo.apps.Platform/x86_64/1
Installing: com.foo.apps.Platform/x86_64/1 from test_staging
error: Can't pull from untrusted non-gpg verified remote
picture sgnn7

Most helpful comment

You can, but only with sudo.

picture alexlarsson on 14 Sep 2017
🎉1 👍1

All 5 comments

You can, but only with sudo.

alexlarsson picture alexlarsson on 14 Sep 2017
🎉1 👍1

i.e. sudo flatpak install test_staging com.foo.apps.Platform/x86_64/1 should work.

alexlarsson picture alexlarsson on 14 Sep 2017

@alexlarsson Hmm.. fair enough but why does adding a remote pops up the sudo dialog box but this doesn't then? At the very least (imo) the error is misleading.

sgnn7 picture sgnn7 on 14 Sep 2017

We use policy-kit to allow the sysadmin the possibility to install from a pre-defined remote while authenticating as the user, not root. However, we really can only do this safely if there is some way to guarantee that the data the user feeds to the system is actually from said remore. If there is no gpg signatures then the user could download whatever he wants and claim they were from that remote.

When you sudo though, the actual download happens as root, and we're to some degree certain that things are from that remote.

alexlarsson picture alexlarsson on 18 Sep 2017

Could the error message be changed to give a hint that one needs to run the command as root?

Alexander-Wilms picture Alexander-Wilms on 31 Aug 2018
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ghost picture ghost  路  4Comments
alex285 picture alex285  路  4Comments
peteruithoven picture peteruithoven  路  3Comments
soredake picture soredake  路  3Comments
LaurentBonnaud picture LaurentBonnaud  路  6Comments