• JustAnotherRando@lemmy.world
    link
    fedilink
    arrow-up
    4
    ·
    edit-2
    5 months ago

    Is the token not keyed to a specific source? I would have expected it to operate similarly to an SSL cert, where part of the verification process is that the source is the correct origin that the token belongs to - so if someone just lifted a valid cert to put into a malicious one, it would catch anything from changing a single character in the project name to changing the repository host (i.e. GitHub to GitLab)

    • biribiri11@lemmy.ml
      link
      fedilink
      arrow-up
      8
      ·
      5 months ago

      Afaik yes, the token is keyed to a specific source in the case of verifying through a website, but from what I can tell, that doesn’t stop someone else from creating a separate malicious website (or git repo) that looks similar but contains malware, and publishing that as a verified app with a similar name as the real app to flathub (so there would be multiple versions of an app, with only 1 being the “real” one on flathub).