News
There are now GPG signatures available for DEB and RPM packages. This should allow users to verify the origin of packages. This should also fix a warning displayed by some Linux software stores, such as KDE Discover.
Packages are signed automatically on GitHub Actions by the GPG key F17A EF1C 8C47 5B51 B5F3 03C6 912A D9BE 47FE B404, available on Ubuntu Keyserver and Packagecloud. This is a PWAsForFirefox-specific subkey of my main GPG key 7440 07D7 10DD C8E2 0673 F545 2D15 DC76 BD6B 710C, available on Ubuntu Keyserver and GitHub.
Signing for DEB packages is done using debsigs and may be verified using debsig-verify. Signing for RPM packages is done using rpm --addsign and may be verified using rpm --checksig.
Repository metadata are still signed by packagecloud.io.
As a reminder, MSI and RPM packages are signed with a code signing certificate provided by the SignPath Foundation, and all built artifacts are attested using GitHub Artifact Attestations.
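Before trusting a downloaded key for debsig-verify or rpm --checksig, its fingerprints can be pinned against the two published above. The following is an added example, not part of PWAsForFirefox: the function names and the sample key listing are constructed, and it assumes the signing key appears as a subkey of the main key in gpg's colon-delimited listing.

```shell
#!/bin/sh
# Fingerprints as published in the release note (spaces removed).
PRIMARY_FPR=744007D710DDC8E20673F5452D15DC76BD6B710C
SIGNING_FPR=F17AEF1C8C475B51B5F303C6912AD9BE47FEB404

# Reads a `gpg --with-colons` key listing on stdin, for example from
#   gpg --show-keys --with-colons --with-subkey-fingerprint key.asc
# Succeeds only if the signing fingerprint is a subkey of the expected
# primary key and that subkey is not marked revoked (r) or expired (e).
# Field 10 of an "fpr" record is the fingerprint; the "fpr" record after
# "pub" belongs to the primary key, the one after each "sub" to a subkey.
signing_key_is_pinned() {
    awk -F: -v primary="$PRIMARY_FPR" -v signing="$SIGNING_FPR" '
        $1 == "pub" { kind = "pub"; current = ""; next }
        $1 == "sub" { kind = "sub"; usable = ($2 != "r" && $2 != "e"); next }
        $1 == "fpr" && kind == "pub" { current = toupper($10); kind = ""; next }
        $1 == "fpr" && kind == "sub" {
            if (toupper($10) == signing && current == primary && usable)
                found = 1
            kind = ""
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample listing (sizes, dates and user ID are made up; only the
# two fingerprints come from the release note).
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:2D15DC76BD6B710C:1600000000:::-:::scESC:
fpr:::::::::744007D710DDC8E20673F5452D15DC76BD6B710C:
uid:-::::1600000000::::Constructed User <user@example.invalid>:
sub:-:4096:1:912AD9BE47FEB404:1700000000::::::s:
fpr:::::::::F17AEF1C8C475B51B5F303C6912AD9BE47FEB404:
EOF
}

if sample_listing | signing_key_is_pinned; then
    echo "signing subkey is bound to the expected primary key"
else
    echo "fingerprint mismatch: do not trust this key" >&2
fi
```

A key that passes this check still has to be imported into the keyring that debsig-verify or rpm actually consults before the package signature itself can be checked.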
Added
- Signatures for DEB and RPM packages have been added (#645).
- Support for runtime installation on ARM has been added.
Changed
- Improved security of GitHub workflows.
- Changed GURU ebuild to use crates tarball.
- Updated translations.
- Updated dependencies.