API Keys and secrets about flathub HOT 11 OPEN

flathub commented on May 25, 2024
API Keys and secrets

from flathub.

Comments (11)

razzeee commented on May 25, 2024 2

The plan is to finish this in January.

nedrichards commented on May 25, 2024 1

I don't think that'd make a measurable difference, but it could be a strategy to obscure if needed. @ramcq suggested:

> could we provision a flathub worker gpg key, which is copied onto each worker and could decrypt stuff which you encrypt to that key? and it can be copied over to the worker from the master

Which would be a longer term solution. For now, I'll just put the key in the manifest and revoke it if there are issues.

bilelmoussaoui commented on May 25, 2024 1

We need something like this for the future FeedReader in order to build the Feedly plugin. Currently, we use some env vars defined in the manifest that we replace with the ones defined on GitLab CI.
I think the best way to resolve this is to have the possibility to define env variables in flathub.org/ and be able to use them in the manifest.

TingPing commented on May 25, 2024 1

I'm still not sure what this accomplishes. Users will always be able to pull the key out of feedreader. So in the end this is just obfuscation to stop crawlers which can be done any way you want.

jangernert commented on May 25, 2024 1

Well, it's the difference between leaving the door unlocked and open and having a spare key somewhere hidden in the yard.

I'm about to release a first beta of NewsFlash and was hoping this would by now be possible.
The problem with the Feedly API secret is that Feedly is extremely strict about handing them out. For now I am using one that could be found in the code of an old Sailfish OS application. But ideally I want to apply for a unique secret.
For FeedReader, where the secret is simply in the code, my application got denied. Granted, for unspecified reasons. But not leaking the secret in a too obvious way is for sure part of getting one.

So my only option if I still want to apply to get a secret is to have a non-working Feedly backend in the Flathub build.

Edit: in the GitLab CI pipeline we use two environment variables that can only be accessed by members of the project. That seems to work well for us so far.

TingPing commented on May 25, 2024

If you just want to stop web crawlers finding it maybe store it in the manifest encoded in like base64 and decode it as part of the build process?

TingPing commented on May 25, 2024

Well once the key is in the application the user can always extract it...

The only value I can think of is, as I said, avoiding scrapers on GitHub, and I don't think we need actual encryption to do that.

GustavoPeredo commented on May 25, 2024

Any updates on this issue?

Maybe implement something similar to GitHub's Actions?

razzeee commented on May 25, 2024

This will be mitigated by allowing external builds.

gdesmott commented on May 25, 2024

I'd need this as well for Karapulse's Spotify application key.

gdesmott commented on May 25, 2024

> in the gitlab CI pipeline we use two environment variables that can only be accessed by members of the project. That seems to work well for us so far.

The GitLab solution also takes care of censoring the secrets from the build logs, so they don't accidentally appear there.

from flathub.
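
The log censoring mentioned in the last comment, sketched as an added example that is not part of the thread and is not Flathub's or GitLab's code: a build-log filter that masks a secret environment variable in its raw form and in the base64 form suggested earlier in the thread. The variable names, the sample values, the log lines and the 8-character minimum are assumptions made for the example.

```python
from __future__ import annotations
import base64
import re
from urllib.parse import quote

MIN_LEN = 8  # assumption: shorter values are skipped so ordinary words stay readable

def variants(secret: str) -> set[str]:
    """Forms in which one secret commonly reaches build output."""
    raw = secret.encode()
    forms = {
        secret,
        base64.b64encode(raw).decode(),
        base64.urlsafe_b64encode(raw).decode(),
        quote(secret, safe=""),
    }
    forms |= {f.rstrip("=") for f in forms}  # unpadded base64
    return {f for f in forms if len(f) >= MIN_LEN}

def build_masker(env: dict[str, str], secret_names: list[str]):
    """Return a function that replaces every known form with a placeholder."""
    table = {}
    for name in secret_names:
        value = env.get(name, "")
        if len(value) >= MIN_LEN:
            for form in variants(value):
                table[form] = f"[MASKED:{name}]"
    if not table:
        return lambda line: line
    # Longest first, so padded base64 is not left with a dangling "=".
    ordered = sorted(table, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(f) for f in ordered))
    return lambda line: pattern.sub(lambda m: table[m.group(0)], line)

def mask_log(env, secret_names, lines):
    masker = build_masker(env, secret_names)
    return [masker(line) for line in lines]

# Constructed sample: variable names, values and log lines are made up.
SAMPLE_ENV = {"FEEDLY_CLIENT_SECRET": "s3cr3t-Example-Value", "BUILD_ARCH": "x86_64"}
ENCODED = base64.b64encode(SAMPLE_ENV["FEEDLY_CLIENT_SECRET"].encode()).decode()
SAMPLE_LOG = [
    "+ ./configure --feedly-secret=s3cr3t-Example-Value",
    f"+ echo {ENCODED} | base64 -d > secret.txt",
    "Compiling for x86_64",
]

if __name__ == "__main__":
    print("\n".join(mask_log(SAMPLE_ENV, ["FEEDLY_CLIENT_SECRET"], SAMPLE_LOG)))
```

A filter like this only keeps the value out of logs; it does nothing for a secret that ends up inside the shipped application.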
