Are wallets listed on distribution channels like flatpak safe?

[Forsyth Jones]

Flatpak is a distribution channel frequently used by Linux users, I preferably download apps from this package, in short, it's usually safer, as it supports installations without root privileges, this way.

However, when it comes to Bitcoin wallets, I always download them from the official website, for example: electrum.org, and install them via terminal and always check the signatures. However, as you can see in the image, electrum is available to be downloaded from Linux app store integrations, such as discover via flatpak, but both Electrum, Bitcoin Core and other wallets do not list or provide a redirect link to download the application via flathub, probably these flatpak packages are maintained by the community, but not officially endorsed or maintained by the original developers.

The great advantage of downloading apps via flatpak, snap, ppa, etc. is that I don't need to worry about updates, whenever there are updates, the system itself notifies me that updates are available and I can update in a few clicks. This practically doesn't exist in Windows, there are software that have automatic update checking, such as electrum, trezor suite, etc. but this was much worse a few years ago in windows' history, this concern doesn't exist in Linux (unless you install .deb or appimage packages, but even so, it is common for some apps to provide automatic update checking). I love Linux because of this.

The purpose of this post is: how can we be sure that these wallet apps like Electrum, Bitcoin core provided there are the same binary signed by the same project development team (hash, pgp signature) as the official website of these Apps? The same question applies to any software on any Linux distribution via Flatpak, snap, etc.

I haven't yet found reports that they are not official apps or that they are phishing apps, malware and that someone has been robbed. That's already a good sign.

Forgive me if I'm ignorant on this subject, I generally only use Linux to interact with Bitcoin.

[BitMaxz]

For me, since the official site never mentions any links from Flatpak, it is still not safe to use. Like on Electrum, they have a discussion about this under the issue tab. The link from Flatpak is not officially linked on electrum.org; it was developed or maintained by someone.
Right now it is a legit verification with Thomas V's signature, but how about in the future?

We can't be sure how safe the source is if it's not officially announced by devs, so this is not safe for me.

I got the discussion here: https://github.com/spesmilo/electrum/issues/5017
And Electrum on Flatpak was maintained by A6GibKm which is not the official developer of Electrum.

[PX-Z]

Stuffs like crypto wallets especially if open source or closed source should be downloaded from official sources instead any distribution services regardless if the platform is safe or not. There are many instances of hack for open source wallet before and people should take note about that.

[ABCbits]

Short answer: It depends.
Longer answer:
You should check whether the app on Flatpak (or any app disribution method) is actually published by developer of the app. In past, Snap was filled with many fake wallet that change how Canocical handle app on Snap[1]. I strongly recommend you to double check even when the app have verified badge[2]. In addition, you also need to trust the server used to host the app.

[1] https://arstechnica.com/information-technology/2024/03/ubuntu-will-manually-review-snap-store-after-crypto-wallet-scams/
[2] https://docs.flathub.org/docs/for-users/verification

[Mia Chloe]

~snip

Flatpak actually kinda makes app installation and updates easy but the fact is when it comes to Bitcoin wallets like Electrum or Bitcoin Core it’s way safer to stick with downloads from their official websites. Most Flatpak or Snap versions are community maintained and sometimes may not be built or signed by the original developers so you may not be able to verify them with the project’s PGP signatures.

Flatpak is fine for regular apps if you ask me but for wallets that hold your coins I prefer you use the official download and verify its signature.

[Forsyth Jones]

Short answer: It depends.
Longer answer:
You should check whether the app on Flatpak (or any app disribution method) is actually published by developer of the app. In past, Snap was filled with many fake wallet that change how Canocical handle app on Snap[1]. I strongly recommend you to double check even when the app have verified badge[2]. In addition, you also need to trust the server used to host the app.

[1] https://arstechnica.com/information-technology/2024/03/ubuntu-will-manually-review-snap-store-after-crypto-wallet-scams/
[2] https://docs.flathub.org/docs/for-users/verification

Now that you've mentioned it, I remembered the case of the phishing Exodus case, I have even started a thread about it. In any case, it's best to continue downloading from the official website and verifying the signatures.

Flatpak actually kinda makes app installation and updates easy but the fact is when it comes to Bitcoin wallets like Electrum or Bitcoin Core it’s way safer to stick with downloads from their official websites. Most Flatpak or Snap versions are community maintained and sometimes may not be built or signed by the original developers so you may not be able to verify them with the project’s PGP signatures.

Flatpak is fine for regular apps if you ask me but for wallets that hold your coins I prefer you use the official download and verify its signature.

That makes total sense, I think the same way. I admit that the ease of installing wallets with just a few clicks is tempting, although that's easy on Windows, in some cases it's not for Linux where it involves terminal. However, it's useless if there's no security.

I hope that day comes.

[Mia Chloe]

That makes total sense, I think the same way. I admit that the ease of installing wallets with just a few clicks is tempting, although that's easy on Windows, in some cases it's not for Linux where it involves terminal. However, it's useless if there's no security.
I hope that day comes.

Yes and it's part of the reasons why most people run away from Linux even if it's an open source software which ought to actually be safer than its closed source counterpart which is popularly windows. many people will prefer a fancy UI/UX  to terminals and code.

Aside from that very fee people actually verify the keys to those wallets after downloading them which is another reason why their website is usually a better choice since Risks are way lower there.

[dkbit98]

Flatpak wallet apps can often be older version compared to latest version from official wallet websites.
I would prefer installing latest AppImages, like we can see on Electrum wallet website or on Trezor Suite website.
Some Linux distros even have preinstalled wallets,so always check that first before installing new wallets.

[ABCbits]

Flatpak wallet apps can often be older version compared to latest version from official wallet websites.
I would prefer installing latest AppImages, like we can see on Electrum wallet website or on Trezor Suite website.
Some Linux distros even have preinstalled wallets,so always check that first before installing new wallets.

FWIW, i expect Bitcoin/crypto wallet on linux distro repository also outdated. My statement also applies even if you use "rolling release" distro such as Arch Linux, where it still provide Bitcoin Core 28.0[1].

[1] https://archlinux.org/packages/extra/x86_64/bitcoin/

[Forsyth Jones]

FWIW, i expect Bitcoin/crypto wallet on linux distro repository also outdated. My statement also applies even if you use "rolling release" distro such as Arch Linux, where it still provide Bitcoin Core 28.0[1].

[1] https://archlinux.org/packages/extra/x86_64/bitcoin/

This is another problem, but my distro (Kubuntu) displays the latest version (only the Flatpak version).

For Flatpak: v30.0
For Snap: 29.0

Short answer: It depends.
Longer answer:
You should check whether the app on Flatpak (or any app disribution method) is actually published by developer of the app. In past, Snap was filled with many fake wallet that change how Canocical handle app on Snap[1]. I strongly recommend you to double check even when the app have verified badge[2]. In addition, you also need to trust the server used to host the app.

[1] https://arstechnica.com/information-technology/2024/03/ubuntu-will-manually-review-snap-store-after-crypto-wallet-scams/
[2] https://docs.flathub.org/docs/for-users/verification

For a long time I've only downloaded Bitcoin Core via the .tgz package (Linux), it's easier to verify. Before I downloaded via PPA from the bitcoincore website, but it's only available via SNAP now.

Some Linux distros show whether the Snap or Flatpak package has been verified by the distro; I think I haven't seen this in Ubuntu/Kubuntu etc.

A good alternative would be for these repositories to also make the .deb and .appimage files available. This way, we could verify the binary in the same way we do when downloading from the official website. If the binary is signed with the same pgp key, then we know the package is legitimate.

[ABCbits]

FWIW, i expect Bitcoin/crypto wallet on linux distro repository also outdated. My statement also applies even if you use "rolling release" distro such as Arch Linux, where it still provide Bitcoin Core 28.0[1].

[1] https://archlinux.org/packages/extra/x86_64/bitcoin/

This is another problem, but my distro (Kubuntu) displays the latest version (only the Flatpak version).

For Flatpak: v30.0
For Snap: 29.0

Flatpak and Snap across many linux distro usually use same default source/server. Flathub (for Flatpak) and Snap Store (for Snap).

--snip--
A good alternative would be for these repositories to also make the .deb and .appimage files available. This way, we could verify the binary in the same way we do when downloading from the official website. If the binary is signed with the same pgp key, then we know the package is legitimate.

Snap and Flatpak have it's own packaging and runtime system. So i don't think they can just provide .deb or .appimage.

[Cricktor]

I would only trust a flatpak, snap, deb or rpm package when it came from the wallet devs themselves and has been signed with their GPG key (or similar verifiable and secured signatures/checksums).

Community packages (of wallets) might be OK now, after you verified them (question remains how easy this actually is), but there's the attack vector that this could change in the future without your notice. If some individual maintains a wallet flatpak (or similar other automatically updated package formats), you trust their ability to secure their Flathub account and have a secure packaging environment and are not compromised otherwise. How are you sure this individual earned such a trust level?

It feels quite reckless to me to use non-original dev's packages of wallets or other software on devices that operate crypto wallets when you can't easily verify their integrity.

[AakZaki]

This is what I fear most when downloading a wallet, because it involves the security of my assets. I never use anything from third parties except the original source.
For the sake of caution, I always take this into consideration because a wallet is closely tied to private keys, can access the internet, frequently receives updates and can even become a target for hackers. This combination is what makes me always careful when downloading a wallet that will be used longterm.

[Cricktor]

I wouldn't put longterm storage and a hot, means online, software-only wallet into the same bucket. This is in my opinion clearly the wrong approach.

Use a decent hardware wallet or a persistantly offline cold wallet setup to protect your private keys. Always, without any exception, check every detail of a transaction before you sign it to be broadcasted.

[NotATether]

No wallet anywhere is safe to use except for the ones which are open-source, have a link to their repository, and have some sort of GPG or checksum of the flatpak or other binary/archive that you can verify to see that the code is actually from the authors.

Even that is not going to stop you from falling for random clone wallets laced with phishing code, so it's best that you don't use any software that you don't recognize.