Add Flathub verification token

Open achow101 opened this issue 2 years ago • 5 comments

We publish releases on flathub. Apps published on Flathub can be verified to be published by the actual developers by placing a token on the project website. We should do this so that our releases on flathub show as verified.

achow101 avatar Jun 02 '23 19:06 achow101

How is the token ee5fdbb1-f509-427a-abf7-812f247d883b generated or verified? I can't seem to find a reference to it on https://flathub.org/apps/org.bitcoincore.bitcoin-qt

stickies-v avatar Jan 16 '24 12:01 stickies-v

Unfortunately only the package admins can see it.

achow101 avatar Jan 16 '24 16:01 achow101

Code review ACK

I have too little insight into flatpak's build process to Concept ACK this. As we don't build the flatpak as part of a guix build (no idea if this is even possible), I'm hesitant to call it the same diligence as our normal releases.

laanwj avatar Apr 17 '24 04:04 laanwj

Essentially this just changes the badge on the flathub site from "Unverified" to "Verified". https://docs.flathub.org/docs/for-app-authors/verification/ is some info about verification.

The config files for doing the flatpak releases are at https://github.com/flathub/org.bitcoincore.bitcoin-qt. It essentially just wraps the published guix builds and every update does require setting the hash to the new tarball.

achow101 avatar Apr 17 '24 14:04 achow101

Thanks. Okay, I see, makes sense, that it just wraps our release binary.

Showing the verified badge makes sense, could distinguish it from backdoored copies.

ACK f3ba3a5fd42c4bd338c0b87fd558dbdadf60356e

laanwj avatar Apr 17 '24 15:04 laanwj

This still shows as unverified: https://flathub.org/apps/org.bitcoincore.bitcoin-qt. Maybe it'll change on the next version bump.

fanquake avatar Aug 12 '24 08:08 fanquake

Shows verified now, there was another button I needed to click.

achow101 avatar Aug 13 '24 14:08 achow101