Implement automatic domain validation for custom (non-GitHub) reverse-domain names

[aral]

Problem

Currently, we can only manually verify that a custom reverse domain (e.g, org.small_tech. instead of com.github.small-tech) actually belongs to the person submitting an app. This, naturally, does not scale.

For previous discussion, see https://elementarycommunity.slack.com/archives/C3RE9P4F2/p1636626775257100

Proposal

For custom reverse domain names, we can ask people to add a .well-known file to their site (see RFC 5785; https://datatracker.ietf.org/doc/html/rfc5785).

We can then automatically check if it exists.

e.g., If the app’s identifier is org.small_tech.comet we send a GET request to https://small-tech.org/.well-known/elementary-appcenter/comet and accept a 200 response as domain verification.

To make it official, we can include, say, elementary-appcenter in the IANA Well-Known URIs registry (https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml) by opening an issue here: https://github.com/protocol-registries/well-known-uris/issues

If going down this route, it would probably be a good security idea to also check https://small-tech.org/.well-known/https://github.com/protocol-registries/well-known-uris/issues before the actual URL and make sure we get a 404 to ensure that the web server is not incorrectly configured to return 200 status code results for paths that should be 404 . (See protocol-registries/well-known-uris#13)

Prior Art (Optional)

None that I know of.

To be fair, I’m not entirely sure we need to check. (I mean, for example, Apple doesn’t.)

In the unlikely event that someone uses someone else’s domain as part of their identifier and we get a complaint, we could act on the infringing app at that point.

Basically, if we absolutely want to check, this is the way to do it.

But perhaps the right question to ask is: do we even need to check?

To which, I would say no.