
AppImageUpdate*.AppImage not signed

Open edmundlaugasson opened this issue 5 years ago • 6 comments

AppImageUpdate-x86_64.AppImage details:

Fetching release information for tag "continuous" from GitHub API.
Updating from GitHub Releases via ZSync
zsync2: /home/user/.local/bin/AppImageUpdate-x86_64.AppImage found, using as seed file
zsync2: Target file: /home/user/.local/bin/AppImageUpdate-x86_64.AppImage
zsync2: Reading seed file: /home/user/.local/bin/AppImageUpdate-x86_64.AppImage
zsync2: Usable data from seed files: 100,000000%
zsync2: Renaming temp file
zsync2: Fetching remaining blocks
zsync2: Verifying downloaded file
zsync2: checksum matches OK
zsync2: used 26046464 local, fetched 0

appimageupdatetool-x86_64.AppImage details:

zsync2: Target file: /home/user/.local/bin/appimageupdatetool-x86_64.AppImage
zsync2: Reading seed file: /home/user/.local/bin/appimageupdatetool-x86_64.AppImage
zsync2: Usable data from seed files: 100,000000%
zsync2: Renaming temp file
zsync2: Fetching remaining blocks
zsync2: Verifying downloaded file
zsync2: checksum matches OK
zsync2: used 3072000 local, fetched 0

edmundlaugasson avatar Oct 24 '20 19:10 edmundlaugasson

I'm having the same problem

kemelzaidan avatar Oct 30 '20 19:10 kemelzaidan

Yes it would look better if the tool updater was signed ;)

(Apart from that, I see several other programs show the same problem)

Morganlej avatar Jan 04 '22 01:01 Morganlej

Still not signed.

max-321 avatar Oct 25 '23 09:10 max-321

Pull requests are welcome. This is a community based project entirely driven by volunteers (you).

probonopd avatar Oct 28 '23 09:10 probonopd

I believe that signing the AppImage file requires getting access to the author's GPG key and making it available for downloaders to verify it, which contributors can't do, unless they have access to the private keys: https://docs.appimage.org/packaging-guide/optional/signatures.html

kemelzaidan avatar Oct 31 '23 15:10 kemelzaidan
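The situation kemelzaidan describes (signature and the author's public key travel inside the AppImage itself, in the ELF sections `.sha256_sig` and `.sig_key` that appimagetool reserves) is easy to check locally, which is how a downloader can tell a signed AppImage from an unsigned one like the ones reported above. The following is an added example and not code from the AppImageUpdate project: a pure-Python ELF64 section reader that reports whether those two sections are present and non-empty, plus the digest the detached signature covers. It assumes, following AppImageKit's validate logic as I understand it, that the signed digest is the SHA-256 of the whole file with the `.sha256_sig` and `.sig_key` sections zero-filled. `build_elf`, `FAKE_SIG` and `FAKE_KEY` are constructed fixtures so the example runs offline; on a real AppImage you would pass the file's bytes instead.

```python
import hashlib
import struct
from typing import Dict, Tuple

ELF_MAGIC = b"\x7fELF"
# Sections appimagetool reserves for an embedded signature and its public key.
SIG_SECTIONS = (".sha256_sig", ".sig_key")


def section_table(data: bytes) -> Dict[str, Tuple[int, int]]:
    """Map section name -> (file offset, size) for a 64-bit little-endian ELF."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF file")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    if e_shnum == 0:
        return {}
    hdrs = []
    for i in range(e_shnum):
        # Elf64_Shdr prefix: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
        sh_name, _t, _f, _a, sh_offset, sh_size = struct.unpack_from(
            "<IIQQQQ", data, e_shoff + i * e_shentsize)
        hdrs.append((sh_name, sh_offset, sh_size))
    str_off, str_size = hdrs[e_shstrndx][1:]
    strtab = data[str_off:str_off + str_size]
    table = {}
    for sh_name, sh_offset, sh_size in hdrs:
        name = strtab[sh_name:strtab.index(b"\0", sh_name)].decode("ascii")
        table[name] = (sh_offset, sh_size)
    return table


def signature_status(data: bytes) -> Dict[str, bool]:
    """Per-section presence of a non-empty payload, plus an overall 'signed' verdict."""
    table = section_table(data)
    status = {}
    for name in SIG_SECTIONS:
        off, size = table.get(name, (0, 0))
        # A reserved but zero-filled section means "prepared for signing, never signed".
        status[name] = name in table and bool(data[off:off + size].strip(b"\0"))
    status["signed"] = status[".sha256_sig"] and status[".sig_key"]
    return status


def signed_digest(data: bytes) -> str:
    """Assumed signed digest: SHA-256 of the file with both signature sections zero-filled."""
    buf = bytearray(data)
    for name, (off, size) in section_table(data).items():
        if name in SIG_SECTIONS:
            buf[off:off + size] = bytes(size)
    return hashlib.sha256(buf).hexdigest()


def build_elf(sections: Dict[str, bytes]) -> bytes:
    """Constructed fixture: a minimal ELF64 shell carrying the given sections (not a real AppImage)."""
    names = [""] + list(sections) + [".shstrtab"]
    shstr, name_off = b"", {}
    for n in names:
        name_off[n] = len(shstr)
        shstr += n.encode("ascii") + b"\0"
    blobs = dict(sections, **{".shstrtab": shstr})
    body, offsets = b"", {}
    for n in names[1:]:
        offsets[n] = 64 + len(body)  # section data starts right after the 64-byte header
        body += blobs[n]
    shoff = 64 + len(body)
    shdrs = bytes(64)  # mandatory null section header at index 0
    for n in names[1:]:
        sh_type = 3 if n == ".shstrtab" else 1  # SHT_STRTAB / SHT_PROGBITS
        shdrs += struct.pack("<IIQQQQIIQQ", name_off[n], sh_type, 0, 0,
                             offsets[n], len(blobs[n]), 0, 0, 1, 0)
    ehdr = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0, shoff, 0, 64, 0, 0,
                        64, len(names), len(names) - 1)
    return ehdr + body + shdrs


# Constructed placeholders standing in for ASCII-armoured GPG material.
FAKE_SIG = b"-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n"
FAKE_KEY = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(placeholder)\n-----END PGP PUBLIC KEY BLOCK-----\n"


def demo() -> Dict[str, bool]:
    code = {".text": b"\x90" * 16}
    signed = build_elf({**code, ".sha256_sig": FAKE_SIG, ".sig_key": FAKE_KEY})
    reserved = build_elf({**code, ".sha256_sig": bytes(len(FAKE_SIG)),
                          ".sig_key": bytes(len(FAKE_KEY))})
    unsigned = build_elf(code)
    return {
        "signed_file": signature_status(signed)["signed"],
        "reserved_only": signature_status(reserved)["signed"],
        "no_sections": signature_status(unsigned)["signed"],
        # Filling in the signature must not change what the signature covers.
        "digest_stable": signed_digest(signed) == signed_digest(reserved),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real use: python appimage_sig.py ./Some.AppImage
        blob = open(sys.argv[1], "rb").read()
        print(signature_status(blob), signed_digest(blob))
    else:
        print(demo())
```

The actual cryptographic check is not done here: once `.sig_key` and `.sha256_sig` are extracted, the public key is imported and the detached signature is handed to gpg together with the digest, which is the step that requires the author's key to be published somewhere the downloader already trusts. What the script does give a defender is a cheap fleet-wide triage: a file whose sections are absent or zero-filled, as in the reports above, was never signed, whatever its download page says.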

If this is going to use GPG, you probably needn't bother. I've heard stats such as about 2% of people verify a GPG-signed piece of software. It's far too unwieldy and you get an assurance of limited value, given most of the time you have no way of confirming that a given key corresponds to a given person.

It might be more useful to use the sigstore / cosign approach. Verifying an AppImage could then be a single step: $ cosign verify <AppImage URI> [email protected] --certificate-oidc-issuer=https://accounts.example.com

axelsimon avatar Feb 21 '24 09:02 axelsimon