
AppImageUpdate*.AppImage not signed #158

Open
edmundlaugasson opened this issue Oct 24, 2020 · 6 comments

Comments

@edmundlaugasson

AppImageUpdate-x86_64.AppImage
[screenshot]
Details:

Fetching release information for tag "continuous" from GitHub API.
Updating from GitHub Releases via ZSync
zsync2: /home/user/.local/bin/AppImageUpdate-x86_64.AppImage found, using as seed file
zsync2: Target file: /home/user/.local/bin/AppImageUpdate-x86_64.AppImage
zsync2: Reading seed file: /home/user/.local/bin/AppImageUpdate-x86_64.AppImage
zsync2: Usable data from seed files: 100,000000%
zsync2: Renaming temp file
zsync2: Fetching remaining blocks
zsync2: Verifying downloaded file
zsync2: checksum matches OK
zsync2: used 26046464 local, fetched 0

appimageupdatetool-x86_64.AppImage
[screenshot]
Details:

zsync2: Target file: /home/user/.local/bin/appimageupdatetool-x86_64.AppImage
zsync2: Reading seed file: /home/user/.local/bin/appimageupdatetool-x86_64.AppImage
zsync2: Usable data from seed files: 100,000000%
zsync2: Renaming temp file
zsync2: Fetching remaining blocks
zsync2: Verifying downloaded file
zsync2: checksum matches OK
zsync2: used 3072000 local, fetched 0

@kemelzaidan

I'm having the same problem

@Morganlej

Yes, it would look better if the tool updater was signed ;)

(Apart from that, I see several other programs show the same problem.)

@max-321

max-321 commented Oct 25, 2023

Still not signed.

@probonopd
Member

Pull requests are welcome. This is a community based project entirely driven by volunteers (you).

@kemelzaidan

I believe that signing the AppImage file requires getting access to the author's GPG key and making it available for downloaders to verify it, which contributors can't do unless they have access to the private keys: https://docs.appimage.org/packaging-guide/optional/signatures.html
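
A way to check for the embedded signature discussed in the comment above, added here as an example and not code from this issue or from the AppImage project. It parses the ELF section headers at the head of a type-2 AppImage and looks for the `.sha256_sig` and `.sig_key` sections that the AppImageKit runtime uses for the GPG signature and public key (treat those names and the zero-filled-when-unsigned layout as assumptions taken from the linked guide and the runtime). The sample images at the bottom are constructed inside the script, so it runs offline; a signature being present is not the same as it verifying against a key you trust.

```python
import struct
import sys

# Section names the AppImageKit runtime reserves for an embedded GPG
# signature and public key (assumption taken from the AppImage docs).
SIG_SECTION = ".sha256_sig"
KEY_SECTION = ".sig_key"


def elf64_sections(data: bytes) -> dict:
    """Map section name -> raw section bytes for a little-endian ELF64 image.

    Only the section header table and the section-name string table are
    parsed; that is enough to locate the AppImage signature sections.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    # e_shoff (8 bytes) sits at 0x28; e_shentsize/e_shnum/e_shstrndx at 0x3A.
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    if e_shoff == 0 or e_shnum == 0:
        raise ValueError("ELF image has no section header table")
    headers = []
    for i in range(e_shnum):
        sh_name, sh_type, _flags, _addr, sh_offset, sh_size = struct.unpack_from(
            "<IIQQQQ", data, e_shoff + i * e_shentsize
        )
        headers.append((sh_name, sh_type, sh_offset, sh_size))
    _, _, str_off, str_size = headers[e_shstrndx]
    strtab = data[str_off : str_off + str_size]
    sections = {}
    for sh_name, sh_type, sh_offset, sh_size in headers:
        name = strtab[sh_name : strtab.index(b"\x00", sh_name)].decode("ascii")
        # SHT_NOBITS (8) sections such as .bss occupy no bytes in the file.
        sections[name] = b"" if sh_type == 8 else data[sh_offset : sh_offset + sh_size]
    return sections


def signature_status(data: bytes) -> str:
    """Classify an AppImage as 'signed', 'signed-no-embedded-key' or 'unsigned'.

    The runtime reserves zero-filled signature/key sections before any signing
    happens (assumption), so an all-zero section counts the same as a missing one.
    Presence of a signature is not verification: the caller still has to check
    it against a trusted key.
    """
    sections = elf64_sections(data)
    sig = sections.get(SIG_SECTION, b"").rstrip(b"\x00")
    key = sections.get(KEY_SECTION, b"").rstrip(b"\x00")
    if not sig:
        return "unsigned"
    if not key:
        return "signed-no-embedded-key"
    return "signed"


def build_elf64(sections: dict) -> bytes:
    """Build a minimal little-endian ELF64 image carrying the given sections.

    Exists only to construct offline sample input for the checker; the
    result is not a runnable executable.
    """
    order = list(sections) + [".shstrtab"]
    shstrtab, name_off = b"\x00", {}
    for name in order:
        name_off[name] = len(shstrtab)
        shstrtab += name.encode("ascii") + b"\x00"
    body, layout = b"", []
    for name in order:
        payload = shstrtab if name == ".shstrtab" else sections[name]
        layout.append((name, 64 + len(body), len(payload)))
        body += payload
    e_shoff, e_shnum = 64 + len(body), len(order) + 1  # +1 for the null header
    header = bytearray(b"\x7fELF\x02\x01\x01" + b"\x00" * 9)  # e_ident
    header += struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, e_shoff, 0, 64, 0, 0, 64, e_shnum, e_shnum - 1
    )
    shdrs = b"\x00" * 64  # mandatory null section header at index 0
    for name, off, size in layout:
        sh_type = 3 if name == ".shstrtab" else 1  # SHT_STRTAB / SHT_PROGBITS
        shdrs += struct.pack("<IIQQQQIIQQ", name_off[name], sh_type, 0, 0, off, size, 0, 0, 1, 0)
    return bytes(header) + body + shdrs


# Constructed sample images (not real AppImages). The payloads are placeholders
# shaped like the ASCII-armored signature and key a signing tool would embed.
_FAKE_SIG = b"-----BEGIN PGP SIGNATURE-----\n<constructed placeholder>\n-----END PGP SIGNATURE-----\n"
_FAKE_KEY = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n<constructed placeholder>\n-----END PGP PUBLIC KEY BLOCK-----\n"
_STUB_TEXT = b"\x90" * 16

SIGNED_SAMPLE = build_elf64({".text": _STUB_TEXT, SIG_SECTION: _FAKE_SIG.ljust(1024, b"\x00"),
                             KEY_SECTION: _FAKE_KEY.ljust(1024, b"\x00")})
UNSIGNED_SAMPLE = build_elf64({".text": _STUB_TEXT, SIG_SECTION: b"\x00" * 1024,
                               KEY_SECTION: b"\x00" * 1024})
NO_SIG_SECTIONS_SAMPLE = build_elf64({".text": _STUB_TEXT})

if __name__ == "__main__":
    # Usage: python appimage_sigcheck.py /path/to/Some.AppImage
    with open(sys.argv[1], "rb") as f:
        print(signature_status(f.read()))
```

Run it against a downloaded AppImage to get a quick "unsigned" / "signed" answer before deciding whether a full `gpg --verify` of the embedded signature is even possible; the ELF section table of the runtime is at the start of the file, so the check does not need to unpack the squashfs payload.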

@axelsimon

If this is going to use GPG, you probably needn't bother. I've heard stats such as about 2% of people verify a GPG-signed piece of software. It's far too unwieldy and you get an assurance of limited value, given most of the time you have no way of confirming that a given key corresponds to a given person.

It might be more useful to use the sigstore / cosign approach. Verifying an AppImage could then be a single step:
$ cosign verify <AppImage URI> --certificate-identity=name@example.com --certificate-oidc-issuer=https://accounts.example.com
