
Publish the validate tool binaries

Open azubieta opened this issue 4 years ago • 8 comments

There is a reference in the documentation to a tool called 'validate', but no links are provided, probably because there are no binaries.

This tool seems to be important for AppImage users who want to validate their downloads, therefore it may be a good idea to publish it.

azubieta avatar Apr 19 '20 20:04 azubieta

Unfortunately the validate tool was not updated when some changes were introduced to the signing mechanism, and as a result, it is currently in a non-functional state. This is very unfortunate and any improvements would be appreciated.

cc @TheAssassin

probonopd avatar Apr 23 '20 17:04 probonopd

At this point, maybe it would be easiest to add a "validate" verb to go-appimage (it already has the code for signing).

probonopd avatar Apr 23 '20 17:04 probonopd

Indeed, it would be better if it becomes part of go-appimage. Is there any ETA for go-appimage? I mean for it to be the default.

azubieta avatar Apr 23 '20 21:04 azubieta

Once we are reasonably confident in it...

probonopd avatar Apr 24 '20 20:04 probonopd

Hi! Do I understand correctly that currently there's no way to easily sign and validate AppImages? My use-case is pretty simple: I want to sign my published AppImages in my CI pipeline and I want to offer an easy and straightforward way for my users to verify it.

ba32107 avatar Oct 18 '20 06:10 ba32107

I think signing with https://github.com/AppImage/AppImageKit#appimagetool-usage -s works.

There is just currently no working validate binary, but tools like AppImageUpdate do verify signatures.

probonopd avatar Oct 19 '20 16:10 probonopd

Thanks - I guess it still makes sense to do the signatures, and at a later point I can include validation as well.

ba32107 avatar Oct 19 '20 19:10 ba32107

Edit: never mind, seems like installing gpg2 and using the code of https://github.com/AppImage/AppImageKit/pull/1090 fixed it :)

Edit2: I quickly packed together a Docker container that validates the signatures: https://github.com/Apfelwurm/appimagevalidate

Apfelwurm avatar Apr 11 '21 22:04 Apfelwurm

AppImageUpdate now provides a replacement for validate.c from this repository, implemented using the newly written validation code from its signing module. See https://github.com/AppImage/AppImageUpdate/releases/tag/continuous. This tool is significantly less error-prone and eliminates the redundancy/code duplication between both repositories.

https://github.com/AppImage/AppImageUpdate/releases/tag/continuous

Note that validation here is just limited to "is this signed correctly". The tool does not provide any feedback whether updates would succeed. We could extend the tool, though, since that code can be extracted from the updater class.

TheAssassin avatar Aug 17 '22 14:08 TheAssassin