
Automatically sign AppImages

Open do-you-dare opened this issue 5 years ago • 6 comments

It would be nice if linuxdeployqt could sign the AppImages, as can be done with appimagetool, as discussed on https://github.com/helio-fm/helio-workstation/pull/95.

I don't know how to do it, but I could give it a try with some directions

do-you-dare avatar Nov 07 '18 03:11 do-you-dare

linuxdeployqt internally uses appimagetool to convert AppDirs to AppImages. You can

  1. Run linuxdeployqt -bundle-non-qt-libs on your AppDir to bundle the libraries, then
  2. Run linuxdeployqt --appimage-extract to get appimagetool
  3. Run appimagetool -s ... on the AppDir prepared above

Does this make sense?

The proper thing to do is to implement -s in linuxdeployqt as well and pass its arguments through to appimagetool around here:

https://github.com/probonopd/linuxdeployqt/blob/8b3ded6a4ce66a88a48463caec92a7306e2d0069/tools/linuxdeployqt/shared.cpp#L1734

Do you want to make a pull request?

probonopd avatar Nov 07 '18 17:11 probonopd

Auto-signing using some key might leak information. Doing that by default is a really bad idea.

linuxdeploy's AppImage plugin provides a SIGN environment variable.

TheAssassin avatar Nov 07 '18 18:11 TheAssassin

No one said "auto".

probonopd avatar Nov 07 '18 19:11 probonopd

Your last statement implied that a bit. Anyway... just wanted to share this thought.

TheAssassin avatar Nov 07 '18 21:11 TheAssassin

I want to make a pull request! It might take some time, a week or two, maybe.

About testing, do you think adding a scenario where we generate a signed appimage and check whether it is signed is a reasonable test?

do-you-dare avatar Nov 10 '18 14:11 do-you-dare

Yes, I think that would be a reasonable test.

probonopd avatar Nov 10 '18 15:11 probonopd
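The three-step workaround probonopd outlines (bundle with linuxdeployqt, extract the bundled appimagetool, sign with appimagetool -s) and the "is the result actually signed?" check do-you-dare proposes for the test, written out as one script. This is an added example, not code from linuxdeployqt or from anyone in the thread. It assumes the linuxdeployqt AppImage is on PATH (or named in LINUXDEPLOYQT), that gpg holds the secret key whose ID is passed in SIGN_KEY, that binutils (readelf) is installed, and that appimagetool can be located inside the extracted squashfs-root tree with find rather than at a hard-coded path. The key is required explicitly rather than defaulting to whatever gpg would pick, which is the "auto-signing" concern TheAssassin raises.

```shell
#!/bin/sh
# Manual "bundle, then sign" pipeline for linuxdeployqt users.
# Added illustration, not part of linuxdeployqt. Assumes: linuxdeployqt
# AppImage on PATH (override with LINUXDEPLOYQT), a GPG secret key named
# in SIGN_KEY, and binutils (readelf) available.
set -eu

LINUXDEPLOYQT="${LINUXDEPLOYQT:-linuxdeployqt}"

# Refuse to sign with an unspecified key. Falling back to gpg's default key
# would sign with whatever happens to be on the build machine.
require_key() {
    if [ -z "${1:-}" ]; then
        echo "error: SIGN_KEY must name the GPG key to sign with" >&2
        return 1
    fi
}

# Step 1: bundle Qt and non-Qt libraries into the AppDir. No -appimage flag,
# so linuxdeployqt stops at the AppDir and leaves packaging to appimagetool.
bundle_appdir() {
    desktop_file="$1"
    "$LINUXDEPLOYQT" "$desktop_file" -bundle-non-qt-libs
}

# Step 2: linuxdeployqt is itself an AppImage that carries appimagetool;
# --appimage-extract unpacks it into ./squashfs-root. The binary's location
# inside that tree is an assumption, so it is searched for, not hard-coded.
extract_appimagetool() {
    "$LINUXDEPLOYQT" --appimage-extract >/dev/null
    tool="$(find squashfs-root -type f -name 'appimagetool*' | head -n 1)"
    if [ -z "$tool" ]; then
        echo "error: appimagetool not found under squashfs-root" >&2
        return 1
    fi
    chmod +x "$tool"
    printf '%s\n' "$tool"
}

# Step 3: build and sign. -s asks appimagetool to GPG-sign the AppImage and
# --sign-key pins the key instead of relying on gpg's default selection.
sign_appdir() {
    tool="$1" appdir="$2" key="$3" out="$4"
    "$tool" -s --sign-key "$key" "$appdir" "$out"
}

# The check for the proposed test: appimagetool embeds the armored detached
# signature in the ELF section .sha256_sig. The AppImage runtime reserves
# that section even in unsigned images, so its presence alone proves
# nothing; look for real signature text inside it.
appimage_is_signed() {
    f="$1"
    [ -f "$f" ] || return 1
    readelf -p .sha256_sig "$f" 2>/dev/null | grep -q 'BEGIN PGP SIGNATURE'
}

main() {
    desktop_file="$1" appdir="$2" out="$3"
    key="${SIGN_KEY:-}"
    require_key "$key"
    bundle_appdir "$desktop_file"
    tool="$(extract_appimagetool)"
    sign_appdir "$tool" "$appdir" "$key" "$out"
    if appimage_is_signed "$out"; then
        echo "signed: $out"
    else
        echo "error: $out carries no signature" >&2
        return 1
    fi
}

# Usage:
#   SIGN_KEY=<key id> ./sign-appimage.sh AppDir/usr/share/applications/app.desktop AppDir App.AppImage
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

appimage_is_signed only answers "does this file carry a signature", which is what the proposed test needs. Checking that the signature is valid for the file's contents requires recomputing the digest with the signature-bearing sections zeroed out, which is what AppImageKit's validate tool does; a plain gpg --verify on the whole file will not match.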