Appimage GPG Signature [Under investigation]

rew1red
edited August 18 in Linux Beta

Is a signature file available for AppImage releases? I've noticed all of the packaged versions (Debian, etc.) are signed with 3FEF9748469ADBE15DA7CA80AC2D62742012EA22, but there is currently no way to verify the integrity of the AppImage download.

I'd love to add signature checking to my PKGBUILD.



Comments

  • Mitch

    Team Member

    Hi @rew1red,

    Thanks for your interest in packaging 1Password. You're right that the AppImage should be signed like the others; I'll see what I can do.

    There are some other issues with the AppImage, e.g. lack of an update manifest, which may make it difficult for package maintainers to work with. I'm thinking a .tar.gz might be more suitable. Hoping to look into producing one this week.

    Mitch

  • Thanks for the response! Very appreciated.

  • MikeT Agile Samurai

    Team Member
    edited August 18

    On behalf of Mitch, you're welcome.

    ref: dev/core/core#2547

  • Mitch

    Team Member

    Hello @rew1red. I just wanted to update you that we are now signing the AppImage build of 1Password for Linux.

    You can download the signature by affixing .sig to the URL for the AppImage, e.g.

    Package: https://onepassword.s3.amazonaws.com/linux/appimage/1password-0.8.7-1.AppImage
    Signature: https://onepassword.s3.amazonaws.com/linux/appimage/1password-0.8.7-1.AppImage.sig

    And verify it as you would the other packages:

    $ gpg --keyserver keyserver.ubuntu.com --recv-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
    $ gpg --verify 1password-0.8.7-1.AppImage.sig 1password-0.8.7-1.AppImage
    

    Cheers,
    Mitch
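
`gpg --verify` exits 0 for a good signature made by any key in the local keyring, so an automated build should also confirm that the signer is the key named above. The script below is an added example, not code from 1Password or the AUR package: it checks gpg's machine-readable status output against the pinned fingerprint. The helper names are hypothetical and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): pin the signer when verifying the AppImage.
PINNED_FPR="3FEF9748469ADBE15DA7CA80AC2D62742012EA22"   # fingerprint quoted in the thread

# signer_is_pinned (hypothetical helper): reads `gpg --status-fd` lines on stdin.
# Succeeds only if a VALIDSIG line names the pinned key, either as the signing
# key (first field) or as its primary key (last field), and no line reports a
# bad, unverifiable, expired or revoked signature or key.
signer_is_pinned() {
    awk -v pin="$PINNED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && ($3 == pin || $NF == pin) { valid = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (valid && !bad) exit 0; exit 1 }'
}

# verify_appimage FILE (hypothetical wrapper): expects FILE.sig beside FILE.
verify_appimage() {
    status=$(gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | signer_is_pinned
}

# sample_status FPR: constructed status output for a good signature by key FPR.
sample_status() {
    printf '[GNUPG:] NEWSIG\n'
    printf '[GNUPG:] GOODSIG %s Constructed Signer <signer@example.invalid>\n' \
        "$(printf '%s' "$1" | cut -c25-40)"
    printf '[GNUPG:] VALIDSIG %s 2020-01-01 1577836800 0 4 0 1 8 00 %s\n' "$1" "$1"
}

# Run as: sh verify.sh 1password-0.8.7-1.AppImage
if [ "$#" -eq 1 ]; then
    verify_appimage "$1" && echo "OK: signed by $PINNED_FPR" || { echo "FAILED" >&2; exit 1; }
fi
```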

  • That's fantastic, thanks Mitch!

    The AUR PKGBUILD has been updated to actively verify your signatures on all releases.

  • holonyt
    edited September 22

    AUR build is still failing for me. Refreshed the databases. Still getting:

    ==> ERROR: One or more PGP signatures could not be verified!
    

    On Manjaro.

  • @holonyt you'll need to manually import the GPG key issued by Agilebits per their instructions. Some AUR helpers will do this for you, some won't. Try manually importing the key and then building once more:

    $ gpg --keyserver keyserver.ubuntu.com --recv-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
    
  • @rew1red That worked. Thanks so much!!!

  • Ben AWS Team

    Team Member

    Thanks for helping out @rew1red!

    Glad to hear that worked for you @holonyt. If you have any feedback about the app we'd love to hear it. :)

    Ben
