The future of AppImage: Type 2 and new tools

Developers
3

Coming along nicely.

Have added the type 2 image format to the spec draft.

In contrast to the earlier ISO9660-based AppImage format, the new type 2 format:

  • Is not tied to any particular filesystem format (so there might be others in the future); right now my implementation uses squashfs rather than ISO9660
  • Does not use a fixed offset to determine where the filesystem image starts, but specifies that the filesystem image starts right after the end of the ELF (however long it is). This means that the runtime does not need to fit into a predetermined amount of space, which is future-proof
  • Embeds update information in an ELF section inside the AppImage rather than at a predetermined, fixed offset
  • Allows for embedding a digital signature in an ELF section inside the AppImage rather than a .asc file next to the AppImage

Along with the capabilities of the new features comes a new set of tools that will eventually replace AppImageAssistant, AppImageExtract and friends.

appimagetool right now can:

  • Generate an AppImage from an AppDir
  • Automatically detect the architecture
  • Embed update information inside the AppImage
  • Calculate the update information string for Bintray repositories
  • Sign the AppImage with GPG and embed the signature inside the AppImage

validate right now can:

  • Check the digital signature inside an AppImage to ensure that the AppImage is coming from the original author and has not been tampered with

I am considering - let me know what you think:

  • Upload to Bintray
  • Integrate validate into AppImageUpdate

Type 2 AppImages have also learned quite a few new tricks:

  • --appimage-offset: Print the byte at which the squashfs filesystem begins, for mounting with -o loop,offset=...
  • --appimage-version: Print the version (git hash) of appimagetool which was used to generate this AppImage
  • --appimage-updateinformation: Display the update information that is embedded in the AppImage
  • --appimage-signature: Display the digital signature embedded in the AppImage
  • --appimage-mount: Only mount the AppImage without executing its payload
  • --appimage-extract: Only extract the AppImage without executing its payload
  • --appimage-icon: Only extract the icon of the AppImage without executing its payload

Note that these are not set in stone yet and are subject to change.

Want to try it out?

Generate a signed AppImage:

gpg2 --full-gen-key # Generate a signing key (once)
wget https://transfer.sh/mH0jk/appimagetool
chmod a+x ./appimagetool
./appimagetool ./XChat.AppDir --sign

Read the signature:

./XChat_IRC-x86_64.AppImage --appimage-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAABCAAGBQJX6CN9AAoJENBdKWeGw9/dsvoH/RgEggMiNTwgyA4io2Dyy1j1
6U3CQST9HVmh9PjeFKZCgFCZbHvpFz9mzhLTPlOAbczBnSmmbgqROINaLW+1tqEx
stOy67D3Z1cySzRTOhSkjiUOP5unmZL6QTNPxRHmuRkyihv7YfAlkrogXQlYbZ1h
Ilt6jU1b97GSPox/EE3Z002iZGJYQ3FfjAlp9o947goY5koA5KYqyzTCvEjhTk/L
wz1mFcjEkzHt9CaHZfrZCE3QVSBTq071wzsHCFHaJswPhA6iI0psCnFY56PPResi
uljTQr3nOBaqNyUgU3y4Tbd+36cwggSaTpGAzlhgNoalIwB1ltFSdPeRPe4Q3Qc=
=MR0w
-----END PGP SIGNATURE-----

Validate the signature:

wget https://transfer.sh/UQfeE/validate
chmod a+x ./validate
./validate ./XChat_IRC-x86_64.AppImage
(...)
gpg: Signature made Sun 25 Sep 2016 10:41:24 PM CEST using RSA key ID 86C3DFDD
gpg: Good signature from "Testkey" [ultimate]

Does it work for you?

Feedback is welcome!