So I have been running Linux for a bit now, but I am still not fully confident downloading “random” AppImages or .tar archives (I don’t even know how to run/compile the archives, but that is another problem lol) from Github or similar.

I try to verify the hashes or GPG signatures for all the programs but not every developer provides a latest.yml.

I recently noticed that Github sometimes shows a sha256 sum next to the files in the release tab, but not in every repo. Is this just a second layer, or is this a substitute for the latest.yml?

Is there something I am missing or should I not worry too much when using Appimages or Flatpaks because they are sandboxed anyways?
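A small verifier for the two digest styles the question mentions, added here as an example and not code from anyone in this thread: the hex SHA-256 Github shows beside a release asset, and a latest.yml manifest, assumed to be the electron-builder layout that stores each file's SHA-512 as base64 rather than hex. Passing either check only shows the file is the one the publisher hashed; the file name `tool-1.0.AppImage`, its contents and the manifest are constructed.

```python
import base64
import hashlib
import tempfile
from pathlib import Path

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        while chunk := fh.read(1 << 20):  # stream: an AppImage can be hundreds of MB
            h.update(chunk)
    return h.digest()

def check_sha256_hex(path, published_hex):
    """Hex digest as Github shows it beside an asset; case and whitespace ignored."""
    return file_digest(path, "sha256") == bytes.fromhex(published_hex.strip())

def manifest_sha512(manifest_text, filename):
    """Minimal reader for the 'files:' list of an electron-builder style latest.yml."""
    current = None  # assumed layout: '- url: NAME' followed by 'sha512: BASE64'
    for line in map(str.strip, manifest_text.splitlines()):
        if line.startswith("- url:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("sha512:") and current == filename:
            return line.split(":", 1)[1].strip()
    return None

def check_latest_yml(path, manifest_text):
    """A file missing from the manifest raises instead of passing; note base64, not hex."""
    b64 = manifest_sha512(manifest_text, Path(path).name)
    if b64 is None:
        raise LookupError(f"{Path(path).name} is not listed in latest.yml")
    want = base64.b64decode(b64, validate=True)
    if len(want) != 64:
        raise ValueError("sha512 field does not decode to a 64-byte digest")
    return file_digest(path, "sha512") == want

def demo():
    with tempfile.TemporaryDirectory() as d:
        good = Path(d, "tool-1.0.AppImage")
        good.write_bytes(b"constructed sample bytes, not a real AppImage\n")
        bad = Path(d, "mirror", good.name)  # same name, one byte appended
        bad.parent.mkdir()
        bad.write_bytes(good.read_bytes() + b"\x00")
        hex256 = hashlib.sha256(good.read_bytes()).hexdigest()
        b64_512 = base64.b64encode(hashlib.sha512(good.read_bytes()).digest()).decode()
        manifest = f"version: 1.0.0\nfiles:\n  - url: {good.name}\n    sha512: {b64_512}\n"
        return {"sha256_ok": check_sha256_hex(good, hex256.upper() + "\n"),
                "manifest_ok": check_latest_yml(good, manifest),
                "tampered_sha256": check_sha256_hex(bad, hex256),
                "tampered_manifest": check_latest_yml(bad, manifest)}
```

`demo()` returns True for both checks on the untouched file and False for the copy with one byte appended, the case a download mirror or an on-path tamperer would produce.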

  • anamethatisnt@sopuli.xyz · ↑16 · 9 days ago

    Personally I’m more against the concept of downloading random Appimages from github.
    Unless you’ve personally gone through the repository code and know that it is clean and safe, the hash tells you nothing of importance in that regard. It can be used to verify that the file is complete and didn’t get corrupted during the download, and it ensures that no MITM attack went through undetected.

    Flatpaks are at least isolated, and when you grab a popular package from Flathub one can hope there would be an outcry if it’s unsafe. AppImages by default get full access to the user’s /home.

    • foggy@lemmy.world · ↑9 · 9 days ago

      You can’t exactly read code and determine it’s not malicious.

      This is exactly why the rise of zero-width characters being used in malware is scary: human-readable source is not 1:1 with human-verifiable behavior.

      We’ve entered an arms race of “use an automated tool. Review the automated tool’s work. Use an automated tool to review the automated tool’s work. Review the automated tool’s automated tool’s work…”

      I am personally not going to start reading assembly.

      • anamethatisnt@sopuli.xyz · ↑8 · 9 days ago

        Yeah, somewhere along the line you end up with a question of trust. “Do I trust the developer of this AppImage?”, “Do I trust the result of this automated tool that checks the code for malware?” or “Do I trust my IDE and myself when I downloaded the source and tried to verify it in my sandboxed VM?”.

        My main point was that the hash doesn’t really tell you anything about the source, except whether you got an exact copy of it or not.

    • theorangeninja@sopuli.xyz (OP) · ↑6 · 9 days ago

      I was not aware of that. Thank you very much for pointing that out! So better to download a Flatpak over an AppImage if one is provided.

      I am currently downloading Flatpaks from Flathub as much as possible, but some programs are not available on there. Or they are not verified, and a community-maintained Flatpak is just another attack surface for a MITM attack.

  • Denys Nykula@piefed.social · ↑8 · 9 days ago

    To make binaries trusted, reproducible builds are a thing. People build the same software from source independently and get the same binaries. Then it can be said that the binaries haven’t added code missing from the source. It is a difficult goal to achieve because of how many complex moving parts are needed to build modern software. Much work relies on distributions’ standardized packaging infrastructure. Read more about monthly achievements in this field: https://reproducible-builds.org/

  • Auster@thebrainbin.org · ↑5 ↓1 · 9 days ago

    The hash, as anamethatisnt said, is just there to confirm nothing’s corrupted.

    Without knowing how to read code, the best you can do is check the issues section, the number of “stars” on the repo (similar to likes), whether the AppImage is provided by someone other than the original author (common when the original project doesn’t include an AppImage), and other indirect signs.

    If you know a bit of troubleshooting, not to be confused with knowing how to code, you could also download the AppImage to a virtual machine, cut all direct communications of the virtual machine to the internet and to the host machine, and unpack the AppImage to see if any files are amiss.

    Alternatively, though that also requires some knowledge of troubleshooting, you could ask an LLM to make an “AppImage recipe” for the program you want, and it should explain step by step how to make the needed AppImage. Troubleshooting comes into play because you had better check at each step that it isn’t hallucinating or linking you to shady sites (the latter is extremely rare in my experience, but better than trusting blindly).