Update README.md

This commit is contained in:
2026-03-16 22:07:08 -07:00
parent 467d3208c8
commit bf19a32f12

View File

@@ -9,20 +9,33 @@ It aims to:
## Verifying the AppImage ## Verifying the AppImage
All AppImages in this repository are built directly from the official source code and include a signed authenticity proof to confirm they are unchanged and come from a trusted build process. All AppImages in this repository are built directly from the official source code releases and include a signed authenticity proof (manifest + GPG signature) to confirm they are unchanged and come from my trusted build process.
**EXAMPLE** ### One-time setup (do this once)
Import the builder's public key from the repository root:
```bash
wget https://git.yourittech.support/yourittech.support/appimages/raw/branch/main/builder-pubkey.asc
gpg --import builder-pubkey.asc
```
To verify a downloaded file (e.g. `Nextcloud-Talk-v2.1.1-x86_64.AppImage`): ### Verify a downloaded file (e.g. Nextcloud-Talk-v2.1.1-x86_64.AppImage)
1. Download the three files from the release: 1. Download these three files from the version folder (e.g. `/nextcloud_talk/v2.1.1/`):
- The AppImage itself - `Nextcloud-Talk-v2.1.1-x86_64.AppImage`
- `BUILD_INFO*.json` - `BUILD_INFO-Nextcloud-Talk-v2.1.1.json`
- `BUILD_INFO-Nextcloud-Talk-v2.1.1.json.asc`
2. Check file integrity 2. Check the AppImage integrity with SHA256:
```bash ```bash
sha256sum Nextcloud-Talk-v2.1.1-x86_64.AppImage sha256sum Nextcloud-Talk-v2.1.1-x86_64.AppImage
``` ```
Compare the output to the value of `appimage_sha256` inside the `BUILD_INFO-Nextcloud-Talk-v2.1.1.json` file.
3. `cat` the `BUILD_INFO*.json` and confirm the key. 3. Verify the signed manifest (confirms the SHA256 and build info come from me):
```bash
gpg --verify BUILD_INFO-Nextcloud-Talk-v2.1.1.json.asc BUILD_INFO-Nextcloud-Talk-v2.1.1.json
```
Look for:
```
gpg: Good signature from "YourITtech.support" [...]
```