KittyCAD / modeling-app

The KittyCAD modeling app.
https://kittycad.io/modeling-app/download
MIT License

Sign Linux builds #297

Closed pierremtb closed 12 months ago

pierremtb commented 1 year ago

Follow up from #231

https://tauri.app/v1/guides/distribution/sign-linux

pierremtb commented 1 year ago

Early research: was able to sign an appimage manually, see logs below.

The tauri docs are very loosely written, as the env variables at https://tauri.app/v1/guides/distribution/sign-linux#signing-for-appimages don't have any impact, except APPIMAGETOOL_SIGN_PASSPHRASE

So in order to get this to work, we need to add an extra call to appimagetool-x86_64.AppImage, pointing to the temporary .AppDir at src-tauri/target/release/bundle/appimage/kittycad-modeling-app.AppDir/, with the right keys, which will produce a new signed AppImage.

TL;DR: signing is feasible without much effort for the AppImage bundle type, and we need:

  1. the key I used added as Repo Secrets
  2. a PR adding the key and running the extra commands if platform == ubuntu at the end of build-apps

```
@pierremtb ➜ /workspaces/modeling-app (pierremtb/issue300) $ ./appimagetool-x86_64.AppImage --sign src-tauri/target/release/bundle/appimage/kittycad-modeling-app.AppDir/ --sign-key 538D9DAE311D5368
appimagetool, continuous build (commit 5735cc5), build <local dev build> built on 2023-03-08 22:52:04 UTC
WARNING: appstreamcli command is missing, please install it if you want to use AppStream metadata
Using architecture x86_64
/workspaces/modeling-app/src-tauri/target/release/bundle/appimage/kittycad-modeling-app.AppDir should be packaged as kittycad-modeling-app-x86_64.AppImage
WARNING: AppStream upstream metadata is missing, please consider creating it
         in usr/share/metainfo/kittycad-modeling-app.appdata.xml
         Please see https://www.freedesktop.org/software/appstream/docs/chap-Quickstart.html#sect-Quickstart-DesktopApps
         for more information or use the generator at http://output.jsbin.com/qoqukof.
Generating squashfs...
Parallel mksquashfs: Using 2 processors
Creating 4.0 filesystem on kittycad-modeling-app-x86_64.AppImage, block size 131072.
...
Unrecognised xattr prefix system.posix_acl_default
[=======================================================================================================-] 1941/1941 100%

Exportable Squashfs 4.0 filesystem, gzip compressed, data block size 131072
        compressed data, compressed metadata, compressed fragments,
        compressed xattrs, compressed ids
        duplicates are removed
Filesystem size 76464.57 Kbytes (74.67 Mbytes)
        33.71% of uncompressed filesystem size (226821.93 Kbytes)
Inode table size 8174 bytes (7.98 Kbytes)
        42.29% of uncompressed inode table size (19328 bytes)
Directory table size 3720 bytes (3.63 Kbytes)
        41.25% of uncompressed directory table size (9019 bytes)
Number of duplicate files found 23
Number of inodes 322
Number of files 231
Number of fragments 34
Number of symbolic links  34
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 57
Number of ids (unique uids + gids) 1
Number of uids 1
        root (0)
Number of gids 1
        root (0)
Embedding ELF...
Marking the AppImage as executable...
Embedding MD5 digest
[sign] signing requested
[sign] found gpgme version 1.17.1
[sign] found gcrypt version 1.10.1
[sign] calculated digest: 1b81bb0a7cad4a2f1c28f87def14b6c2c07e645aa5fec923bcb63ebec2228162
[sign] using engine OpenPGP (found in /usr/bin/gpg), version 2.2.19, gpgme requires at least version 1.4.0
[sign] using key with fingerprint 4ECB2E04209F993BF8E74C60538D9DAE311D5368, issuer name Pierre Jacquier
[sign] signed using pubkey algo RSA, hash algo SHA512, key fingerprint 4ECB2E04209F993BF8E74C60538D9DAE311D5368
[sign] embedding signature in AppImage
[sign] embedding key in AppImage
Success

Please consider submitting your AppImage to AppImageHub, the crowd-sourced
central directory of available AppImages, by opening a pull request
at https://github.com/AppImage/appimage.github.io

@pierremtb ➜ /workspaces/modeling-app (pierremtb/issue300) $ ./kittycad-modeling-app-x86_64.AppImage --appimage-signature
-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEETssuBCCfmTv450xgU42drjEdU2gFAmTjllQACgkQU42drjEd
U2ilsQv+KjOBTndTLMm0aKw40gMe02Rp+4hNwu+XVNIqM4CiJByoOhj39vN5+SZP
rOWJzAcF1VY0iW6jWsf23GaQAFigeeM+1DUJzx75nMFYokxbHYXcTR9aS8a8vWR3
XC2aJ5xyN7HkpoIfaFsfRSso8de01EAWioppTbecZcDua4q801O+yTjjEhCghMm3
SQFykVJypr2gUmroAdcNrGvLWk84W6fNZUcqpP1ZXVIXh2oS0E5o/fyF58h2jPeV
KhE1BNnT7wL0yyIPbmauMtiTiTkZhKwqPsgNTRk9OtUizkJWfB9YS0JU/3sGGhy1
CbRreh+r7qsS/cjt/f8uigD046eYb0zYpeuiUfDlmxVEwcviEBo+41PDnODFbCG9
nupcYV/Jy556cWVHYPKGk+Q9STlJBFmCUD7Pv240so594++F/qmTLee7aF2l0mbY
shR71DDEfxQ2KZOBXvl122ZXepBZJYvNnCmYbRzBGimpDNjBdIXpjWuN9JWS9aud
NAgQvAmU
=qn5L
-----END PGP SIGNATURE-----
```

pierremtb commented 1 year ago

Looks like it worked well! Downloaded the AppImage from the CI kicked at https://github.com/KittyCAD/modeling-app/commit/f49ef94775dafbd36ebfb78bd83613181719759d, and the signature made it!

```
$ ./kittycad-modeling-app_0.0.3_amd64.AppImage --appimage-signature
-----BEGIN PGP SIGNATURE-----
...
=FeBQ
-----END PGP SIGNATURE-----
```

pierremtb commented 1 year ago

I think this might not work as planned, as I'm only overriding the current to-be-release AppImage here, but not the .tar.gz meant for the update pkg, which is just an AppImage archived.

Need to either get the env vars working so that the default action builds all of it signed automatically (but they didn't last time I tried), or replace that .tar.gz as well if it's nothing but the new version archived.
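An added release-gate script, not part of modeling-app or of the appimagetool project, that checks the two points raised in this thread: from appimagetool's own `[sign]` log lines, that the AppImage was signed with the pinned release key (not whichever key the runner happened to have), and that the updater `.tar.gz` really contains the signed AppImage rather than the earlier unsigned one. The log excerpt is constructed from the lines quoted above, the AppImage bytes in `demo()` are constructed placeholders, and the function names and file names are assumptions for illustration.

```python
"""Release-gate helpers for the Linux AppImage signing flow (added example, not project code)."""
import hashlib
import re
import tarfile
import tempfile
from pathlib import Path

# Fingerprint that appimagetool printed in the issue's log when the AppImage was signed.
EXPECTED_FINGERPRINT = "4ECB2E04209F993BF8E74C60538D9DAE311D5368"

# Constructed excerpt of appimagetool's stdout, assembled from the log lines quoted in the issue.
SAMPLE_LOG = """\
Embedding MD5 digest
[sign] signing requested
[sign] found gpgme version 1.17.1
[sign] calculated digest: 1b81bb0a7cad4a2f1c28f87def14b6c2c07e645aa5fec923bcb63ebec2228162
[sign] using key with fingerprint 4ECB2E04209F993BF8E74C60538D9DAE311D5368, issuer name Pierre Jacquier
[sign] signed using pubkey algo RSA, hash algo SHA512, key fingerprint 4ECB2E04209F993BF8E74C60538D9DAE311D5368
[sign] embedding signature in AppImage
[sign] embedding key in AppImage
Success
"""

_FPR_RE = re.compile(r"fingerprint ([0-9A-Fa-f]{40})")


def check_sign_log(log_text: str, expected_fpr: str) -> dict:
    """Gate on appimagetool's [sign] lines: signing must have been requested, the
    signature must have been embedded, every reported fingerprint must be the pinned
    release key, and the tool must have ended with 'Success'."""
    problems = []
    fprs = {f.upper() for f in _FPR_RE.findall(log_text)}
    lines = [ln.strip() for ln in log_text.splitlines()]
    if "[sign] signing requested" not in lines:
        problems.append("appimagetool never attempted signing (--sign missing?)")
    if "[sign] embedding signature in AppImage" not in lines:
        problems.append("signature was not embedded")
    if not fprs:
        problems.append("no key fingerprint reported")
    elif fprs != {expected_fpr.upper()}:
        problems.append(f"unexpected signing key(s): {sorted(fprs - {expected_fpr.upper()})}")
    if "Success" not in lines:
        problems.append("appimagetool did not report Success")
    return {"ok": not problems, "fingerprints": sorted(fprs), "problems": problems}


def sha256_of(stream, chunk=1 << 20) -> str:
    """Streaming SHA-256 so a 75 MB AppImage is never read into memory at once."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def tarball_matches_appimage(tar_path, appimage_path) -> bool:
    """True only if the updater .tar.gz holds exactly one regular file whose bytes are
    identical to the (signed) AppImage that is about to be published."""
    with open(appimage_path, "rb") as fh:
        want = sha256_of(fh)
    with tarfile.open(str(tar_path), "r:gz") as tf:
        files = [m for m in tf.getmembers() if m.isfile()]
        if len(files) != 1:
            return False
        return sha256_of(tf.extractfile(files[0])) == want


def repack_updater_tarball(appimage_path, tar_path) -> None:
    """Rebuild the updater archive from the signed AppImage (the 'replace that .tar.gz' option)."""
    with tarfile.open(str(tar_path), "w:gz") as tf:
        tf.add(str(appimage_path), arcname=Path(appimage_path).name)


def demo() -> tuple:
    """Constructed scenario: the bundler archived the unsigned AppImage, then the signed
    one replaced it on disk. Returns (matched_before_repack, matched_after_repack)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        app = tmp / "kittycad-modeling-app_0.0.3_amd64.AppImage"
        tgz = tmp / "kittycad-modeling-app_0.0.3_amd64.AppImage.tar.gz"
        app.write_bytes(b"\x7fELF unsigned build (constructed placeholder bytes)")
        repack_updater_tarball(app, tgz)  # what the default bundler step left behind
        app.write_bytes(b"\x7fELF signed build + embedded signature (constructed)")
        before = tarball_matches_appimage(tgz, app)  # stale archive: mismatch
        repack_updater_tarball(app, tgz)  # the fix: re-archive the signed file
        after = tarball_matches_appimage(tgz, app)
    return before, after


if __name__ == "__main__":
    print(check_sign_log(SAMPLE_LOG, EXPECTED_FINGERPRINT))
    print(demo())
```

In a workflow this would run right after the extra `appimagetool --sign` call, with the real log piped into `check_sign_log` and the real paths under `src-tauri/target/release/bundle/appimage/` passed to `tarball_matches_appimage`; a mismatch means the updater would ship the unsigned build even though the release asset is signed.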

pierremtb commented 1 year ago

Changing to low priority, since distributions don't seem to complain at all when this is missing, which is also the case of most at https://appimage.github.io

pierremtb commented 12 months ago

Closing now:

I think investing in putting together an Ubuntu PPA might be more useful down the road