SpacingBat3 / WebCord

A Discord and SpaceBar Electron-based client implemented without Discord API.
MIT License

Webcord RPM package cannot be installed because headers are not signed. #523

Open RiQuY opened 4 months ago

RiQuY commented 4 months ago

Acknowledgements

Operating System / Platform

🐧️ Linux

Operating system architecture

x64 (64-bit Intel/AMD)

Electron version

None

Application version

v4.8.0

Bug description

The RPM package for x86_64 cannot be installed because it is unsigned.

When trying to install Webcord, the package manager returns this error:

Error: 3:webcord-4.8.0-1.x86_64 (file-aeb66dd3): Error de verificación de firma [6-El fichero no está firmado]
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK
    ¡Cabecera del paquete sin firmar!

Sorry about the log in Spanish; that means the package header needs to be signed with GPG to be able to install it. I'm not 100% sure but I think the following link contains how to fix this: https://www.redhat.com/sysadmin/rpm-gpg-verify-packages.

Thanks.

Additional context

System info

OS: openSUSE Tumbleweed x86_64
Kernel: 6.7.6-1-default
Resolution: 2560x1440
DE: Hyprland
CPU: AMD Ryzen 7 1700X (16) @ 3.400GHz
GPU: AMD ATI Radeon RX 5600 OEM/5600 XT / 5700/5700 XT
Memory: 3900MiB / 32016MiB

SpacingBat3 commented 4 months ago

Right now, none of the builds are signed. This is mostly because there's no integrated way in Forge to sign (most) Linux distributables. And I'm not going to buy and keep renewing any certificate for Windows and macOS when I make $0 of monthly income from WebCord itself (some people donate money to support me as a dev, but I consider this money a way of supporting me, to help me reach a goal of giving more of my time to FOSS development than consider working on proprietary code only just so I don't die poor).

As for macOS, I've also heard of a way to get a cert that can be used for non-profit purposes (as a non-profit org or party, I guess), so that could be it, but again I still have no Apple hardware, and installing macOS outside of it (hackintosh, emulators etc.) feels like being in a gray zone when it comes to the legality. Consider even Microsoft providing free builds of Windows made just for developers to test their applications in their OS on a VM. This is just how Apple is unfriendly towards the developers that are the userbase of other OSes: they want devs to buy their hardware and stuff just to have some dev env for it.

As for Linux, before I sign stuff, I need to learn how to do it first. Most packages are signed with GPG for sure, but again there might be some required toolkits to embed the signature within the package. I might also need to do this as a Forge process, since Forge immediately publishes the packages to GitHub after creating them during the release process. So yes, signing there isn't that straightforward when makers (in your scenario, @electron-forge/maker-rpm) don't integrate it (and they possibly should be doing so). So while signing all current Linux packages that are published at GitHub Releases is a long-term goal, for sure I won't achieve it soon. It might also be outside of WebCord's scope to implement it in some scenarios.

I guess you might need to tinker with your distro and disable it as a workaround? I see reasons for enforcing package signing; for sure it's useful, especially when installing stuff from repos, since you usually don't verify the contents of each of the packages manually there in any way. For now I'll flag this as wontfix, although I plan to take it on some day, maybe not directly within WebCord. I think I might implement it more within Forge, either by contributing to their code or making my own plugin and implementing signing for the makers I maintain (e.g. AppImages).

RiQuY commented 4 months ago

A workaround is installing from terminal with these parameters (at least on openSUSE), until a signed package is provided:

sudo zypper --no-gpg-checks install webcord-4.8.0-1.x86_64.rpm
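
Added example, not part of the thread and not WebCord's code: a shell gate for the workaround above that separates "digests OK but unsigned" (the state in the reported error) from a failed digest or signature, and permits skipping the GPG check only when the file's SHA-256 matches a value obtained out of band. The function names are hypothetical, the input is assumed to be `rpm -Kv` output in the C locale, and the expected hash is an assumption, since the thread publishes none.

```shell
#!/bin/sh
# Added example; classify_checksig and may_bypass_gpg are hypothetical names.

# Classify `LC_ALL=C rpm -Kv pkg.rpm` output read from stdin. Prints:
#   unsigned  all digests OK, no signature line (the case reported in the issue)
#   signed    all digests OK and a signature verified against an imported key
#   nokey     a signature is present but its public key is not imported
#   fail      a digest or signature did not verify, or no digest line was seen
classify_checksig() {
    awk '
        /digest:/           { digests++; if ($NF != "OK") bad = 1 }
        /Signature, key ID/ { if ($NF == "OK") good = 1
                              else if ($NF == "NOKEY") nokey = 1
                              else bad = 1 }
        END {
            if (bad || !digests) print "fail"
            else if (nokey)      print "nokey"
            else if (good)       print "signed"
            else                 print "unsigned"
        }'
}

# Succeed only when the package is merely unsigned AND its SHA-256 equals a
# lowercase hex value obtained out of band (assumption: the publisher
# provides one over a separate channel).
# Usage: LC_ALL=C rpm -Kv pkg.rpm | may_bypass_gpg pkg.rpm <expected-sha256>
may_bypass_gpg() {
    local file="$1" expected="$2" verdict actual
    verdict=$(classify_checksig)
    actual=$(sha256sum -- "$file") || return 2   # unreadable file: refuse
    actual=${actual%% *}                         # keep only the hex digest
    [ "$verdict" = unsigned ] && [ "$actual" = "$expected" ]
}

# The four digest lines from the zypper error quoted in the issue.
ISSUE_OUTPUT='    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK'
printf '%s\n' "$ISSUE_OUTPUT" | classify_checksig   # prints: unsigned
```

A `fail` or `nokey` verdict is not a case for `--no-gpg-checks`: the first means the file does not match its own digests, the second means the package is signed and the missing step is importing the publisher's key.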