Skip to content

Sorting out yet another AppImage breakage. #1947

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jul 26, 2025
+10 −26
Merged

Sorting out yet another AppImage breakage. #1947

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/linux-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ jobs:
runs-on: ubuntu-latest
container:
image: ghcr.io/grumpycoders/pcsx-redux-build:latest
options: --device /dev/fuse --cap-add SYS_ADMIN --security-opt apparmor:unconfined
env:
TEST_RESULTS: /tmp/test-results
steps:
Expand Down
13 changes: 9 additions & 4 deletions tools/build/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,17 +36,22 @@ RUN apt install -y xvfb
RUN apt install -y python3-pip python3-setuptools patchelf desktop-file-utils libgdk-pixbuf2.0-dev fakeroot strace
RUN apt install -y glibc-tools lcov
RUN apt install -y file

# AppImage dependencies
RUN apt install -y libfuse2t64
RUN apt install -y fuse

WORKDIR /tmp
RUN wget https://github.com/AppImage/AppImageKit/releases/download/continuous/appimagetool-x86_64.AppImage && \
RUN wget https://github.com/AppImage/appimagetool/releases/download/continuous/appimagetool-x86_64.AppImage && \
chmod +x /tmp/appimagetool-x86_64.AppImage && \
cd /opt && /tmp/appimagetool-x86_64.AppImage --appimage-extract && \
mv squashfs-root appimage-tool.AppDir && \
ln -s /opt/appimage-tool.AppDir/AppRun /usr/bin/appimagetool && \
rm /tmp/appimagetool-x86_64.AppImage
Comment on lines +45 to 50
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Pin the download & verify checksum of appimagetool for supply-chain safety.

The build now pulls appimagetool from the continuous channel each time.
That URL always points to the latest artefact, so the resulting image is no longer reproducible and the hash is not verified.

-RUN wget https://github.com/AppImage/appimagetool/releases/download/continuous/appimagetool-x86_64.AppImage && \
+RUN curl -L -o appimagetool-x86_64.AppImage \
+     https://github.com/AppImage/appimagetool/releases/download/continuous/appimagetool-x86_64.AppImage && \
+     echo "SHASUM  appimagetool-x86_64.AppImage" | sha256sum -c - && \

Replace SHASUM with the published hash (or a pinned tag instead of continuous).

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents 
In tools/build/Dockerfile around lines 44 to 49, the appimagetool is downloaded
from the continuous channel without pinning to a specific version or verifying
its checksum, which compromises build reproducibility and supply-chain security.
To fix this, replace the URL to download a specific tagged release version of
appimagetool instead of continuous, and add a step to verify the downloaded
file's checksum against the published hash before proceeding with extraction and
installation.

WORKDIR /
RUN pip3 install --break-system-packages appimage-builder pydpkg
COPY appimage-dpkg.patch /appimage-dpkg.patch
RUN patch -p 1 < appimage-dpkg.patch
RUN wget -O appimage-builder-x86_64.AppImage https://github.com/AppImageCrafters/appimage-builder/releases/download/v1.1.0/appimage-builder-1.1.0-x86_64.AppImage
RUN chmod +x appimage-builder-x86_64.AppImage
RUN mv appimage-builder-x86_64.AppImage /usr/local/bin/appimage-builder
RUN apt install -y imagemagick-6.q16 gtk-update-icon-cache appstream
RUN apt install -y squashfs-tools zip zsync

Expand Down
22 changes: 0 additions & 22 deletions tools/build/appimage-dpkg.patch
View file
Open in desktop

This file was deleted.

Loading