Skip to content
Tauri 中文网
开发指南 参考手册 当前版本 v2.2

Linux 代码签名

本指南提供有关 Linux 软件包代码签名的信息。虽然在 Linux 上部署应用不需要工件签名,但它可用于增加对已部署应用的信任。对二进制文件进行签名允许你的终端用户验证这些文件是真实的并且未被其他不受信任的实体修改。

¥This guide provides information on code signing for Linux packages. While artifact signing is not required for your application to be deployed on Linux, it can be used to increase trust into your deployed application. Signing the binaries allows your end user to verify that these are genuine and have not been modified by another untrusted entity.

为 AppImages 签名

¥Signing for AppImages

AppImage 可以使用 gpg 或 gpg2 进行签名。

¥The AppImage can be signed using either gpg or gpg2.

先决条件

¥Prerequisites

必须准备签名密钥。可以使用以下方式生成新的:

¥A key for signing must be prepared. A new one can be generated using:

Terminal window
gpg2 --full-gen-key

有关更多信息,请参阅 gpg 或 gpg2 文档。你应格外小心,将你的私钥和公钥备份到安全的位置。

¥Please refer to the gpg or gpg2 documentation for additional information. You should take additional care to back up your private and public keys in a secure location.

签名

¥Signing

你可以通过设置以下环境变量将签名嵌入 AppImage:

¥You can embed a signature in the AppImage by setting the following environment variables:

  • SIGN:设置为 1 以签署 AppImage。

    ¥SIGN: set to 1 to sign the AppImage.

  • SIGN_KEY:可选变量,用于使用特定的 GPG 密钥 ID 进行签名。

    ¥SIGN_KEY: optional variable to use a specific GPG Key ID for signing.

  • APPIMAGETOOL_SIGN_PASSPHRASE:签名密钥密码。如果未设置,gpg 会显示一个对话框,以便你输入它。你必须在 CI/CD 平台中构建时设置此项。

    ¥APPIMAGETOOL_SIGN_PASSPHRASE: the signing key password. If unset, gpg shows a dialog so you can input it. You must set this when building in CI/CD platforms.

  • APPIMAGETOOL_FORCE_SIGN:默认情况下,即使签名失败也会生成 AppImage。要在出现错误时退出,你可以将此变量设置为 1

    ¥APPIMAGETOOL_FORCE_SIGN: by default the AppImage is generated even if signing fails. To exit on errors, you can set this variable to 1.

你可以通过运行以下命令显示嵌入在 AppImage 中的签名:

¥You can display the signature embedded in the AppImage by running the following command:

Terminal window
./src-tauri/target/release/bundle/appimage/$APPNAME_$VERSION_amd64.AppImage --appimage-signature

请注意,你需要根据你的配置将 $APPNAME 和 $VERSION 值更改为正确的值。

¥Note that you need to change the $APPNAME and $VERSION values with the correct ones based on your configuration.

:::caution 提醒

签名未经验证

¥The signature is not verified

AppImage 不验证签名,因此你不能依赖它来检查文件是否被篡改。用户必须使用 AppImage 验证工具手动验证签名。这要求你在经过身份验证的渠道(例如通过 TLS 提供服务的网站)上发布密钥 ID,以便终端用户可以查看和验证。

¥AppImage does not validate the signature, so you can’t rely on it to check whether the file has been tampered with or not. The user must manually verify the signature using the AppImage validate tool. This requires you to publish your key ID on an authenticated channel (e.g. your website served via TLS), so the end user can view and verify.

有关更多信息,请参阅 AppImage 官方文档

¥See the official AppImage documentation for additional information.

:::

验证签名

¥Validate the signature

AppImage 验证工具可从 此处 下载。选择其中一个 validate-$PLATFORM.AppImage 文件。

¥The AppImage validate tool can be downloaded from here. Select one of the validate-$PLATFORM.AppImage files.

运行以下命令以验证签名:

¥Run the following command to validate the signature:

Terminal window
chmod +x validate-$PLATFORM.AppImage
./validate-$PLATFORM.AppImage $TAURI_OUTPUT.AppImage

如果签名有效,则输出将是:

¥If the signature is valid, the output will be:

Validation result: validation successful
Signatures found with key fingerprints: $KEY_ID
====================
Validator report:
Signature checked for key with fingerprint $KEY_ID:
Validation successful

Tauri 中文网 - 粤ICP备13048890号