"BAD signature" when validating signed AppImage

[rajivshah3]

Description

I'm trying to sign an AppImage in a Docker container (Dockerfile) by following the instructions at https://docs.appimage.org/packaging-guide/signatures.html but working around the FUSE issues. It signs successfully, but when I run the validate program it says BAD signature.

Steps to reproduce

1. Build and sign the app

docker run -it iotacafe/trinity-desktop-ci:latest /bin/bash
mkdir workdir
git clone https://github.com/iotaledger/trinity-wallet
cd trinity-wallet
yarn && yarn deps:shared && yarn deps:desktop
cd src/desktop
yarn build
yarn compile:linux
cp out/trinity-desktop-0.4.6.AppImage /app/workdir
cd /app
chmod a+x appimagetool-x86_64.AppImage
./appimagetool-x86_64.AppImage --appimage-extract
cd workdir
chmod a+x trinity-desktop-0.4.6.AppImage
./trinity-desktop-0.4.6.AppImage --appimage-extract
cd ..
./squashfs-root/AppRun ./workdir/squashfs-root ./workdir/trinity-desktop-0.4.6.AppImage --sign

Output of AppImage signing

root@1feb358c9ecc:/app# ./squashfs-root/AppRun ./workdir/squashfs-root ./workdir/trinity-desktop-0.4.6.AppImage --sign 
appimagetool, continuous build (commit ce61b83), build 2077 built on 2019-04-06 03:59:18 UTC
WARNING: appstreamcli command is missing, please install it if you want to use AppStream metadata
Using architecture x86_64
/app/workdir/squashfs-root should be packaged as ./workdir/trinity-desktop-0.4.6.AppImage
WARNING: AppStream upstream metadata is missing, please consider creating it
         in usr/share/metainfo/trinity-desktop.appdata.xml
         Please see https://www.freedesktop.org/software/appstream/docs/chap-Quickstart.html#sect-Quickstart-DesktopApps
         for more information or use the generator at http://output.jsbin.com/qoqukof.
Generating squashfs...
Parallel mksquashfs: Using 2 processors
Creating 4.0 filesystem on ./workdir/trinity-desktop-0.4.6.AppImage, block size 131072.
[=============================================================|] 1638/1638 100%

Exportable Squashfs 4.0 filesystem, gzip compressed, data block size 131072
    compressed data, compressed metadata, compressed fragments, compressed xattrs
    duplicates are removed
Filesystem size 70268.48 Kbytes (68.62 Mbytes)
    35.01% of uncompressed filesystem size (200722.98 Kbytes)
Inode table size 5432 bytes (5.30 Kbytes)
    58.72% of uncompressed inode table size (9251 bytes)
Directory table size 904 bytes (0.88 Kbytes)
    52.35% of uncompressed directory table size (1727 bytes)
Number of duplicate files found 0
Number of inodes 91
Number of files 79
Number of fragments 7
Number of symbolic links  2
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 10
Number of ids (unique uids + gids) 1
Number of uids 1
    root (0)
Number of gids 1
    root (0)
Embedding ELF...
Marking the AppImage as executable...
Embedding MD5 digest
gpg2 and sha256sum are installed and user requested to sign, hence signing
Success

Please consider submitting your AppImage to AppImageHub, the crowd-sourced
central directory of available AppImages, by opening a pull request
at https://github.com/AppImage/appimage.github.io

2. Validate signature

git clone https://github.com/AppImage/AppImageKit
cd AppImageKit
apt-get update
./install-build-deps.sh
./build.sh
cd build/out
./validate /app/workdir/trinity-desktop-0.4.6.AppImage

Output of signature validation

root@1feb358c9ecc:/app/AppImageKit/build/out# ./validate /app/workdir/trinity-desktop-0.4.6.AppImage
Skipping ELF section .sha256_sig with offset 176712, length 1024
d450bdb70c4f309586e45c227f467adf0ff7689ed78ea2642d9730c3257fe789
/usr/bin/gpg2 --verify /tmp/trinity-desktop-0.4.6.AppImage.sig /tmp/trinity-desktop-0.4.6.AppImage.digest
gpg: Signature made Sun Apr 14 20:23:31 2019 UTC
gpg:                using RSA key DDF6BC26B3784A376567081FFF579E869C60F611
gpg: BAD signature from "Test Test <test@example.com>" [ultimate]

I tried reproducing the issue in an Ubuntu 18 VM but the validate program wouldn't build for some reason

[probonopd]

@TheAssassin can you have a look please and see whether the signatures are still working in general?

Also, we should upload the validate tool.

[TheAssassin]

Since the validation works in AppImageUpdate... yes. I have never really looked into what that validate thing does in what way, so I can't give any guarantees. It's most likely that it's outdated, since it doesn't skip a few sections introduced to make AppImageUpdate much more efficient.

[probonopd]

Please update validate if you change stuff. I don't like that my stuff breaks when you make changes. Thanks.

[rajivshah3]

Is there a way to run the validation from AppImageUpdate by itself? I would try to fix the validate program in AppImageKit myself but my C skills aren't great 😅

[TheAssassin]

Nope, there is not. It's run only on updates.

[rajivshah3]

I see. Is there a workaround to verify it manually with gpg/gpg2 or should I wait for this to be fixed?

[TheAssassin]

You will have to wait.

[probonopd]

Possibly the reason for https://www.reddit.com/r/Electrum/comments/blmx73/electrum_334_signature_confirmation/?

You will have to wait.

For how long?

[cvarley100]

@probonopd @TheAssassin Do you guys have an ETA for this?

[TheAssassin]

No, this is the least priority issue right now to work on. I'm very short on time right now. Free software projects just can't give you any SLAs, unfortunately. This is on the TODO list.

[cvarley100]

Okay, that's understandable. I was just hoping you might have some indication of when you will take a look at it (it's somewhat of a blocker for us).

[TheAssassin]

PRs welcome, if you feel confident please feel free to apply the changes yourself (shouldn't be too hard, check out AppImageUpdate's verification code for comparison which works already).