enable AppImage and rpm distrobutions (#6127)

2026-05-01 23:16:31 +02:00 · 2026-04-17 22:19:16 +01:00
parent 79f4748ea6
commit 3eefabd44b
7 changed files with 262 additions and 9 deletions
--- a/docs/security/VERIFYING_RELEASES.md
+++ b/docs/security/VERIFYING_RELEASES.md
@@ -0,0 +1,114 @@
+# Verifying Stirling-PDF Release Artifacts
+
+Every Linux release artifact (`.AppImage`, `.rpm`, `.deb`) is signed with the
+**Stirling-PDF release signing key**. Users are encouraged to verify downloads
+before running them, especially when obtaining Stirling-PDF from a mirror,
+redistributor, or any source other than the official
+[GitHub Releases page](https://github.com/Stirling-Tools/Stirling-PDF/releases).
+
+## Signing key
+
+| Field        | Value                                              |
+|--------------|----------------------------------------------------|
+| User ID      | `Stirling PDF Inc. <contact@stirlingpdf.com>`      |
+| Fingerprint  | `EBB9 258B FEA4 7D92 342F  00DF B8C0 96A5 9BEF 2A8B` |
+| Algorithm    | RSA-4096                                           |
+| Valid until  | 2031-04-16                                         |
+
+The public key is committed to this repository at
+[`docs/security/signing-key.pub`](signing-key.pub) and is also published on:
+
+- https://keys.openpgp.org/search?q=EBB9258BFEA47D92342F00DFB8C096A59BEF2A8B
+- https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xEBB9258BFEA47D92342F00DFB8C096A59BEF2A8B
+
+Cross-checking the fingerprint from two independent sources (the repository and
+a keyserver) is the recommended way to be sure you've obtained the genuine key.
+
+## One-time setup — import the public key
+
+```bash
+# Option 1 — from the repo over HTTPS
+curl -fsSL https://raw.githubusercontent.com/Stirling-Tools/Stirling-PDF/main/docs/security/signing-key.pub \
+  | gpg --import
+
+# Option 2 — from a keyserver
+gpg --keyserver hkps://keys.openpgp.org \
+    --recv-keys EBB9258BFEA47D92342F00DFB8C096A59BEF2A8B
+```
+
+Confirm the fingerprint matches after import:
+
+```bash
+gpg --fingerprint contact@stirlingpdf.com
+# Expected: EBB9 258B FEA4 7D92 342F  00DF B8C0 96A5 9BEF 2A8B
+```
+
+## Verifying an `.AppImage`
+
+Tauri's AppImage bundler embeds the signature inside the AppImage itself via
+`appimagetool --sign`. Extract and verify:
+
+```bash
+# --appimage-signature prints the embedded signature
+./Stirling-PDF_*.AppImage --appimage-signature > sig.asc
+./Stirling-PDF_*.AppImage --appimage-offset                  # shows the offset
+# Verify the payload signature against the key
+gpg --verify sig.asc Stirling-PDF_*.AppImage
+```
+
+A successful result looks like:
+
+```
+gpg: Good signature from "Stirling PDF Inc. <contact@stirlingpdf.com>" [ultimate]
+```
+
+## Verifying an `.rpm`
+
+RPM signatures are verified via `rpm --checksig`:
+
+```bash
+# Import the key into rpm's keyring
+sudo rpm --import docs/security/signing-key.pub   # if working from a clone
+# OR
+sudo rpm --import https://raw.githubusercontent.com/Stirling-Tools/Stirling-PDF/main/docs/security/signing-key.pub
+
+# Verify the package
+rpm --checksig Stirling-PDF-*.rpm
+# Expected output ends with: "digests signatures OK"
+```
+
+## Verifying a `.deb`
+
+Debian packages are signed with a detached `.asc` file distributed alongside
+the `.deb` on the release page:
+
+```bash
+gpg --verify Stirling-PDF-*.deb.asc Stirling-PDF-*.deb
+```
+
+## What if verification fails?
+
+A failed signature check means **do not install the file**. Possible causes:
+
+- The download was corrupted — try again from the
+  [official releases](https://github.com/Stirling-Tools/Stirling-PDF/releases).
+- You obtained the file from a malicious mirror — get it from the official
+  source.
+- The signing key has rotated — check this document on the latest `main` for
+  the current fingerprint.
+
+If none of those explain it, please open a security report at
+https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/new.
+
+## Key rotation policy
+
+The signing key expires on **2031-04-16**. We will publish a new key at least
+six months before expiry. The transition process:
+
+1. A new key is announced in release notes and this document is updated.
+2. The last few releases will be co-signed with both the old and new keys.
+3. The old key is published with a revocation notice once the transition is
+   complete.
+
+If the signing key is ever compromised, a revocation certificate will be
+published immediately to both keyservers and to this document.
--- a/docs/security/signing-key.pub
+++ b/docs/security/signing-key.pub
@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGniEeQBEADHiXeQS+OD8Tzm9RoFEZZE09yD/9GTMXZh3YZuOQTHXoEYHmQE
+mdytue4LdyKQtWxn6DlHnB3ea724yARtRkMcleljDYC9bcAb2/Cpysf9vTI8QxFa
+Tw+T1jp/it0WC4Gsc18pfZeS+QaGwqs9MkMiy1jSnxSf3q4pncCcI+w/8ZqC7iRE
+XHoIQPJLx0poSqqa0y4hbK8rM2zms/RGmktQoVuGEVSkt2dmGDGoHpKo4sueyMtr
+qm4Qy3n7qQDT/Fl9YPgs9KYdCWJV8uET4WHPaUMz44798gip4m5RIexa7eNdIUid
+wpfGDJwd4FTZ3MndHaJ96gW1mrIp0YzCnZxTibp2Ki/BQpw6kwgfkWLa9J97ikIu
+u/4tTrZV/wUGX6nOIDsJgTdfGICjdnnt3pkp8NeBaU54NPahwlaVvp7byiehrhDe
+qyLO+rDvwnraxeHTdpF2s2Rb+/gZZJKUgRqimFah8Enh6Ntwu8J39NQK5+SLZkbG
+3g6Xlnn8T9+7if830xvbXh8CmIYdMe0SEkZQQqNi9pZzkUMf3B1gar8FoLR23/u
+eem04OLNAwQFFVkTAsmLB1uMYZuo01EsSl5dmnMF4bovJxhHp4mbZwBcpehA6b9R
+WX29aqeJYM6j/z8MBXkjmIh7Z/Ftqc+BSWz4So0goxSsqH8D4Yvhspy95wARAQAB
+tCtTdGlybGluZyBQREYgSW5jLiA8Y29udGFjdEBzdGlybGluZ3BkZi5jb20+iQJX
+BBMBCABBFiEE67kli/6kfZI0LwDfuMCWpZvvKosFAmniEeQCGwMFCQlmAYAFCwkI
+BwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQuMCWpZvvKosUXQ/9F6PeGwB7qNkC
+22rBel7QjzF0XJVYPboLdqXKZGN4Nr1Mr57aHfETNfnDxfxG7ClEAfGuOR7McSG7
+ewPDdd4f0qCbQWkqUXOnmtb9+2ljiRHGtEg3gWUoCfIDxORaMluWO++z4VmKRS2L
+Ech761cU3acgDePkHfIg62/agNlhFgrE5QRnUznyf8OKAJbcl3vlyBC9eXZ+9Atg
+7FAXfohOBdn9J5i3v+AmnAJSoDfjNYseaJqCouhdPM1uNoSq798JnE3X+j2Pt/AY
+2Nlz1ZdREgiHGL0zA4/ILEchv+Ypl/gtNsArsbJJdMST5conihc2L7bcJ7FJzd71
+xFczvUyhPTrPJcaryFYvR559xIDtJ5ucz6C63DAL32kmE4fnUd2UE+/pwx7pkEit
+sqTq/fSZNALyq0W5IL6jgEzdC2yUodHytULk3JSS7RQakkkVHrhkJrm5UnOYXTkD
+62k4tpDIBtuZ6NyD+X4PD2XBUdsdu42OetKrr7tIN/ZktfV1C5BY8+Jr4ZQSxXG5
+8Qwjfcytem4rhuumfS0pqaJ91PUNDxVTyKEBsa8a/gkLelkapnvDMU9DyND75UBw
+Y81ptA2Q5u4nODJ1ow8R/6GiolC9/0mNQPHZatdI0uoC7fRUMybEvrcSl+D1YpgC
+uuEh1VurvrV0J6VdwncFYrjZiwxo0A25Ag0EaeIR5AEQANFuE3C5iq6GWZ7rWnz6
+IORKb+aK7p/ifES4TXq3GVgWGslcPpnChlcfuMLo91QySRNrgnT5qkRg70JvtVil
+y8hOx4rcfEEK/lKDIBmu6/9DdQhegxmjP+myXYqpMzE5l+t5wWDKWK4e2b0SluRM
+x3sb0rp7mM0KM/VmMCDrDCd3zWE8Z/r40Oc/6pKJ7FmorZmU8OyLQAIiXhnANPW7
+nAUEvtjS57ctIBK58UQVfLasoKMe3JIjRU67sVGV6pdQS9b+1wv8cFIAjUdlWmem
+gYy8YZP2XS1kgq6WsNYE0noxs1UafJ+r1IbNs9czT3S2Uu6hjIukKWyb1CjehOlj
+HbS9WRfNyeAVz3R7HUfKukFF1a58DPe0shxdSr9xqths5337Nx+M9nVQwSSQeALl
+95F2o1dokZc/Wzk83T4K89zGlpZYdehTObdPlaLH8b/p7UH47gjH3naEHpp0vQAE
+w/7VkYp0Pqo9YtST8Xom05R/kDrUdNYjJHdEMSKRKh+yw9N+cyMX3yQjJFf+tUzW
+d3tpdXQx9DeQR6I8os9uvoSYtg9GHaWHHxkn64y6Y6TjMF9RT//lifRxyt6dGyVW
+ROkzzojqfXUTONdzO4SSNvXhD9EDx9MVnCG44WXuMf4VMj+cTQKmguENiur/Xh4k
+Uq3B9NtpB+fzSX1WRqEVTTQHABEBAAGJAjwEGAEIACYWIQTruSWL/qR9kjQvAN+4
+wJalm+8qiwUCaeIR5AIbDAUJCWYBgAAKCRC4wJalm+8qixuuD/9uGhTTLxL7CiIh
+D9QzkPQzo7qRl1+ca1DpM6cF+N26gHyy03AELm6HuacCDGt3+ZtpF8ADFTwQzkVq
+Y1UGkd1mSxKank3uATEv7bksHkZE6pKk2RGK7JtMGmdoaUOs5BXGFRgE3ntRYM+4
+rXGld+gQpxCw5URFwD6+vaByNcxgSGCLMxWCvbAargWTqHuVoFUwbd6LV8qp/DCR
+8W1HzlDoHqOyZZpYAHiyRKhlrElImE2Bxn99z5oE3beNw5kd5D87P4oSRkrlz+Kj
+OSqJPWTh5gNE0z3JPsQDCNpmEuifZbJc0SF6QLg8/oYabZiM34YFMqMtsc4t4vtH
+bAtUPWZoPiW0YAM90caoGQcU7kaA7Jn38QwMZ8FDv9OWMO6LQDHIY6CzXxRgakoy
+OPkn/iTwCecrdqHlBtc2hINSguPw6JO35O08BmOYLe/lFTf5EWcGZFCVG5raos+2
+AZry7VjhGMmFONteuLyZ94Istse122L158M10V63S7SCFzPEAZw0mhHMOULfXt/Z
+wk1Czlo6J78TsEevILG0Ft4a7hyAUiPIigZ/LqZRH2Skrk4pVVP5rFlwmITQg7dG
+NldnyvBgL4CX72XIc6BumY9k3eiFzM++XuQ9Z/NkSjYkynGyjMD0FjlGQj6xHdr4
+0546Zz4onsw5L5I/NzcaG5HK1YNUNA==
+=vzHS
+-----END PGP PUBLIC KEY BLOCK-----