PopTracker/type2-runtime

type2-runtime rehost

This repository is currently rehosting the releases from AppImage/type2-runtime to allow reproducible builds, provide some level of traceability and mitigate potential supply chain attacks.

The original release artifacts are signed in CI by AppImage/type2-runtime and releases are automated.

How a rehost release is created:

  • Review the upstream code changes.
  • Compare the upstream action artifacts to the release artifacts (currently done by hand).
  • Check that all upstream commits, and no extra commits, are merged here, so the rehost retains the actual upstream source.
  • The rehost action is started by pushing a tag; it checks the signature and uses actions/attest.

The attestation can be checked and reviewed using Actions -> Attestations, gh attestation verify, a rekor search for the artifact hash, and/or cosign verify-blob with --bundle, --certificate-identity and --certificate-oidc-issuer https://token.actions.githubusercontent.com.

Note that the attestation only records when and how the artifact was downloaded, not what went into it. The runtime build itself is not fully reproducible.

The signature can be checked using GnuPG and the upstream pubkey.

Once validated, you can simply use the tag and check the SHA256 to verify the download.
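The verification chain described above (GnuPG signature, attestation, SHA256 of the download), as an added shell example that is not code from this repository or from AppImage/type2-runtime. The path of the attestation bundle and the workflow path inside CERT_IDENTITY are assumed placeholders; the tool names and flags are the ones named above.

```shell
#!/bin/sh
# Verify a rehosted type2-runtime release artifact before using it.
# Order follows the README: GnuPG signature, then the Sigstore attestation
# produced by actions/attest, then the SHA256 of the actual download.
# Assumed placeholders (not from the repository): the attestation bundle
# path passed as $4 and the WORKFLOW.yml / TAG parts of CERT_IDENTITY.

UPSTREAM_PUBKEY="${UPSTREAM_PUBKEY:-signing-pubkey.asc}"   # upstream public key file
OIDC_ISSUER="https://token.actions.githubusercontent.com"   # issuer named in the README
CERT_IDENTITY="${CERT_IDENTITY:-https://github.com/PopTracker/type2-runtime/.github/workflows/WORKFLOW.yml@refs/tags/TAG}"

# Portable SHA256 of a file: prints only the hex digest.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Compare a download against the digest published with the tag (case-insensitive).
check_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Full chain: artifact, detached GnuPG signature, expected sha256, attestation bundle.
verify_runtime() {
    file=$1; sig=$2; expected=$3; bundle=$4
    gpg --import "$UPSTREAM_PUBKEY" >/dev/null 2>&1 || return 1
    gpg --verify "$sig" "$file" || { echo "GnuPG signature check failed" >&2; return 1; }
    gh attestation verify "$file" --owner PopTracker \
        || { echo "gh attestation verify failed" >&2; return 1; }
    cosign verify-blob "$file" --bundle "$bundle" \
        --certificate-identity "$CERT_IDENTITY" \
        --certificate-oidc-issuer "$OIDC_ISSUER" \
        || { echo "cosign verify-blob failed" >&2; return 1; }
    check_sha256 "$file" "$expected" || { echo "SHA256 mismatch" >&2; return 1; }
    echo "OK: $file"
}

if [ "$#" -eq 4 ]; then
    verify_runtime "$@"
fi
```

Run it as `sh verify.sh runtime-x86_64 runtime-x86_64.sig <sha256> <bundle.json>`; each check stops the script on its first failure so a bad download is never reported as OK.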

Using immutable releases is on the roadmap.

Original README follows:

type2-runtime

The runtime is the executable part of every AppImage. It mounts the payload via FUSE and executes the entrypoint.

This repository builds a statically linked runtime for type-2 AppImages in an Alpine Linux chroot with musl libc.

Since the runtime is linked statically, libfuse2 is no longer required on the target system.

Notes for users

As an AppImage user, you do not need this repository, as the AppImage runtime is embedded into every AppImage.

Notes for developers

Please note: This repository is meant to be extremely simple.

  • Do NOT add additional external dependencies or files. Everything shall be implemented in one file, runtime.c.
  • Do NOT add a complicated "build system" (like autotools, CMake, ...) other than the existing simple Makefile and bash.

Binaries are provided on GitHub Releases.

Please see BUILD.md if you want to build the runtime yourself.

Signing

Release builds are signed automatically using GnuPG. The corresponding public key can be found in the file signing-pubkey.asc.
