19
How to: Verify Github downloads?
(sopuli.xyz)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 20 Apr 2026
19 points (100.0% liked)
linux4noobs
3208 readers
21 users here now
linux4noobs
Noob Friendly, Expert Enabling
Whether you're a seasoned pro or the noobiest of noobs, you've found the right place for Linux support and information. With a dedication to supporting free and open source software, this community aims to ensure Linux fits your needs and works for you. From troubleshooting to tutorials, practical tips, news and more, all aspects of Linux are warmly welcomed. Join a community of like-minded enthusiasts and professionals driving Linux's ongoing evolution.
Seeking Support?
- Mention your Linux distro and relevant system details.
- Describe what you've tried so far.
- Share your solution even if you found it yourself.
- Do not delete your post. This allows other people to see possible solutions if they have a similar problem.
- Properly format any scripts, code, logs, or error messages.
- Be mindful to omit any sensitive information such as usernames, passwords, IP addresses, etc.
Community Rules
- Keep discussions respectful and amiable. This community is a space where individuals may freely inquire, exchange thoughts, express viewpoints, and extend help without encountering belittlement. We were all a noob at one point. Differing opinions and ideas is a normal part of discourse, but it must remain civil. Offenders will be warned and/or removed.
- Posts must be Linux oriented
- Spam or affiliate links will not be tolerated.
founded 2 years ago
MODERATORS
Personally I'm more against the concept of downloading random Appimages from github.
Unless you've personally gone through the repository code and know that it is clean and safe the hash tells you nothing of importance in that regard. It can be used to verify that the file is complete and didn't corrupt during the download and ensures that no MITM attack went through undetected.
Flatpaks are at least isolated and when you grab a popular package from flathub one can hope there would be an outcry if it's unsafe. AppImages per default get full access to the user /home.
You can't exactly read code and determine it's not malicious.
This is exactly why the rise of 0 width characters being used in malware is scary: Human readable source is not 1:1 with human verifiable behavior.
We've entered an arms race of "use automated tool. Review automated tools work. Used automated tool to review automated tools work. Review automated tool's automated tool's work..."
I am personally not going to start reading assembly.
Yeah, somewhere along the line you end up with a question of trust. "Do I trust the developer of this AppImage?", "Do I trust the result of this automated tool that checks the code for malware?" or "Do I trust my IDE and myself when I downloaded the source and tried to verify it in my sandboxed VM?".
My main point was that the hash doesn't really tell you anything about the source, except whether you got an exact copy of it or not.
I was not aware of that. Thank you very much for pointing out! So better download a Flatpak over an Appimage if provided.
I am currently downloading Flatpaks from Flathub as much as possible but some programs are not available on there. Or not verified and a community-maintained flatpak is just another attack surface for a MITM attack.