Checksum Verification in AM 9.9.5 Lets You Spot Tampered AppImages
AM’s latest release, 9.9.5, brings an experimental feature that gives every installed AppImage a green‑check badge when its checksum matches an online .zsync or .DIGEST file. This means you can now tell at a glance if the copy of an AppImage sitting on your hard drive is exactly the one the developer shipped.
Why a Checksum Badge Matters
When you run am -l after updating, each app normally shows its version number. The new flag adds a little green tick next to that number when AM has confirmed that the binary’s SHA‑256 digest matches what the host server lists in a .zsync or .DIGEST file. It’s not just a vanity feature; it stops you from running a corrupt or tampered AppImage without noticing.
The first time you update an app with am -u, the version number will look like it has been bumped, but in reality what changes is the addition of that tick. The check runs on every install and upgrade, so a missing or mismatched checksum will be flagged immediately after the download finishes.
What Happens When It Fails
A failed verification does not automatically mean you’re looking at malware. Many legitimate AppImages simply don’t ship a .zsync file, which is why the feature only applies to packages that do have one hosted alongside them. Users in the community have reported that after a bad driver update for their graphics stack, an AppImage they had installed lost its green check because the corresponding .zsync was missing from the new release page.
The failure also acts as a polite nudge toward developers: if your AppImage shows up without a tick, it’s easy to see that you need to generate the checksum file. The feature encourages compliance with modern standards such as delta updates via .zsync, which save bandwidth by only downloading changed parts of an app.
How to Enable It
- Open a terminal and run am -u for any AppImage you want checked; this forces AM to re‑verify the checksum and apply the green tick if it passes.
- After the update finishes, list your apps with am -l; every verified app will display the tick next to its version string.
- If an app shows no tick, check whether a .zsync or .DIGEST file exists at the URL specified in its “version” metadata; if not, either wait for the developer to add it or generate one locally using the latest appimagetool.
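The check in the last step can be reproduced by hand. The script below is an added example, not AM's own code: it compares a local AppImage with a downloaded checksum file and separates "no usable reference" from a real mismatch, the distinction drawn under What Happens When It Fails. It assumes a .zsync file carries the whole-file hash in its "SHA-1:" header line and that any other reference file (such as .DIGEST) begins with a hex SHA-256; verify_appimage and demo are names chosen for this example.

```shell
#!/bin/sh
# Added example, not AM's own code. Prints verified | mismatch | no-reference.
# Assumptions: *.zsync exposes the whole-file hash in its "SHA-1:" header;
# any other reference file starts with a hex SHA-256 (sha256sum style).

verify_appimage() {
    app=$1; ref=$2
    # A missing or empty reference means "unverified", not "tampered".
    if [ ! -s "$ref" ]; then echo "no-reference"; return 2; fi
    case $ref in
        *.zsync)
            # The text header ends at the first blank line; quit there so
            # the binary block checksums that follow are never parsed.
            want=$(sed -n '/^$/q; s/^SHA-1: *//p' "$ref")
            have=$(sha1sum "$app" | cut -d' ' -f1) ;;
        *)
            want=$(awk 'NR==1 {print $1}' "$ref")
            have=$(sha256sum "$app" | cut -d' ' -f1) ;;
    esac
    want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
    # Anything that is not a hex digest of the right length is unusable.
    case $want in
        ''|*[!0-9a-f]*) echo "no-reference"; return 2 ;;
    esac
    [ ${#want} -eq ${#have} ] || { echo "no-reference"; return 2; }
    if [ "$want" = "$have" ]; then echo "verified"; return 0; fi
    echo "mismatch"; return 1
}

# Constructed sample: a stand-in "AppImage" with matching reference files,
# then the same file after one appended byte, then a missing reference.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed sample payload\n' > "$d/app.AppImage"
    sha256sum "$d/app.AppImage" > "$d/app.AppImage.DIGEST"
    printf 'zsync: 0.6.2\nFilename: app.AppImage\nSHA-1: %s\n\n' \
        "$(sha1sum "$d/app.AppImage" | cut -d' ' -f1)" > "$d/app.AppImage.zsync"
    verify_appimage "$d/app.AppImage" "$d/app.AppImage.DIGEST"
    verify_appimage "$d/app.AppImage" "$d/app.AppImage.zsync"
    printf 'x' >> "$d/app.AppImage"
    verify_appimage "$d/app.AppImage" "$d/app.AppImage.zsync" || :
    verify_appimage "$d/app.AppImage" "$d/missing.zsync" || :
    rm -rf "$d"
}

# Usage: script APPIMAGE REFERENCE; with no arguments the demo runs.
if [ $# -eq 2 ]; then verify_appimage "$1" "$2"; else demo; fi
```

A match only shows that the local file equals what the host currently lists; a checksum served from the same location as the binary does not authenticate the publisher.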
Making Your Own AppImages Compliant
If you’re packaging an AppImage and want the green check to appear automatically, build it with the newest appimagetool. That tool will create a .zsync file that points back to the same URL as your version metadata. The repository at https://github.com/ivan-hc/AppImage-tips offers a concise walk‑through on how to generate and host those files correctly.
The Bottom Line
The checksum verification in AM 9.9.5 gives you instant, visual confirmation that the AppImages you run are exactly what the developers intended—unless they forgot to ship the supporting .zsync or .DIGEST file. It’s a small addition that turns an otherwise opaque installation process into something a little more trustworthy.
Release "AM" 9.9.5 · ivan-hc/AM
Checksum on the installed programs With this release, the database has 81 new programs, and the number of unique apps has increased to 2,923 (2,505 AppImage packages and 418 programs in other porta...

