Runtime download step does not truly validate downloaded file - 404 "Not Found" deemed success #57

@spiderkeys

Using release:

/opt/mr/linuxdeploy/appimagetool-x86_64.AppImage --verbose ./squashfs-root/
appimagetool, continuous build (git version b9b26c3), build 146 built on 2024-05-19 18:33:03 UTC

I run into a situation where the download of the type2-runtime results in a 404, but AppImageTool doesn't seem to mind. What ends up happening is that instead of the runtime getting inserted at the beginning of the AppImage, the text "Not Found" is inserted (and thus the AppImage isn't a valid ELF file):

Embedding ELF...
Marking the AppImage as executable...
Embedding MD5 digest
Platforms other than 32-bit/64-bit are currently not supported!Could not find section .digest_md5 in runtime

This is the verbose output of the download step:

Generating squashfs...
Downloading runtime file from https://github.com/AppImage/type2-runtime/releases/download/continuous/runtime-x86_64
libcurl's default CA certificate bundle file /etc/ssl/certs/ca-certificates.crt was found on this system
libcurl's default CA certificate bundle directory /etc/ssl/certs was found on this system
* Host github.com:443 was resolved.
* IPv6: (none)
* IPv4: 140.82.116.4
*   Trying 140.82.116.4:443...
* Connected to github.com (140.82.116.4) port 443
* ALPN: curl offers h2,http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=github.com
*  start date: Mar  7 00:00:00 2024 GMT
*  expire date: Mar  7 23:59:59 2025 GMT
*  subjectAltName: host "github.com" matched cert's "github.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo ECC Domain Validation Secure Server CA
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256
*   Certificate level 1: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://github.com/AppImage/type2-runtime/releases/download/continuous/runtime-x86_64
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: github.com]
* [HTTP/2] [1] [:path: /AppImage/type2-runtime/releases/download/continuous/runtime-x86_64]
* [HTTP/2] [1] [accept: */*]
> GET /AppImage/type2-runtime/releases/download/continuous/runtime-x86_64 HTTP/2
Host: github.com
Accept: */*

* old SSL session ID is stale, removing
< HTTP/2 404 
< server: GitHub.com
< date: Thu, 01 Aug 2024 04:18:46 GMT
< content-type: text/plain; charset=utf-8
< vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
< cache-control: no-cache
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
< x-content-type-options: nosniff
< x-xss-protection: 0
< referrer-policy: no-referrer-when-downgrade
< content-security-policy: default-src 'none'; base-uri 'self'; connect-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self'; style-src 'unsafe-inline'
< content-length: 9
< x-github-request-id: B512:380098:27C4A27:2865ADD:66AB0CA6
< 
* Connection #0 to host github.com left intact
Downloaded runtime binary of size 9
Size of the embedded runtime: 9 bytes
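
A pre-embed check for the failure shown in this report, added here as an example (it is not appimagetool's code): refuse the download unless the HTTP status is 200 and the body begins with a complete ELF header. The function `check_runtime`, its result codes and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes are hypothetical names for this example. */
enum runtime_check { RUNTIME_OK, RUNTIME_BAD_STATUS, RUNTIME_TOO_SMALL,
                     RUNTIME_NOT_ELF, RUNTIME_BAD_CLASS };

/* Constructed sample: a 64-byte ELF64 header with a valid e_ident, rest zero. */
static const unsigned char SAMPLE_ELF64[64] = { 0x7f, 'E', 'L', 'F', 2, 1, 1 };

/* http_status is the final response code of the transfer, e.g. obtained with
 * curl_easy_getinfo(handle, CURLINFO_RESPONSE_CODE, &status) after redirects. */
enum runtime_check check_runtime(long http_status,
                                 const unsigned char *buf, size_t len)
{
    static const unsigned char magic[4] = { 0x7f, 'E', 'L', 'F' };

    if (http_status != 200)
        return RUNTIME_BAD_STATUS;          /* 404 body must never be embedded */
    if (buf == NULL || len < 16)            /* e_ident is EI_NIDENT = 16 bytes */
        return RUNTIME_TOO_SMALL;
    if (memcmp(buf, magic, sizeof magic) != 0)
        return RUNTIME_NOT_ELF;             /* e.g. an error page served as 200 */
    if (buf[4] != 1 && buf[4] != 2)         /* EI_CLASS: ELFCLASS32 / ELFCLASS64 */
        return RUNTIME_BAD_CLASS;
    /* A full ELF header is 52 bytes (32-bit) or 64 bytes (64-bit). */
    if (len < (buf[4] == 1 ? 52u : 64u))
        return RUNTIME_TOO_SMALL;
    return RUNTIME_OK;
}

int main(void)
{
    /* Constructed input matching the log above: status 404, 9-byte body. */
    const char *body = "Not Found";
    enum runtime_check r =
        check_runtime(404, (const unsigned char *)body, strlen(body));
    printf("404 response:   %s\n", r == RUNTIME_OK ? "accepted" : "rejected");

    /* Same body behind a 200 (e.g. a proxy error page) is still rejected. */
    r = check_runtime(200, (const unsigned char *)body, strlen(body));
    printf("200, bad body:  %s\n", r == RUNTIME_OK ? "accepted" : "rejected");

    r = check_runtime(200, SAMPLE_ELF64, sizeof SAMPLE_ELF64);
    printf("200, ELF64 hdr: %s\n", r == RUNTIME_OK ? "accepted" : "rejected");
    return 0;
}
```

Checking the magic bytes in addition to the status code also catches truncated transfers and error pages served with a 200, neither of which a status check alone would detect.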

Labels: bug (Something isn't working)
