Trust: publishers, rotation & revocation

Apptrope runs real code on your machine, so it treats the first run from any new source as a decision you should get to make. This page walks through that decision, the Confirm before running dialog, and then through the Publishers panel, where you manage your own signing identity, the publishers you’ve chosen to trust, key rotation, and revocation. The model is trust on first use (TOFU). You’re prompted once for a source you haven’t seen, and once you pin a publisher’s key, their signed apps launch quietly from then on.

Trust on first use

The first time you run an app from a source Apptrope hasn’t run before, you’ll see the Confirm before running dialog. It’s a checkpoint, not an error. Nothing has run yet.

The Confirm before running dialog: a red “This will download and run code from this source” warning, an integrity note, a “Signed by (name)” line with a Trust this publisher button, the app’s Kind, Resolved ref and Dependency method, a Remember this source checkbox, and Cancel / Run buttons.

The consent dialog surfaces exactly who signed the app and confirms its integrity before a single line runs.

What the dialog tells you:

  • The warning. “This will download and run code from this source.” This is your reminder that running an app executes its code.
  • Integrity. For a shared bundle, Apptrope checks a SHA‑256 hash over the whole file before anything runs. You’ll see a note like “its integrity was verified; review before running.” A tampered or truncated file won’t get this far.
  • Signature status. If the bundle was signed with an author key, the dialog shows Signed by the key’s fingerprint and the publisher’s name, for example Signed by C2F4-5A1E-77B9-0C0D (acme-analytics). The fingerprint is the identity that matters. The name is just a label the publisher chose.
  • What you’re about to run. The Kind (framework), the Resolved ref (for Git sources), and the Dependency method (rv for R apps, uv for Python apps).

Your two choices

  • Trust this publisher pins the signing key shown in the dialog. From then on, any app signed by that key runs without this prompt. This is the durable choice. It follows the publisher, not one particular app or link.
  • Remember this source (skip this prompt next time) is narrower. It silences the prompt for this exact source only. Use it for an unsigned source you keep coming back to.

Then Run launches the app, or Cancel backs out. Trusting a publisher and remembering a source are independent. You can do either, both, or neither and still choose to run once.

Pinning a key is a statement about the publisher, so their future apps are covered too. Remembering a source is a statement about one location. Prefer trusting the publisher when you expect to run more from them.

The Publishers panel

Open Publishers from the top bar to manage everything about trust in one place: your own identity, the publishers you trust, key rotation, and revocation.

The Trusted publishers panel: Your identity fingerprint with a Rotate my signing key button; a Create revocation certificate section with Revoke my current key; a list of trusted publishers each with Revoke and Remove; an Import revocation certificate box; and a Revoked keys list with Un-revoke.

The Publishers panel is the control center for your identity and everyone you’ve chosen to trust.

Your identity

At the top, Your identity shows your own signing key’s fingerprint, e.g. 7F3A-9C2E-5D81-B46A. This is the fingerprint recipients see when they run a bundle you signed. It’s what they pin when they choose Trust this publisher.

Rotate your signing key

Rotate my signing key issues you a fresh key. Rotation is designed for continuity. Anyone who trusted any of your earlier keys keeps trusting you across the rotation, so you don’t have to ask your recipients to re‑trust you every time. You can rotate more than once and that chain of trust carries forward. Rotate when you want to move to a new key on a normal cadence, and pair rotation with revocation (below) if an old key was lost or compromised.

The trusted list

Below your identity is the list of publishers you’ve pinned. Each row shows a fingerprint and the publisher’s name, with two actions:

Action What it does
Revoke Marks that key as revoked and adds it to your local Revoked keys list. Apps signed by it stop running silently and will prompt (or be blocked) again.
Remove Drops the publisher from your trusted list. Their signed apps will simply prompt again on next run, as if you’d never trusted them.

Use Remove when you just want to stop auto‑trusting someone. Use Revoke when you believe a specific key should no longer be honored.

Understanding revocation

Revocation has two layers, and it helps to keep them straight.

1. Your local revoked list

When you Revoke a key, it lands in the Revoked keys section at the bottom of the panel. This list is yours. It changes how Apptrope treats that key on this machine. Made a mistake, or was the key cleared? Select the entry and choose Un‑revoke to lift it.

2. Shareable revocation certificates

A revocation certificate is a signed statement that a key is revoked, something you can hand to other people so they can honor the revocation too.

  • Create one for your own key. In Create revocation certificate, Revoke my current key generates a certificate that lets anyone who trusts your current key revoke it later. As the panel notes, keep it somewhere safe in case that key is ever lost or compromised. It’s your “break glass” option, prepared before you need it.
  • Import one someone shared. Under Import revocation certificate, paste a certificate a publisher sent you into the box and choose Import to revoke their key on your machine. This is how a publisher whose key was compromised can get their revocation to reach you even if you’re not otherwise in touch.

Which do I use?

  • Remove: “Stop auto‑running this publisher.” Reversible by trusting them again. There’s no claim that the key is bad.
  • Revoke (local): “This key is bad, on my machine.” Reversible with Un‑revoke.
  • Revocation certificate: “This key is bad, and here’s a signed statement so others can act on it too.” Create yours ahead of time. Import others’ when you receive them.

Quick reference

  • You’re prompted the first time you run any new source. Trust the publisher to cover their future apps, or remember the source for that one location.
  • The consent dialog verifies integrity (SHA‑256) and shows who signed the app before it runs.
  • Rotate your key freely. Trust carries over across rotations.
  • Revoke locally for yourself. Use Un‑revoke to undo.
  • Create a revocation certificate for your own key now, so you can prove a revocation later. Import ones others send you.