Trust: publishers, rotation & revocation
Apptrope runs real code on your machine, so it treats the first run from any new source as a decision you should get to make. This page walks through that decision, the Confirm before running dialog, and then through the Publishers panel, where you manage your own signing identity, the publishers you’ve chosen to trust, key rotation, and revocation. The model is trust on first use (TOFU). You’re prompted once for a source you haven’t seen, and once you pin a publisher’s key, their signed apps launch quietly from then on.
Trust on first use
The first time you run an app from a source Apptrope hasn’t run before, you’ll see the Confirm before running dialog. It’s a checkpoint, not an error. Nothing has run yet.

The consent dialog surfaces exactly who signed the app and confirms its integrity before a single line runs.
What the dialog tells you:
- The warning. “This will download and run code from this source.” This is your reminder that running an app executes its code.
- Integrity. For a shared bundle, Apptrope checks a SHA‑256 hash over the whole file before anything runs. You’ll see a note like “its integrity was verified; review before running.” A tampered or truncated file won’t get this far.
- Signature status. If the bundle was signed with an author key, the dialog shows Signed by the key’s fingerprint and the publisher’s name, for example
Signed by C2F4-5A1E-77B9-0C0D (acme-analytics). The fingerprint is the identity that matters. The name is just a label the publisher chose. - What you’re about to run. The Kind (framework), the Resolved ref (for Git sources), and the Dependency method (
rvfor R apps,uvfor Python apps).
Your two choices
- Trust this publisher pins the signing key shown in the dialog. From then on, any app signed by that key runs without this prompt. This is the durable choice. It follows the publisher, not one particular app or link.
- Remember this source (skip this prompt next time) is narrower. It silences the prompt for this exact source only. Use it for an unsigned source you keep coming back to.
Then Run launches the app, or Cancel backs out. Trusting a publisher and remembering a source are independent. You can do either, both, or neither and still choose to run once.
Pinning a key is a statement about the publisher, so their future apps are covered too. Remembering a source is a statement about one location. Prefer trusting the publisher when you expect to run more from them.
The Publishers panel
Open Publishers from the top bar to manage everything about trust in one place: your own identity, the publishers you trust, key rotation, and revocation.

The Publishers panel is the control center for your identity and everyone you’ve chosen to trust.
Your identity
At the top, Your identity shows your own signing key’s fingerprint, e.g. 7F3A-9C2E-5D81-B46A. This is the fingerprint recipients see when they run a bundle you signed. It’s what they pin when they choose Trust this publisher.
Rotate your signing key
Rotate my signing key issues you a fresh key. Rotation is designed for continuity. Anyone who trusted any of your earlier keys keeps trusting you across the rotation, so you don’t have to ask your recipients to re‑trust you every time. You can rotate more than once and that chain of trust carries forward. Rotate when you want to move to a new key on a normal cadence, and pair rotation with revocation (below) if an old key was lost or compromised.
The trusted list
Below your identity is the list of publishers you’ve pinned. Each row shows a fingerprint and the publisher’s name, with two actions:
| Action | What it does |
|---|---|
| Revoke | Marks that key as revoked and adds it to your local Revoked keys list. Apps signed by it stop running silently and will prompt (or be blocked) again. |
| Remove | Drops the publisher from your trusted list. Their signed apps will simply prompt again on next run, as if you’d never trusted them. |
Use Remove when you just want to stop auto‑trusting someone. Use Revoke when you believe a specific key should no longer be honored.
Understanding revocation
Revocation has two layers, and it helps to keep them straight.
1. Your local revoked list
When you Revoke a key, it lands in the Revoked keys section at the bottom of the panel. This list is yours. It changes how Apptrope treats that key on this machine. Made a mistake, or was the key cleared? Select the entry and choose Un‑revoke to lift it.
Which do I use?
- Remove: “Stop auto‑running this publisher.” Reversible by trusting them again. There’s no claim that the key is bad.
- Revoke (local): “This key is bad, on my machine.” Reversible with Un‑revoke.
- Revocation certificate: “This key is bad, and here’s a signed statement so others can act on it too.” Create yours ahead of time. Import others’ when you receive them.
Quick reference
- You’re prompted the first time you run any new source. Trust the publisher to cover their future apps, or remember the source for that one location.
- The consent dialog verifies integrity (SHA‑256) and shows who signed the app before it runs.
- Rotate your key freely. Trust carries over across rotations.
- Revoke locally for yourself. Use Un‑revoke to undo.
- Create a revocation certificate for your own key now, so you can prove a revocation later. Import ones others send you.