Installation

APM (AppImage Package Manager) transforms portable AppImages into an efficient, managed application suite. This page describes how APM handles the installation process.

The Ingestion Process

When you install an AppImage, APM performs the following steps:

  1. Extraction: The SquashFS payload of the .AppImage is extracted to a temporary directory.
  2. Indexing: Every file is hashed. Shared libraries (.so files) and large assets are prioritized for the Content-Addressed Store.
  3. Store Population: Files that aren’t already in ~/.local/share/apm/store/ are moved there.
  4. App Directory Creation: A versioned directory is created in ~/.local/share/apm/apps/<name>/<version>/.
  5. Hardlinking: Instead of copying files, APM creates hardlinks from the store into the app directory.
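
The following Python sketch walks through steps 2 to 5 on constructed files; it is an added example, not APM's own code. SHA-256, a flat store keyed by the hex digest, and the read-only mode on store objects are assumptions. verify_store re-hashes every object, which matters because a hardlinked file in an app directory and its store object are the same inode.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()  # whole-file read keeps the sketch short

def ingest(extracted: Path, store: Path, app_dir: Path) -> dict:
    """Steps 2-5: hash every file, populate the store, hardlink into app_dir."""
    stats = {"added": 0, "deduplicated": 0}
    store.mkdir(parents=True, exist_ok=True)
    files = [p for p in extracted.rglob("*") if p.is_file() and not p.is_symlink()]
    for src in sorted(files):  # regular files only in this sketch
        obj = store / sha256_file(src)  # object name = content hash (assumed layout)
        if obj.exists():
            stats["deduplicated"] += 1
        else:
            os.replace(src, obj)  # move; store must be on the same filesystem
            os.chmod(obj, obj.stat().st_mode & 0o555)  # shared inode: make it read-only
            stats["added"] += 1
        dest = app_dir / src.relative_to(extracted)
        dest.parent.mkdir(parents=True, exist_ok=True)
        os.link(obj, dest)
    return stats

def verify_store(store: Path) -> list:
    """Names of store objects whose content no longer hashes to their name."""
    return sorted(p.name for p in store.iterdir() if sha256_file(p) != p.name)

def demo() -> dict:
    """Install two constructed apps sharing one library, then corrupt it via one app dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root, result = Path(tmp), {}
        store, apps = root / "store", root / "apps"
        for name in ("helix", "other"):
            src = root / "extract" / name
            (src / "lib").mkdir(parents=True)
            (src / "lib" / "libshared.so").write_bytes(b"identical library bytes")
            (src / "app.bin").write_bytes(name.encode())
            result[name] = ingest(src, store, apps / name / "1.0.0")
        libs = [apps / n / "1.0.0" / "lib" / "libshared.so" for n in ("helix", "other")]
        result["same_inode"] = libs[0].stat().st_ino == libs[1].stat().st_ino
        result["clean"] = verify_store(store)
        os.chmod(libs[0], 0o644)  # constructed corruption: restore write access first
        libs[0].write_bytes(b"modified")  # truncates in place, so the inode is unchanged
        result["tampered"] = verify_store(store)
        result["other_app_sees"] = libs[1].read_bytes()
        return result
```

The second install adds only its unique file, and the overwrite made through one app directory is visible to the other app and is reported by verify_store.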

Directory layout

APM follows the XDG Base Directory Specification.

Purpose                    Path
Application files          ~/.local/share/apm/apps/<name>/<version>/
Content-addressed store    ~/.local/share/apm/store/
Launcher symlinks          ~/.local/bin/
Desktop entries            ~/.local/share/applications/
Sandbox profiles           ~/.config/apm/profiles/

AppRun and Sandbox

Every installed application is launched via a standard AppRun binary. This binary reads a sandbox.args file (generated by APM during installation) and executes the app inside a Sydbox sandbox.

Sydbox uses Landlock to enforce its restrictions. Unlike traditional sandboxes that require complex namespace setups or mounting, Sydbox works directly with the kernel to restrict what the application can see and do.

The sandbox arguments are derived from:

AppRun

Each installed application uses a prebuilt, statically linked AppRun binary as its entry point. The binary requires no external dependencies at runtime, not even libc, and is the same for every application. It reads sandbox arguments from a sandbox.args file located next to it, then calls execvp to hand off execution to Sydbox.

~/.local/share/apm/apps/helix/25.1.0/
├── AppRun        # prebuilt static binary (shared across all apps)
├── sandbox.args  # generated by the installer from verified metadata
└── bin/hx

sandbox.args format

The sandbox.args file contains the Sydbox flags and the application entry point as newline-separated strings. The installer generates this file during installation.

Example content:

--read
/usr
--write
/home/user/.config/helix
--no-network
./bin/hx

This corresponds to the following Sydbox invocation:

syd --read /usr --write ~/.config/helix --no-network ./bin/hx

To make the application available on $PATH, the installer creates a symlink in ~/.local/bin/ that points to the app’s AppRun file. The symlink name is the command name from the metadata. When a new version is installed, the installer automatically updates the symlink to point to the highest installed semver version:

~/.local/bin/hx → ~/.local/share/apm/apps/helix/25.1.0/AppRun

Delta Updates via Zsync

APM supports zsync for delta updates. If the source server provides a .zsync file alongside the AppImage, APM downloads only the byte ranges that have changed since your last version. The new blocks are then integrated into the content-addressed store (CAS), so that even frequent updates consume minimal bandwidth and disk space.