Package Metadata
In APM, applications are described by external metadata rather than files inside the package. This allows you to publish existing AppImages without modification.
This metadata is typically hosted in a packages.json file on your repository or sent as a payload to the APM Network.
Schema
```json
{
  "name": "passless",
  "version": "1.1.1",
  "domain": "spindel.cc",
  "description": "A passwordless manager",
  "download_url": "https://spindel.cc/dist/passless-1.1.1.AppImage",
  "zsync_url": "https://spindel.cc/dist/passless-1.1.1.AppImage.zsync",
  "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
  "signature": "<ed25519-signature>",
  "sandbox": {
    "network": true,
    "gpu": false,
    "filesystems": ["~/.passless:rw"]
  }
}
```
Fields
| Field | Description |
|---|---|
| name | Unique package name (lowercase, no spaces) |
| version | Semantic version (e.g. 1.0.0) |
| domain | The verified domain publishing the package |
| download_url | Direct URL to the AppImage |
| sha256 | SHA-256 hash of the AppImage file |
| signature | Ed25519 signature of the metadata (verifies authenticity) |
Sandbox Permissions
The sandbox object tells APM how to configure Sydbox. Since this metadata is signed by your key, APM trusts these permissions.
| Permission | Description |
|---|---|
| network | Allow internet access |
| gpu | Allow hardware acceleration |
| audio | Allow sound output/input |
| filesystems | List of paths to mount (e.g. ~/.config/myapp:rw) |
| devices | Access to devices like webcams or controllers |
Verification
When a user installs your app, APM:
- Fetches this metadata.
- Verifies the `signature` against your domain’s DNS record.
- Downloads the AppImage.
- Verifies the AppImage’s hash against `sha256`.
- Applies the `sandbox` permissions.
This ensures that the code running on the user’s machine is exactly what you intended, with exactly the permissions you granted.
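The order of these checks matters: `sha256` and `sandbox` are only trustworthy once the signature over them has been verified. The following Go sketch is an added example, not APM's own code. It assumes the signature is hex-encoded and covers the metadata with the `signature` field removed and keys sorted, and it takes the public key as a parameter instead of resolving it from DNS; `split`, `verifyPackage` and `demo` are hypothetical names.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// split returns metadata, signature, and the assumed signed bytes (no "signature", sorted keys).
func split(meta []byte) (m map[string]interface{}, sig string, msg []byte, err error) {
	if err = json.Unmarshal(meta, &m); err == nil {
		sig, _ = m["signature"].(string)
		delete(m, "signature")
		msg, err = json.Marshal(m) // json.Marshal sorts map keys
	}
	return
}

// verifyPackage checks the signature before it trusts sha256 or sandbox.
func verifyPackage(meta, appImage []byte, pub ed25519.PublicKey) error {
	m, sigHex, msg, err := split(meta)
	sig, decErr := hex.DecodeString(sigHex) // hex encoding is an assumption
	if err != nil || decErr != nil || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, msg, sig) {
		return errors.New("metadata signature invalid")
	}
	sum := sha256.Sum256(appImage)
	if want, _ := m["sha256"].(string); hex.EncodeToString(sum[:]) != want {
		return errors.New("AppImage hash mismatch")
	}
	return nil
}

// demo runs three constructed cases: intact, sandbox widened after signing, file swapped.
func demo() (ok, widened, swapped error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway key; APM would take pub from DNS
	app := []byte("constructed AppImage bytes")
	sum := sha256.Sum256(app)
	m, _, msg, _ := split([]byte(`{"name":"passless","sha256":"` + hex.EncodeToString(sum[:]) +
		`","sandbox":{"network":false,"filesystems":["~/.passless:rw"]}}`))
	m["signature"] = hex.EncodeToString(ed25519.Sign(priv, msg))
	signed, _ := json.Marshal(m)
	evil := bytes.Replace(signed, []byte(`"network":false`), []byte(`"network":true`), 1)
	return verifyPackage(signed, app, pub), verifyPackage(evil, app, pub), verifyPackage(signed, []byte("x"), pub)
}

func main() { fmt.Println(demo()) }
```

Flipping `network` to `true` after signing fails the signature check, and serving different bytes at `download_url` fails the hash check even though the metadata itself is intact.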