Verifying the signature of the GUI
Verifying downloads is a good habit. The signature files that accompany our GUI binaries are wrapped in an additional base64 layer. This guide shows how to decode that wrapper and then verify the Minisign file.
Prerequisites
| Tool | Purpose | Install (cmd examples) |
|---|---|---|
| minisign | Signature verification | brew install minisign or apt install minisign |
| base64 | Decode a double-encoded sig | Comes with most Unix systems |
Files involved
UnstoppableSwap_2.0.0-beta.2_amd64.AppImage # the binary you will verify
UnstoppableSwap_2.0.0-beta.2_amd64.AppImage.sig # contains a base64 encoded signatureStep-by-step
-
Decode base64:
base64 -D -i UnstoppableSwap_2.0.0-beta.2_amd64.AppImage.sig \ > UnstoppableSwap_2.0.0-beta.2_amd64.AppImage.minisigThe new file will start with the classic two-line Minisign header:
untrusted comment: signature from tauri secret key RURc8dYGEB0I… trusted comment: timestamp:1749671728 file:UnstoppableSwap_2.0.0-beta.2_amd64.AppImage 4LKsm8VRcErR… -
Grab the public key (two options):
From code:
tauri.conf.json → plugins.updater.pubkey# prints raw 56-byte key jq -r '.plugins.updater.pubkey' src-tauri/tauri.conf.json | base64 -Dor copy the key from below:
RWRc8dYGEB0Ipl37n2fWnO3gtVgUoPkY6XUS0C1ppRsgRUYsmSGtcECA -
Verify the signature:
minisign -Vm UnstoppableSwap_2.0.0-beta.2_amd64.AppImage \ -x UnstoppableSwap_2.0.0-beta.2_amd64.AppImage.minisig \ -P RWRc8dYGEB0Ipl37n2fWnO3gtVgUoPkY6XUS0C1ppRsgRUYsmSGtcECAExpected output:
Signature and comment signature verified Trusted comment: timestamp:1749671728 file:UnstoppableSwap_2.0.0-beta.2_amd64.AppImage
Troubleshooting cheatsheet
| Symptom | Likely cause | Fix |
|---|---|---|
Untrusted signature comment too long | Fed Minisign the outer base64 file | Decode the .sig first (Step 1) |
Signature mismatch | Wrong public key | Re-extract the key from tauri.conf.json and make sure there’s no extra whitespace |