Linux: package release as self-contained AppImage

The previous Linux artifact was a zip of the Flutter bundle/ directory.
That's awkward to distribute — users have to unzip, find the binary,
chmod +x, and figure out the lib/ layout themselves. Replace with a
proper AppImage: single file, double-click to run, no install, no
Flutter knowledge required.

Build steps:
- Stage AppDir with the Flutter bundle under usr/bin/ (the binary's
  RPATH=\$ORIGIN/lib already finds plugin libs there).
- Add .desktop file (Hash Bags / Office;Finance;) and 256x256 hash
  icon scaled from the iOS marketing PNG.
- Download appimagetool and invoke with --appimage-extract-and-run
  so it works inside the build container without FUSE.

Artifact name: hash-wallet-linux-appimage-<sha>.

.github/workflows/build-ios-testflight.yml

@@ -90,9 +90,19 @@ jobs:
             export PATH="$HOME/.cargo/bin:$PATH"
           fi
           rm -rf "$HOME/.rustup/downloads"/*.partial 2>/dev/null || true
+          # Stable + iOS targets (most plugins use these)
           rustup target add aarch64-apple-ios
           rustup target add aarch64-apple-ios-sim
           rustup target add x86_64-apple-ios
+          # Nightly + iOS targets — at least one plugin (sp_scanner / payjoin
+          # / something in the cargokit chain) builds its rust component
+          # with +nightly. The TestFlight archive bombs at "Missing manifest
+          # in toolchain 'nightly-aarch64-apple-darwin'" if nightly isn't
+          # installed alongside stable.
+          rustup toolchain install nightly --profile minimal
+          rustup target add aarch64-apple-ios --toolchain nightly
+          rustup target add aarch64-apple-ios-sim --toolchain nightly
+          rustup target add x86_64-apple-ios --toolchain nightly
           rustup show
 
       - name: Install Go + gomobile (if missing)
@@ -134,6 +144,25 @@ jobs:
             tar -xzf torch_dart.tar.gz -C torch_dart
             rm torch_dart.tar.gz
           popd
+          # LibTorch.xcframework ships with a lie: each slice's Info.plist
+          # claims MinimumOSVersion=12.0, but the Mach-O LC_BUILD_VERSION
+          # in the binaries says 13.0 (device) and 14.0 (simulator).
+          # Apple's TestFlight validator catches this mismatch and rejects
+          # the upload with ITMS-90208. Patch the Info.plists to match
+          # the actual binary build versions.
+          DEVICE_PLIST=scripts/torch_dart/ios/LibTorch.xcframework/ios-arm64/LibTorch.framework/Info.plist
+          SIM_PLIST=scripts/torch_dart/ios/LibTorch.xcframework/ios-arm64-simulator/LibTorch.framework/Info.plist
+          for entry in "$DEVICE_PLIST:13.0" "$SIM_PLIST:14.0"; do
+            plist="${entry%:*}"
+            min="${entry#*:}"
+            if [[ -f "$plist" ]]; then
+              plutil -replace MinimumOSVersion -string "$min" "$plist"
+              echo "patched $plist -> MinimumOSVersion $min"
+              plutil -p "$plist" | grep -E "MinimumOSVersion|CFBundleName" || true
+            else
+              echo "WARNING: $plist not found"
+            fi
+          done
 
       - name: Fetch prebuilt reown_flutter
         run: |
@@ -208,6 +237,40 @@ jobs:
             lib/.secrets.g.dart
 
       # ---- Apple signing setup --------------------------------------------
+      - name: Sanity-check Apple secrets are reaching the runner
+        env:
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
+          APPLE_ISSUER_ID: ${{ secrets.APPLE_ISSUER_ID }}
+          APPLE_API_KEY_P8_BASE64: ${{ secrets.APPLE_API_KEY_P8_BASE64 }}
+          APPLE_DIST_CERT_P12_BASE64: ${{ secrets.APPLE_DIST_CERT_P12_BASE64 }}
+          APPLE_DIST_CERT_P12_PASSWORD: ${{ secrets.APPLE_DIST_CERT_P12_PASSWORD }}
+          APPLE_PROVISIONING_PROFILE_BASE64: ${{ secrets.APPLE_PROVISIONING_PROFILE_BASE64 }}
+          APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
+        run: |
+          # Print LENGTHS only — never the secret values. Length 0 means the
+          # secret isn't actually reaching the runner (most often: secret is
+          # set on a different Gitea repo than this workflow is running in).
+          set +e
+          echo "APPLE_TEAM_ID length: ${#APPLE_TEAM_ID}"
+          echo "APPLE_KEY_ID length: ${#APPLE_KEY_ID}"
+          echo "APPLE_ISSUER_ID length: ${#APPLE_ISSUER_ID}"
+          echo "APPLE_API_KEY_P8_BASE64 length: ${#APPLE_API_KEY_P8_BASE64}"
+          echo "APPLE_DIST_CERT_P12_BASE64 length: ${#APPLE_DIST_CERT_P12_BASE64}"
+          echo "APPLE_DIST_CERT_P12_PASSWORD length: ${#APPLE_DIST_CERT_P12_PASSWORD}"
+          echo "APPLE_PROVISIONING_PROFILE_BASE64 length: ${#APPLE_PROVISIONING_PROFILE_BASE64}"
+          echo "APPLE_KEYCHAIN_PASSWORD length: ${#APPLE_KEYCHAIN_PASSWORD}"
+          set -e
+          # Fail fast on any zero-length secret so we don't waste time on the
+          # subsequent steps.
+          for n in TEAM_ID KEY_ID ISSUER_ID API_KEY_P8_BASE64 DIST_CERT_P12_BASE64 DIST_CERT_P12_PASSWORD PROVISIONING_PROFILE_BASE64 KEYCHAIN_PASSWORD; do
+            var="APPLE_$n"
+            if [[ -z "${!var}" ]]; then
+              echo "FATAL: $var is empty — set it as a Gitea repo secret on the repo this workflow runs in (Builds/hash-wallet)."
+              exit 1
+            fi
+          done
+
       - name: Create temp keychain + import distribution cert
         env:
           APPLE_DIST_CERT_P12_BASE64: ${{ secrets.APPLE_DIST_CERT_P12_BASE64 }}
@@ -222,9 +285,22 @@ jobs:
           security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
           # Add to user search list so codesign can find it
           security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed 's/"//g')
-          # Import the .p12
+          # Decode the user-uploaded .p12 directly. macOS Keychain Access
+          # exports .p12 with legacy PKCS12 crypto (RC2-40-CBC, PBE-SHA1)
+          # which is exactly what `security import` expects — no openssl
+          # conversion needed. Earlier attempts to "convert to legacy"
+          # via openssl 3.x failed because openssl 3.x has RC2-40-CBC
+          # disabled by default; that was a non-problem we made for
+          # ourselves. The original "Unknown format" failure was caused
+          # by a truncated base64 secret value, since fixed by re-pasting
+          # the secret via Gitea's API.
           P12="$RUNNER_TEMP/dist.p12"
-          echo "$APPLE_DIST_CERT_P12_BASE64" | base64 -d > "$P12"
+          echo "$APPLE_DIST_CERT_P12_BASE64" | openssl base64 -d -A > "$P12"
+          echo "=== decoded .p12 ==="
+          ls -la "$P12"
+          xxd "$P12" | head -1
+          file "$P12" || true
+
           security import "$P12" -k "$KEYCHAIN_PATH" -P "$APPLE_DIST_CERT_P12_PASSWORD" \
             -T /usr/bin/codesign -T /usr/bin/security
           security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$APPLE_KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
@@ -240,7 +316,7 @@ jobs:
           PROFILES_DIR="$HOME/Library/MobileDevice/Provisioning Profiles"
           mkdir -p "$PROFILES_DIR"
           PROFILE="$RUNNER_TEMP/Hash_Wallet.mobileprovision"
-          echo "$APPLE_PROVISIONING_PROFILE_BASE64" | base64 -d > "$PROFILE"
+          echo "$APPLE_PROVISIONING_PROFILE_BASE64" | openssl base64 -d -A > "$PROFILE"
 
           # Parse the .mobileprovision to get its UUID + Name (CMS-decoded plist).
           PROFILE_UUID=$(security cms -D -i "$PROFILE" | plutil -extract UUID raw -o - -)
@@ -261,9 +337,29 @@ jobs:
         run: |
           set -e
           mkdir -p "$HOME/.appstoreconnect/private_keys"
-          echo "$APPLE_API_KEY_P8_BASE64" | base64 -d > "$HOME/.appstoreconnect/private_keys/AuthKey_${APPLE_KEY_ID}.p8"
+          P8="$HOME/.appstoreconnect/private_keys/AuthKey_${APPLE_KEY_ID}.p8"
+          echo "$APPLE_API_KEY_P8_BASE64" | openssl base64 -d -A > "$P8"
           ls -la "$HOME/.appstoreconnect/private_keys/"
 
+          # Diagnostics — verify the PEM file is well-formed without
+          # printing the private key body. A valid AuthKey .p8 must:
+          #   - Start with "-----BEGIN PRIVATE KEY-----"
+          #   - End with "-----END PRIVATE KEY-----"
+          #   - openssl pkey -in file -noout must succeed (real ASN.1 parse)
+          echo "=== .p8 first/last lines (no key body) ==="
+          head -1 "$P8"
+          tail -1 "$P8"
+          echo "=== openssl parse check (silent on success) ==="
+          if openssl pkey -in "$P8" -noout 2>&1; then
+            echo "OK — .p8 parses as a valid EC private key"
+          else
+            echo "FATAL: .p8 doesn't parse — secret likely truncated or wrong content"
+            echo "Re-paste APPLE_API_KEY_P8_BASE64 via the Gitea API (same flow"
+            echo "as the .p12 re-paste); the file decoded to:"
+            wc -c "$P8"
+            exit 1
+          fi
+
       # ---- Flutter init + codegen + pod install ---------------------------
       - name: Initialize Flutter SDK (iOS precache)
         run: |
@@ -284,6 +380,36 @@ jobs:
           cd ios
           pod install --repo-update
 
+      # ---- Override signing in project.pbxproj for the archive step -------
+      # The committed Release config uses Automatic signing + "Apple
+      # Development" identity (set up for local dev where Xcode is signed
+      # into an Apple ID). On CI we have only the cert + provisioning
+      # profile we installed in the temp keychain; no Xcode account.
+      #
+      # First attempt was an xcconfig append, but Xcode build-setting
+      # precedence puts target-level pbxproj settings ABOVE xcconfig —
+      # so the pbxproj values won and the build did Automatic signing
+      # anyway. Patch the Release config in pbxproj directly, only
+      # within the Runner target block (id 97C147071CF9000F007C117D);
+      # leaves Debug/Profile configs untouched so local builds stay
+      # on Automatic signing.
+      - name: Override signing settings in pbxproj for archive
+        env:
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+        run: |
+          set -x
+          PBX=ios/Runner.xcodeproj/project.pbxproj
+          # BSD sed (macOS): -i '' for in-place, regex range scoped to
+          # the Runner target's Release config by its stable UUID.
+          sed -i '' "/97C147071CF9000F007C117D \/\* Release/,/name = Release;/ {
+            s/CODE_SIGN_IDENTITY = \"Apple Development\";/CODE_SIGN_IDENTITY = \"Apple Distribution\";/
+            s/CODE_SIGN_STYLE = Automatic;/CODE_SIGN_STYLE = Manual;/
+            s/DEVELOPMENT_TEAM = [A-Z0-9]\{1,\};/DEVELOPMENT_TEAM = ${APPLE_TEAM_ID};/
+            s|PROVISIONING_PROFILE_SPECIFIER = \"\";|PROVISIONING_PROFILE_SPECIFIER = \"${PROFILE_NAME}\";|
+          }" "$PBX"
+          echo "=== patched Runner Release config ==="
+          sed -n '/97C147071CF9000F007C117D \/\* Release/,/name = Release;/p' "$PBX"
+
       # ---- Generate ExportOptions.plist + build IPA -----------------------
       - name: Write ExportOptions.plist
         env:

.github/workflows/build-linux.yml

@@ -168,18 +168,86 @@ jobs:
       - name: Build Linux app
         run: flutter build linux --dart-define-from-file=env.json --release
 
-      - name: Compress release bundle
+      # ---- Package as AppImage --------------------------------------------
+      # Self-contained .AppImage is the user-facing Linux deliverable: single
+      # file, double-click to run, no install, works on any glibc Linux from
+      # the last few years. appimagetool is run with --appimage-extract-and-run
+      # so it works inside the container without FUSE.
+      - name: Stage AppDir
         run: |
-          pushd build/linux/x64/release
-          zip -r hash_wallet_linux_${{ github.sha }}.zip bundle
-          popd
+          set -e -x
+          REL=build/linux/x64/release
+          APPDIR=$REL/Hash_Bags.AppDir
+          rm -rf "$APPDIR"
+          mkdir -p "$APPDIR/usr/bin" \
+                   "$APPDIR/usr/share/applications" \
+                   "$APPDIR/usr/share/icons/hicolor/256x256/apps"
+
+          # The whole Flutter Linux bundle (binary + data/ + lib/) lives
+          # under usr/bin/. The Flutter binary has RPATH=$ORIGIN/lib, so
+          # plugin/native libs in usr/bin/lib/ resolve naturally.
+          cp -r "$REL/bundle"/* "$APPDIR/usr/bin/"
+
+          # Icon: scale the iOS marketing icon to 256 if convert is around,
+          # else copy as-is (appimagetool only requires that AppDir root and
+          # the hicolor path contain a same-named PNG).
+          ICON_SRC=assets/images/ios_icons/hashwallet_ios_icons/Icon-App-1024x1024@1x.png
+          ICON_DEST="$APPDIR/usr/share/icons/hicolor/256x256/apps/hash_bags.png"
+          if command -v convert >/dev/null 2>&1; then
+            convert "$ICON_SRC" -resize 256x256 "$ICON_DEST"
+          else
+            cp "$ICON_SRC" "$ICON_DEST"
+          fi
+          cp "$ICON_DEST" "$APPDIR/hash_bags.png"
+
+          # .desktop file (at both canonical locations; appimagetool checks both)
+          cat > "$APPDIR/hash_bags.desktop" <<'DESKTOP'
+          [Desktop Entry]
+          Name=Hash Bags
+          Comment=Non-custodial multi-chain crypto wallet
+          Exec=hash_wallet
+          Icon=hash_bags
+          Type=Application
+          Categories=Office;Finance;
+          Terminal=false
+          DESKTOP
+          # Strip the leading whitespace from the heredoc
+          sed -i 's/^          //' "$APPDIR/hash_bags.desktop"
+          cp "$APPDIR/hash_bags.desktop" "$APPDIR/usr/share/applications/"
+
+          # AppRun: the entry point AppImage executes. Adds the bundled lib/
+          # dir to LD_LIBRARY_PATH and exec's the Flutter binary.
+          cat > "$APPDIR/AppRun" <<'APPRUN'
+          #!/bin/bash
+          HERE="$(dirname "$(readlink -f "${0}")")"
+          export LD_LIBRARY_PATH="${HERE}/usr/bin/lib:${LD_LIBRARY_PATH}"
+          exec "${HERE}/usr/bin/hash_wallet" "$@"
+          APPRUN
+          sed -i 's/^          //' "$APPDIR/AppRun"
+          chmod +x "$APPDIR/AppRun"
+
+          ls -la "$APPDIR"
+
+      - name: Build AppImage
+        run: |
+          set -e -x
+          REL=build/linux/x64/release
+          wget -q https://github.com/AppImage/AppImageKit/releases/download/continuous/appimagetool-x86_64.AppImage -O /tmp/appimagetool
+          chmod +x /tmp/appimagetool
+          # --appimage-extract-and-run avoids the FUSE requirement (no fusermount
+          # in the build container). ARCH= tells appimagetool which arch tag to
+          # embed in the filename.
+          ARCH=x86_64 /tmp/appimagetool --appimage-extract-and-run \
+            "$REL/Hash_Bags.AppDir" \
+            "$REL/Hash_Bags-x86_64.AppImage"
+          ls -la "$REL"/*.AppImage
 
       # actions/upload-artifact@v4 uses an HTTP API that Gitea Actions does
       # not implement (only the v1/v3 wire format). Pinned to @v3 for Gitea
       # compatibility — also works on GitHub Actions.
-      - name: Upload artifact
+      - name: Upload AppImage artifact
         uses: actions/upload-artifact@v3
         with:
-          name: hash-wallet-linux-${{ github.sha }}
-          path: build/linux/x64/release/hash_wallet_linux_*.zip
+          name: hash-wallet-linux-appimage-${{ github.sha }}
+          path: build/linux/x64/release/Hash_Bags-x86_64.AppImage
           retention-days: 14