[Feature request]SHA-256 hash signing certificate?

[friendupright]

Checklist (Your issue will be automatically closed if you delete this part)

• [x] I make sure that there are no existing issues - open or closed - which I could contribute my information to.
• [x] I believe this feature request will benefit more than 10% of users, not just myself.

---

** Description Can you provide the SHA-256 hash of the signing certificate, like newpipe does on their page, so me and others can verify the apk?

[InfinityLoop1308]

I think you can just use the PGP signature on F-Droid release page. We provide the same asset with F-Droid.

[friendupright]

Brother that's not the same lol. I need the Signing key (SHA256 fingerprint). For example: https://newpipe.net/#download

If you value the additionally security of the users using YOUR app, provide it pls

[InfinityLoop1308]

I'll consider add it to pipepipe.dev but it will not be a high priority.

[friendupright]

What exactly does the P3 label mean?

[vermeeren]

I think being more kind here would have been proper. Regardless, I am in the some situation and found F-Droid metadata has the signing key committed to the metadata repo. https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/InfinityLoop1309.NewPipeEnhanced.yml#L3149

AllowedAPKSigningKeys: dec73429ce2563275f5ed19825e44652b32b363a46f38bdff9ad6dcde4842d88

I can confirm the signing key matches the APK so it is very nice to get this through Obtainium.

Thanks for the great work on the app!

[astrovolt]

Can we please get the hash listed somewhere in documentation or in the readme?

With the work being done on the pre-release Beta version of the app right now, I cannot verify it using AppVerifier through Obtainium.

I prefer downloading and keeping PipePipe up to date with Obtainium and the hash verification step is a nice peace of mind addition that many open source app developers have started to include.

This is not an uncommon use case.