
List Signing Certificate Fingerprint to Let Users Verify the Downloaded APK

Open deivpaukst opened this issue 5 months ago • 0 comments

Is your feature request related to a problem? Please describe.

I'm downloading this app using Obtainium, and so I would like to make sure that the app I install is indeed the correct one. To do so, I use AppVerifier. To be able to check whether the downloaded app is indeed from the developer, I would need the hash of the signing certificate used to sign the app.

Describe the solution you'd like

The signing certificate hash would be listed, preferably on an external site like the app's site, but it could also be listed on GitHub if the external site is not an option.

Describe alternatives you've considered

There aren't really any besides just downloading the app without verifying or not downloading it at all.

Additional context

It's slowly becoming a standard security practice to list the key's hash somewhere in your project, for example: Thunderbird, Molly, AuroraStore, GeoShare.

For an example of an external website entry, see DeltaChat.

deivpaukst, Sep 02 '25 22:09