Publish Signing Certificate Hash for Github Release APKs

[hashcatHitman]

As far as I can tell, the SHA-256 hash of the certificate used to sign the APKs found in the GitHub releases is not published anywhere. I suggest publishing it in several places - particularly on the official website. This will allow users who download the APK directly from GitHub (such as through Obtainium) to verify the authenticity of the APK (such as through apksigner or AppVerifier).

Suggested places to post the hash:

• READMEs in the various app repositories.
• Pinned posts on official Fossify social media (if any exists).
• The Fossify website, somewhere easy to find (the "Apps" or "About" page may be good candidates, or perhaps the website footer).

[Aga-C]

See: FossifyOrg/Gallery#322 (comment).

[hashcatHitman]

While I didn't initially see that comment, I do maintain that it is important for this information to be published on several sources. If for example, GitHub were compromised, Fossify APKs could be replaced with malicious versions - including the Thank-You APK, which would mean it is no longer trustworthy as a verification tool.

I understand it might not be your first priority, but it really is important for the sake of security.

[naveensingh]

no longer trustworthy as a verification tool.

That can be said about everything when there's a man in the middle but... READMEs are to be updated with a new format and since this has requested twice already, we'll consider adding the signature. If you need it now, you can already find it in F-Droid's metadata.

[hashcatHitman]

That can be said about everything when there's a man in the middle

Compromise of GitHub servers and/or official Fossify GitHub accounts is more the scope of concern. MITM is a different story, yes.

Thanks for your responses and consideration on this.