Closed ghost closed 1 month ago
This is a good addition, but there should be a command that clearly indicates if there is an error; here there is simply nothing to display, which is confusing for the user.
Well, what are you thinking about exactly?
Should I make an if condition that prints a warning if the app is not legit? Something like:
# Print the signing certificate of the APK and keep only its SHA256 fingerprint line
signature_hash=$(keytool -printcert -jarfile KeePassDX-*-libre.apk | grep 'SHA256:')
# Substring match against the known-good fingerprint (the "SHA256:" label in front is ignored)
if [[ "$signature_hash" == *"7D:55:B8:AF:21:03:81:AA:BF:96:0F:07:E1:7C:F7:85:7B:6D:2A:64:2C:A2:DA:6B:F0:BD:F1:B2:00:36:2F:04"* ]] ; then
    echo "The app is legit"
else
    echo "The app is not legit"
fi
Or we can make it interactive by prompting the user to copy the valid hash from GitHub and paste it in the Terminal, so the hash will always be isolated and very noticeable in public. Like:
# Print the signing certificate of the APK and keep only its SHA256 fingerprint line
signature_hash=$(keytool -printcert -jarfile KeePassDX-*-libre.apk | grep 'SHA256:')
echo "Please enter the valid signature hash from GitHub."
# -r keeps backslashes literal; the pasted value is compared as-is
read -r valid_signature_hash
# Quoting the variable makes it a literal substring, not a glob pattern
if [[ "$signature_hash" == *"$valid_signature_hash"* ]] ; then
    echo "The app is legit"
else
    echo "The app is not legit"
fi
My old method is just like yours, but I am relying on the signature hash for the reasons I gave you. Which I believe is good because it relies on the user to compare, and I made it in such a way that it does not even print the hash if it is wrong.
Looking forward to getting some suggestions.
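As an added example (not code from this PR or the KeePassDX project): a check that parses `keytool -printcert -jarfile` output, normalises the fingerprint before comparing, and reports three distinct outcomes, so the "nothing displayed" case (no certificate or an ambiguous one) is an explicit error rather than silence. The expected fingerprint is the one quoted in this thread; the sample keytool output embedded below is constructed for the demo.

```shell
#!/usr/bin/env bash
# Expected signing-certificate SHA256 fingerprint (value quoted in this thread).
EXPECTED_SHA256="7D:55:B8:AF:21:03:81:AA:BF:96:0F:07:E1:7C:F7:85:7B:6D:2A:64:2C:A2:DA:6B:F0:BD:F1:B2:00:36:2F:04"

# Strip colons/whitespace and uppercase, so a pasted "7d55b8..." still compares equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t' | tr '[:lower:]' '[:upper:]'
}

# $1 = keytool -printcert output, $2 = expected fingerprint.
# Returns 0 on match, 1 on mismatch, 2 if there is not exactly one SHA256 line
# (unsigned APK, keytool error text, or several signers).
check_cert_output() {
    local output="$1" expected lines count
    expected=$(normalize_fp "$2")
    # Only lines that start with the SHA256: label (ignores "SHA256withRSA" etc.)
    lines=$(printf '%s\n' "$output" | grep -E '^[[:space:]]*SHA256:' \
            | sed -E 's/^[[:space:]]*SHA256:[[:space:]]*//') || true
    count=$(printf '%s\n' "$lines" | grep -c .) || true
    if [ "$count" -ne 1 ]; then
        echo "ERROR: expected exactly one SHA256 fingerprint, found $count" >&2
        return 2
    fi
    if [ "$(normalize_fp "$lines")" = "$expected" ]; then
        echo "OK: signing certificate fingerprint matches"
        return 0
    fi
    echo "ERROR: fingerprint mismatch" >&2
    echo "  got:      $lines" >&2
    echo "  expected: $2" >&2
    return 1
}

# Run keytool on one APK (path in $1; keytool must be on PATH) and check it.
verify_apk() {
    local out
    out=$(keytool -printcert -jarfile "$1" 2>&1) \
        || { echo "ERROR: keytool failed for $1" >&2; return 2; }
    check_cert_output "$out" "$EXPECTED_SHA256"
}

# Constructed sample of keytool -printcert output (not a real certificate dump).
SAMPLE_OUTPUT='Owner: CN=example, O=example
Certificate fingerprints:
	 SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
	 SHA256: 7D:55:B8:AF:21:03:81:AA:BF:96:0F:07:E1:7C:F7:85:7B:6D:2A:64:2C:A2:DA:6B:F0:BD:F1:B2:00:36:2F:04
Signature algorithm name: SHA256withRSA'

# Demo run on the constructed sample; use verify_apk <file.apk> for a real APK.
check_cert_output "$SAMPLE_OUTPUT" "$EXPECTED_SHA256"
```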
Should I make an if condition that prints a warning if the app is not legit?
It's clearer but takes several lines. I approve of the PR, we can improve it later.
Merged in develop
No problem.
Verifying the signing certificate hash is way better than verifying the hash of the APK files, because it does not change at all, and it will be much more noticeable if it were changed in the README.md file than just in the GitHub release notes.
And you will not have to calculate the hash and publish it in the future, so less work for you.
Please consider adding it and tell me if there is anything that you need me to add or remove.