TeamNewPipe / NewPipe

A libre lightweight streaming front-end for Android.
https://newpipe.net
GNU General Public License v3.0

[Feature Request]: Please add GPG signature and SHA512 hash to verify downloads of NewPipe from Github #5469

Open ovz93br43v7 opened 3 years ago

ovz93br43v7 commented 3 years ago

Describe the feature you want

I currently download the NewPipe APK files directly from GitHub, but it feels a bit "unsafe" to me because I couldn't find any GPG signature or SHA hash to verify my download. So I would like to have, for every release, a SHA512 hash and a possibility to verify the APK file with GPG.

Optionally, also describe alternatives you've considered: I tried to get F-Droid running on my FireTV but it doesn't work, so I can't use your repo or NewPipe from F-Droid itself.

Is your feature request related to a problem? Please describe it

No chance to verify direct GitHub downloads of NewPipe.

How will you/everyone benefit from this feature?

Improved security.

trymeouteh commented 3 years ago

+1 for this. I download NewPipe from GitHub since F-Droid takes a few days to update NewPipe, and when YouTube changes its encoding I don't want to have to wait for F-Droid to update NewPipe.

Also, there are apps like DeadHash which can be used to easily verify your APK files on Android to ensure they have not been tampered with, and the app supports many different hashes.

trymeouteh commented 3 years ago

Another suggestion would be for NewPipe to not only check for updates, but download the APK from GitHub, do a hash check to ensure it is secure and then install it within the NewPipe app. Similar to how FF Updater works on downloading and installing updated browsers.

Automatically downloading the app is not important for a feature however.