Open patatetom opened 1 month ago
Hi @patatetom,
You can verify the checksum files. All signatures are stored in checksums.txt from assets.
If you prefer, I can send you the signatures on Tchap if you already have an account.
I was thinking more of private/public key (e.g. "signed") than file checksum.
All APKs are signed with the same key. You can compare them with this certificate signature:

Signer #1 certificate SHA-256 digest: 2799b5dc1c4ee23127bffdad325db7096f5d0b4e3856f0000305e23f61f991ac
Signer #1 certificate SHA-1 digest: 48d2a6cb6a779fc8fa3b75cd56a55cc706886205
Signer #1 certificate MD5 digest: e1ab53bee87938be161dbdce0876a713

You should use android build tools to get this information from APKs:

apksigner verify --print-certs gplay-tchap-withdmvoip-withpinning-arm64-v8a-v2.11.6-signed.apk
The private key is not shared. If you need more information please contact the support of Tchap : support@tchap.beta.gouv.fr.
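One way to script the comparison described in the comment above, as an added example that is not code from the Tchap project: it pins the SHA-256 certificate digest quoted in that comment and fails closed on any other signer. The function names `check_print_certs` and `verify_apk` are hypothetical, and `apksigner` from the Android build tools is assumed to be on `PATH`.

```shell
#!/bin/sh
# Added example: pin the APK signing certificate by its SHA-256 digest.
# The value below is the digest quoted in the maintainer's comment.
PINNED_SHA256="2799b5dc1c4ee23127bffdad325db7096f5d0b4e3856f0000305e23f61f991ac"

# Reads `apksigner verify --print-certs` output on stdin.
#   returns 0: exactly one signer, and its SHA-256 digest equals $1
#   returns 1: exactly one signer, but a different certificate
#   returns 2: no "Signer #N ... SHA-256" line, or more than one signer
check_print_certs() {
    awk -v want="$1" '
        /^Signer #[0-9]+ certificate SHA-256 digest: / { n++; got = tolower($NF) }
        END {
            if (n != 1) exit 2
            if (got != tolower(want)) exit 1
            exit 0
        }'
}

# Verifies the APK signature itself, then checks who signed it.
# A valid signature from an unknown key is still a failure.
verify_apk() {
    out=$(apksigner verify --print-certs "$1") || return 3   # signature invalid
    printf '%s\n' "$out" | check_print_certs "$PINNED_SHA256"
}

# When run as a script: ./verify-apk.sh path/to/file.apk
if [ "$#" -ge 1 ]; then
    verify_apk "$1" && echo "OK: signed by the pinned certificate"
fi
```

The pinned digest is only as trustworthy as the channel it was obtained through, so compare it against a copy obtained independently of the download page where possible.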
hi, how and on what basis can I verify the signature of the APK archive provided on GitHub? in other words, how can I verify that the APK archive really comes from gouv.fr? regards, lacsaP.