tchapgouv / tchap-android

A matrix client for Android.
https://play.google.com/store/apps/details?id=fr.gouv.tchap.a
Apache License 2.0

signed #1054

Open patatetom opened 1 month ago

patatetom commented 1 month ago

Hi, how and on what basis can I verify the signature of the APK archive provided on GitHub? In other words, how can I verify that the APK archive really comes from gouv.fr? Regards, lacsaP.

yostyle commented 1 month ago

Hi @patatetom,

You can verify the checksum files. All signatures are stored in checksums.txt from assets.

If you prefer, I can send you the signatures on Tchap if you already have an account.

patatetom commented 1 month ago

I was thinking more of private/public key (eg. "signed") than file checksum.

yostyle commented 1 month ago

All APKs are signed with the same key. You can compare them with this certificate signature:

Signer #1 certificate SHA-256 digest: 2799b5dc1c4ee23127bffdad325db7096f5d0b4e3856f0000305e23f61f991ac
Signer #1 certificate SHA-1 digest: 48d2a6cb6a779fc8fa3b75cd56a55cc706886205
Signer #1 certificate MD5 digest: e1ab53bee87938be161dbdce0876a713

You should use the Android build tools to get this information from APKs: apksigner verify --print-certs gplay-tchap-withdmvoip-withpinning-arm64-v8a-v2.11.6-signed.apk

The private key is not shared. If you need more information please contact the support of Tchap: support@tchap.beta.gouv.fr.
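As an added example (not code from the tchap-android project or from the commenters), the check described above as a small script: it pins the Signer #1 certificate SHA-256 digest quoted in the thread, extracts the digest from the output of `apksigner verify --print-certs`, and treats anything else as a failed verification. Unlike a checksum in checksums.txt, which is downloaded from the same place as the APK, this pin ties the file to the signing key, so it also catches an APK that was re-signed by someone else. The `SAMPLE_OUTPUT` is constructed for demonstration; `apksigner` from the Android build tools is assumed to be on `PATH` when a real APK is passed.

```shell
#!/bin/sh
# Added example, not part of the tchap-android project.
# EXPECTED_SHA256 is the Signer #1 certificate SHA-256 digest quoted in the issue.
EXPECTED_SHA256="2799b5dc1c4ee23127bffdad325db7096f5d0b4e3856f0000305e23f61f991ac"

# Read `apksigner verify --print-certs` output on stdin and print the Signer #1
# certificate SHA-256 digest in lowercase hex. Prints nothing if the line is absent.
extract_signer_sha256() {
    sed -n 's/^Signer #1 certificate SHA-256 digest: *\([0-9A-Fa-f]*\).*$/\1/p' \
        | head -n 1 | tr 'A-F' 'a-f'
}

# Compare a digest against the pinned value. Returns 0 on match, 1 otherwise
# (an empty digest, i.e. no signer line found, is also a failure).
digest_matches() {
    [ -n "$1" ] && [ "$1" = "$EXPECTED_SHA256" ]
}

# Full check for the APK given as $1: apksigner must report a valid signature
# AND the signing certificate must match the pinned digest.
verify_apk() {
    out=$(apksigner verify --print-certs "$1") || return 1
    digest=$(printf '%s\n' "$out" | extract_signer_sha256)
    digest_matches "$digest"
}

# Constructed sample of apksigner output, used only to exercise the parser
# (the DN is a placeholder; the digests are the ones quoted in the thread).
SAMPLE_OUTPUT='Signer #1 certificate DN: CN=placeholder
Signer #1 certificate SHA-256 digest: 2799b5dc1c4ee23127bffdad325db7096f5d0b4e3856f0000305e23f61f991ac
Signer #1 certificate SHA-1 digest: 48d2a6cb6a779fc8fa3b75cd56a55cc706886205'

# Usage: ./check_apk.sh <file.apk>
if [ "$#" -ge 1 ]; then
    if verify_apk "$1"; then
        echo "OK: $1 is signed with the pinned Tchap certificate"
    else
        echo "FAIL: $1 is unsigned, invalid, or signed with a different certificate" >&2
        exit 1
    fi
fi
```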