
better way to verify GitHub APK files #1810

Merged: 1 commit into Kunzisoft:master from patch-1, May 6, 2024

Conversation

@ghost commented Apr 19, 2024

Verifying the signing certificate hash is way better than verifying the hash of the APK files, because it does not change at all, and it will be much more noticeable if it is changed in the README.md file than in just the GitHub release notes.

And you will not have to calculate the hash and publish it in the future, so less work for you.

Please consider adding it and tell me if there is anything that you need me to add or remove.

@J-Jamet (Member) commented Apr 19, 2024

This is a good addition, but there should be a command that clearly indicates if there is an error, here there is simply nothing to display, which is confusing for the user.

@ghost (Author) commented Apr 19, 2024

Well, what are you thinking about exactly?

Should I make an if condition that prints a warning if the app is not legit? Something like:

```bash
# Print the signing certificate of the APK and keep only the SHA256 fingerprint line.
signature_hash=$(keytool -printcert -jarfile KeePassDX-*-libre.apk | grep 'SHA256:')
# Compare it with the fingerprint published in the README.
if [[ "$signature_hash" == *"7D:55:B8:AF:21:03:81:AA:BF:96:0F:07:E1:7C:F7:85:7B:6D:2A:64:2C:A2:DA:6B:F0:BD:F1:B2:00:36:2F:04"* ]]; then
  echo "The app is legit"
else
  echo "The app is not legit"
fi
```

Or we can make it interactive by prompting the user to copy the valid hash from GitHub and paste it into the terminal, so the hash is always isolated and very noticeable in public. Like:

```bash
# Print the signing certificate of the APK and keep only the SHA256 fingerprint line.
signature_hash=$(keytool -printcert -jarfile KeePassDX-*-libre.apk | grep 'SHA256:')
echo "Please enter the valid signature hash from GitHub."
# -r keeps backslashes literal; the pasted value is quoted so it is matched literally.
read -r valid_signature_hash
if [[ "$signature_hash" == *"$valid_signature_hash"* ]]; then
  echo "The app is legit"
else
  echo "The app is not legit"
fi
```

My old method is just like yours, but I am relying on the signature hash for the reasons I gave you. Which I believe is good because it relies on the user to compare, and I made it in such a way that it does not even print the hash if it is wrong.

Looking forward to getting some suggestions.

ghost changed the title "better way to verify github apk files" to "better way to verify GitHub apk files" on Apr 19, 2024
ghost changed the title "better way to verify GitHub apk files" to "better way to verify GitHub APK files" on Apr 19, 2024
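The scripts posted above grep one line out of `keytool` and print nothing useful when the fingerprint is absent (the maintainer's objection), and a glob such as `KeePassDX-*-libre.apk` hands every matching file to `keytool`. The following is an added example written for this page; it is not KeePassDX project code and not the PR's script. It takes one explicit APK path, normalises fingerprints before comparing them, and exits with a distinct status and message for match, mismatch, no certificate found, several certificates found, and tool failure. It assumes `keytool` is on `PATH`; the expected fingerprint is the one quoted in the PR. One caveat worth knowing: `keytool -printcert -jarfile` reads the v1 (JAR) signature only, so an APK signed solely with the v2/v3 scheme yields no fingerprint there; for such files run `apksigner verify --print-certs` instead, whose `SHA-256 digest:` line the same parser accepts.

```bash
#!/usr/bin/env bash
# Added example, not KeePassDX project code: verify an APK by its signing-certificate
# SHA-256 fingerprint and report a clear result on every path (match, mismatch,
# no certificate found, tool error) instead of printing nothing on failure.
set -eu

# Fingerprint the project publishes for its signing certificate (copied from the PR above).
EXPECTED_SHA256='7D:55:B8:AF:21:03:81:AA:BF:96:0F:07:E1:7C:F7:85:7B:6D:2A:64:2C:A2:DA:6B:F0:BD:F1:B2:00:36:2F:04'

# Canonical form for comparison: uppercase hex, no colons or whitespace, so that
# keytool's "7D:55:..." and apksigner's "7d55..." compare equal.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \t\r\n' | tr '[:lower:]' '[:upper:]'
}

# Read tool output on stdin, print one normalized SHA-256 fingerprint per line.
# Accepts the keytool line ("\t SHA256: 7D:55:...") and the apksigner line
# ("Signer #1 certificate SHA-256 digest: 7d55..."). The keytool line
# "Signature algorithm name: SHA256withRSA" is deliberately not matched.
extract_sha256() {
  awk '/^[ \t]*SHA256:/ || /certificate SHA-256 digest:/ {
         sub(/^.*(SHA256:|SHA-256 digest:)[ \t]*/, "")
         gsub(/[: \t\r]/, "")
         print toupper($0)
       }'
}

# Compare the fingerprint(s) found in the tool output on stdin with the expected one.
# Exit status: 0 match, 1 mismatch, 2 no fingerprint found, 3 more than one
# fingerprint (a certificate chain; inspect by hand rather than guess).
check_fingerprint_output() {
  local want got count
  want=$(normalize_fp "$1")
  got=$(extract_sha256)
  if [ -z "$got" ]; then
    echo "ERROR: no certificate fingerprint found (unsigned APK, v2/v3-only signature, or tool error)" >&2
    return 2
  fi
  count=$(printf '%s\n' "$got" | wc -l | tr -d ' ')
  if [ "$count" -ne 1 ]; then
    echo "ERROR: $count fingerprints found, refusing to guess which one is the signer:" >&2
    printf '%s\n' "$got" | sed 's/^/  /' >&2
    return 3
  fi
  if [ "$got" = "$want" ]; then
    echo "OK: signing certificate matches $1"
    return 0
  fi
  echo "NOT LEGIT: signing certificate mismatch" >&2
  echo "  expected: $want" >&2
  echo "  got:      $got" >&2
  return 1
}

# Run keytool on one explicit APK path (a glob would pass every match to keytool).
# keytool -printcert -jarfile reads the v1 (JAR) signature; for an APK signed only
# with v2/v3, substitute: apksigner verify --print-certs "$apk"
verify_apk() {
  local apk=$1 out
  if [ ! -f "$apk" ]; then
    echo "ERROR: not a file: $apk" >&2
    return 2
  fi
  if ! out=$(keytool -printcert -jarfile "$apk" 2>&1); then
    echo "ERROR: keytool failed on $apk:" >&2
    printf '%s\n' "$out" >&2
    return 2
  fi
  printf '%s\n' "$out" | check_fingerprint_output "$EXPECTED_SHA256"
}

# Usage (placeholder path): ./verify_apk.sh ./KeePassDX-libre.apk; echo "exit=$?"
if [ "$#" -eq 1 ]; then
  verify_apk "$1"
fi
```

The exit status is what makes the check usable from another script or a CI step; the messages on stderr are for the person running it by hand. Separating `check_fingerprint_output` from `verify_apk` lets the comparison be exercised with captured tool output without needing `keytool` installed.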
@J-Jamet (Member) commented Apr 22, 2024

> Should I make an if condition that prints a warning if the app is not legit?

It's clearer but takes several lines. I approve of the PR; we can improve it later.

@J-Jamet (Member) commented Apr 22, 2024

Merged in develop

@ghost (Author) commented Apr 22, 2024

No problem.

J-Jamet merged commit c478815 into Kunzisoft:master on May 6, 2024
ghost deleted the patch-1 branch on May 17, 2024 08:31