Proton Calendar wrong SHA256 from website

I’ve only recently stopped being a lazy bum and started checking the hash of files I download, so it might be I’m doing something wrong, but I get a different SHA256 for the Proton Calendar APK than the one published on the page.

It should be:
DC:C9:43:9E:C1:A6:C6:A8:D0:20:3F:34:23:EE:42:BC:C8:B9:70:62:8E:53:CB:73:A0:39:3F:39:8D:D5:B8:53

I get:
C9886B25449CBCBEB2592227F0F662CAE5972B312CC787F255BD097FCEA25E2E

Double-checked on both phone and PC (and I’ve reported it to Proton) but could one of you fellas be so kind and check as well while I wait for the customer support reply?

1 Like

The SHA256 fingerprint that is displayed on Proton’s website is not the SHA256 of the APK itself, but the SHA256 certificate fingerprint that can be found inside the APK file. Within the APK file there is a file named CERT.RSA; this is the certificate used for signing.

You can check the (SHA256) certificate fingerprint with a tool like keytool, apksigner or openssl.

```
keytool -printcert -jarfile ProtonCalendar-Android.apk
Signer #1:

Certificate #1:
Owner: CN=Proton Technologies AG, OU=Proton Technologies AG, O=Proton Technologies AG, L=Geneva, ST=Geneva, C=CH
Issuer: CN=Proton Technologies AG, OU=Proton Technologies AG, O=Proton Technologies AG, L=Geneva, ST=Geneva, C=CH
Serial number: 7f50238
Valid from: Wed Mar 18 20:23:24 CET 2015 until: Sun Aug 03 21:23:24 CEST 2042
Certificate fingerprints:
SHA1: D8:E1:EE:3F:F3:A7:F6:EC:46:88:3C:89:80:32:FE:03:C2:3E:EC:20
SHA256: DC:C9:43:9E:C1:A6:C6:A8:D0:20:3F:34:23:EE:42:BC:C8:B9:70:62:8E:53:CB:73:A0:39:3F:39:8D:D5:B8:53
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
```

I do think this verification method is confusing and not user friendly.

5 Likes
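The distinction explained in the answer above, as an added example that is not part of the original thread: this Python sketch computes both the SHA-256 of the APK file and the SHA-256 of the certificate stored in the JAR (v1) signature file such as META-INF/CERT.RSA, then reports which of the two a published value corresponds to. The function names are hypothetical, and it assumes the APK carries a DER-encoded v1 signature block.

```python
import hashlib
import sys
import zipfile

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length == 0x80:
        raise ValueError("indefinite-length encoding is not supported")
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def first_cert_der(pkcs7):
    """Return the DER bytes of the first certificate in a PKCS#7 SignedData."""
    _, pos, _ = _tlv(pkcs7, 0)        # ContentInfo SEQUENCE
    _, _, pos = _tlv(pkcs7, pos)      # skip the contentType OID
    _, pos, _ = _tlv(pkcs7, pos)      # [0] EXPLICIT wrapper
    _, pos, end = _tlv(pkcs7, pos)    # SignedData SEQUENCE
    while pos < end:
        tag, start, stop = _tlv(pkcs7, pos)
        if tag == 0xA0:               # certificates [0] IMPLICIT
            _, _, cert_end = _tlv(pkcs7, start)
            return pkcs7[start:cert_end]
        pos = stop
    raise ValueError("no certificate found in signature block")

def apk_hashes(path):
    """Return (SHA-256 of the file, SHA-256 of the v1 signing certificate)."""
    with open(path, "rb") as f:
        file_hash = hashlib.sha256(f.read()).hexdigest()
    with zipfile.ZipFile(path) as z:
        sig = next(n for n in z.namelist() if n.startswith("META-INF/")
                   and n.upper().endswith((".RSA", ".DSA", ".EC")))
        cert_hash = hashlib.sha256(first_cert_der(z.read(sig))).hexdigest()
    return file_hash, cert_hash

def which_matches(path, published):
    """Say which hash a published value is: 'certificate', 'file' or 'none'."""
    want = published.replace(":", "").strip().lower()
    file_hash, cert_hash = apk_hashes(path)
    return {cert_hash: "certificate", file_hash: "file"}.get(want, "none")

if __name__ == "__main__":  # usage: python3 check_apk.py <apk> <published value>
    print(which_matches(sys.argv[1], sys.argv[2]))
```

A "certificate" result only shows which certificate is embedded in the file; it does not validate the signature over the APK contents, which `apksigner verify --print-certs` does.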

O gods I loathe having to use command line.

Anyway, I eventually managed to figure it out so thank you very much for the help and answer darling.

1 Like