Saw this on lemmy and thought it might be of interest to people who want a 2nd way to verify their apks certificate hash that is not as involved as using apksigner.
I don’t undestand the use case of this site:
what to do with this info. How this helps GrapheneOS user?
A lot of GOS users use AppVerifier to get an APK’s certificate hash. It is then recommended to verify that hash with another user of the same app or with the app’s developer to validate the app.
Because this site uses a different code path to obtain the same certificate hash, it can serve as a second, independent method to verify an APK. Atleast that is my understanding.
2 Likes
In the early? Linux world, it’s common to find an SHA256 hash next to the download button. I haven’t been able to find that in the Android world—in other words, most apps don’t share their hashes. That’s why I’m asking.
Yeah, I think it’s a common issue for people who want to validate their APKs. You can use apksigner to do it, but it’s a bit more involved, as I mentioned previously. AppVerifier has a community database it checks against, but it’s relatively small; there’s also a GOS thread where people post hashes. This just seems like a convenient way, especially since the copy function aligns with what AppVerifier needs for the “verify from clipboard” button.
2 Likes