Validate Android .apk signing key before installing
oppen c0e6ea6890 remove env var dependency 10 months ago
.idea ::: 10 months ago
app ::: 10 months ago
assets ::: 10 months ago
gradle/wrapper ::: 10 months ago
.gitignore ::: 10 months ago
LICENSE ::: 10 months ago
README.md ::: 10 months ago
build.gradle ::: 10 months ago
download.gmi ::: 10 months ago
filename ::: 10 months ago
gradle.properties ::: 10 months ago
gradlew ::: 10 months ago
gradlew.bat ::: 10 months ago
od.sh remove env var dependency 10 months ago
settings.gradle ::: 10 months ago

README.md

Signature Icon

Signature

With everyone 'DeGoogling', Android apps are being installed more and more from simple website downloads. This is much less safe than using Google Play (or F-Droid). To add some safety, websites often publish a SHA256 hash of their signing certificate so users can verify that the file they downloaded hasn't been intercepted in transit and replaced with something containing malicious code:

Signal Example Screenshot

The verify link here sends users to developer.android.com/studio/command-line/apksigner, where there are instructions on using the command-line tool apksigner to verify the integrity of the downloaded .apk. This project makes that verification easier: users can download apps from websites straight to their Android devices and verify the .apk before installing.

Signal Example Screenshot

Validate Android .apk before installing:

  • Check the signing key matches any the developer has posted publicly DONE
  • Check the file checksum matches any the developer has posted publicly DONE
  • Refactor IN_PROGRESS
  • Extract and display app name from Manifest TODO
  • Extract and display app name icon TODO
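
The two checks marked DONE above, sketched on a desktop as an added example (this is not code from this project): it compares the certificate digests in the text printed by `apksigner verify --print-certs`, and the SHA-256 of the file itself, against values a developer has published. The function names, the sample data and the exact `Signer #N certificate SHA-256 digest:` line format are assumptions of the example, as is the choice to require every listed signer to be published.

```python
import hashlib
import re

# Assumed line format of `apksigner verify --print-certs` output.
DIGEST_LINE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)

def normalize(fingerprint):
    """Turn 'AA:BB:..', 'aa bb ..' or plain hex into 64 lowercase hex chars."""
    digits = re.sub(r"[\s:]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digits):
        raise ValueError("not a SHA-256 value: %r" % fingerprint)
    return digits

def matches_any(digest, published):
    """True if the digest equals one of the published values."""
    return digest.lower() in {normalize(p) for p in published}

def signers_trusted(apksigner_output, published_certs):
    """True only if at least one signer is listed and every one is published.

    Only meaningful when apksigner itself exited successfully: the printed
    digest of an APK that failed verification proves nothing.
    """
    found = DIGEST_LINE.findall(apksigner_output)
    return bool(found) and all(matches_any(d, published_certs) for d in found)

def file_trusted(apk_bytes, published_checksums):
    """Check the whole-file SHA-256 against the published checksums."""
    return matches_any(hashlib.sha256(apk_bytes).hexdigest(), published_checksums)

# Constructed sample data: not a real certificate, APK or apksigner run.
CERT_DIGEST = hashlib.sha256(b"constructed signing certificate").hexdigest()
SAMPLE_OUTPUT = (
    "Signer #1 certificate DN: CN=Example Developer\n"
    "Signer #1 certificate SHA-256 digest: " + CERT_DIGEST + "\n"
    "Signer #1 certificate SHA-1 digest: " + "0" * 40 + "\n"
)
# The same value as a website might print it: upper case, colon separated.
PUBLISHED = ":".join(CERT_DIGEST[i:i + 2] for i in range(0, 64, 2)).upper()

if __name__ == "__main__":
    print("certificate matches:", signers_trusted(SAMPLE_OUTPUT, [PUBLISHED]))
    print("unrelated value matches:", signers_trusted(SAMPLE_OUTPUT, ["11" * 32]))
```

The certificate check stays valid across app updates signed with the same key, while the file checksum only matches one exact release.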

Licence

European Union Public Licence v. 1.2