Publish `Signature Certificate SHA-256 Hash` for Android app .apk

By publishing the hash, users downloading the Android .apk from GitHub can verify, using the AppVerifier app or manually through the `apksigner verify --print-certs <path_to_apk>` command, that the .apk has not been tampered with and is exactly the same as what the developer published. This increases security and helps maintain integrity.

A lot of developers releasing their apps on GitHub do so. A few of them are as follows: Brave Browser, LocalSend, ImageToolBox, Ente Photos, Ente Auth, Ente Locker, Fossify File Manager and all their apps, Aves Gallery, Mullvad VPN, etc.

The hash can be published both in the README of the GitHub repo where the .apk is hosted and on the Obsidian website. Publishing on the website also mitigates a “theoretical risk”: if an attacker gains access to the GitHub repo, they can’t change the hash published on the website; even if they tamper with the .apk and change the hash accordingly in the GitHub repo, they can’t change the hash published on the website.

@WhiteNoise @joethei
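The verification step described in this request, as an added shell example that is not part of the thread or of Obsidian’s own tooling: it takes the text printed by `apksigner verify --print-certs`, extracts the signer certificate’s SHA-256 digest, and compares it with a fingerprint published in README notation. `apksigner` prints the digest as bare lowercase hex, while README templates usually list it colon-separated in uppercase, so both forms are normalised before comparison. Note that this compares the signing-certificate fingerprint, which is a different value from a file checksum of the .apk itself. The sample `apksigner` output and the published fingerprint are constructed placeholders, not the fingerprint of any real app, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): compare the signing-certificate SHA-256
# printed by `apksigner verify --print-certs` against a fingerprint published in
# a README. The published form is usually colon-separated uppercase hex
# (AA:BB:...), while apksigner prints bare lowercase hex, so both are normalised.

# Lowercase and strip colons/whitespace so either notation compares equal.
normalize_fp() {
  printf '%s' "$1" | tr -d ':[:space:]' | tr 'A-F' 'a-f'
}

# Pull the "Signer #1 certificate SHA-256 digest" value out of apksigner output
# (passed as text on stdin). Prints nothing if the line is absent.
extract_sha256() {
  sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | head -n 1
}

# Compare apksigner output (argument 1, as text) with a published fingerprint
# (argument 2). Returns 0 when they match, 1 on mismatch or missing digest.
check_apk_fingerprint() {
  actual=$(printf '%s\n' "$1" | extract_sha256)
  actual=$(normalize_fp "$actual")
  expected=$(normalize_fp "$2")
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed sample of apksigner output; the hex digits are placeholders, not
# the fingerprint of any real app.
SAMPLE_OUTPUT='Signer #1 certificate DN: CN=Example Developer, O=Example
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
Signer #1 certificate MD5 digest: 0123456789abcdef0123456789abcdef'

# The same value written the way a README template lists it (constructed).
PUBLISHED_SHA256='01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF'

# Real use: feed live apksigner output instead of the constructed sample, e.g.
#   check_apk_fingerprint "$(apksigner verify --print-certs app.apk)" "$PUBLISHED_SHA256"
if check_apk_fingerprint "$SAMPLE_OUTPUT" "$PUBLISHED_SHA256"; then
  echo "OK: signing certificate matches the published SHA-256 fingerprint"
else
  echo "MISMATCH: the APK was not signed with the published certificate" >&2
fi
```

Because the comparison is on the certificate fingerprint rather than on the file, a rebuilt and re-signed .apk fails the check even when its file checksum is updated to match; an empty or missing digest line is also treated as a failure rather than a match.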

Hello.

Please don’t randomly ping/tag people. It’s against our Code of Conduct. Thanks.

https://help.obsidian.md/community-code-of-conduct#Unsolicited+messages+to+community+members

Hi, Sorry for that. My bad!

I can edit my post to remove the tag, but I am unable to find the edit button.

Hi, can you please escalate this to the devs? It seems they haven’t noticed this issue yet. Plus, on GitHub, obsidianmd/obsidian-releases has no option to file an issue.

I moved this to the feature request category.

Thanks, does that mean it’s being worked on?
Honestly, there are just 10 lines of PR to be submitted for this issue to be closed.

Here is even a template for you to get this merged quickly, as frictionlessly as possible. Just edit the hash lines and add this to the GitHub README: https://github.com/obsidianmd/obsidian-releases

## Certificate Fingerprints

- **SHA1**: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
- **SHA256**: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

To verify these fingerprints, use the following command:

```bash
apksigner verify --print-certs <path_to_apk>
```

No. It means it has been moved to feature requests.

Two things,

  1. If you check the GitHub releases directly on a desktop computer, you should see the SHA-256 produced by GitHub during the upload/release process.
  2. Please read or review the Obsidian CoC.

  • The SHA-256 hashsum produced by GitHub is not the same as the app developer’s own certificate signing key SHA-256 hashsum; they are two very different things.
  • What about the Obsidian CoC? Is it about pinging in the initial post, for which I acknowledged my mistake, or is it about something else?

I am aware they are two different things, but you can still check that.

Sorry, I don’t understand. If they are two different things, would this feature request (not really a “feature request” per se, IMO) be implemented?

Also, I read the CoC. I believe you want to hint at the following, am I right?

Security concerns: If you have a security issue to report about the application, please [contact Obsidian support]( https://help.obsidian.md/resources#Contact Obsidian support).

Thank you corona for your feature request. It has been logged. There are no short-term plans to work on it.

Please don’t mark this as solved, because this FR hasn’t been implemented.

Publishing the SHA-256 signature hash for an Android APK is a smart security practice. It allows users to verify that the APK hasn’t been tampered with and matches what the developer intended. Adding the hash to the GitHub README or a separate website helps maintain trust and integrity, especially for apps distributed outside the Play Store. This simple step can prevent malicious modifications and improve overall app security.