Publish the Android APK signing key hash on the download page and on an external platform so users can validate it
Let's face it, PGP verification is cumbersome for users. Fortunately, there is an easier alternative:
As part of the Android build process, the APK is signed with the developer's key. The signing certificate is embedded in the APK itself, and its fingerprint can be extracted on the command line (the apksigner command), with other applications such as ApkVerifier, or by built-in OS modules like the one planned by GrapheneOS.
For users to be able to verify the signing key hash, the ideal scenario would be for the hash to be published alongside the APKs and in other places known to be controlled by the Tor developers. It can be a twitter post, a github readme, etc. Users can go to one or more of these places and confirm that the key hash they obtained indeed comes from the developer. The hashes typically published by other developers are SHA-1 and SHA-256 together with the bundle name, for example:
CN=Tor Project, OU=TorProject.org, O=TorProject.org, L=New York, ST=NY, C=US
Valid from: Mon Feb 22 23:05:20 EST 2010 until: Sat Jul 11 00:05:20 EDT 2037
Certificate fingerprints:
SHA1: CD:14:2A:CC:DE:63:FE:57:C1:C5:28:58:E1:9D:1B:37:C7:64:22:CE
SHA256: A4:54:B8:7A:18:47:A8:9E:D7:F5:E7:0F:BA:6B:BA:96:F3:EF:29:C2:6E:09:81:20:4F:E3:47:BF:23:1D:FD:5B
Workflow example:
- The user downloads the APK from the github releases section.
- The user takes note of the signing key hash.
- Right before installing the APK, in the case of GrapheneOS, the package installer shows the hash. If there is a match, the user proceeds.
Apps like ApkVerifier even contain an internal database of key hashes known to have been published by developers, so users can see whether the apps installed on their phone (or APKs about to be installed) are deemed trusted.
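To make the command-line side of this workflow concrete, here is a small verification helper. It is an added example for this issue, not code from the Tor Project or from apksigner; it assumes the line format that `apksigner verify --print-certs` prints ("Signer #N certificate SHA-256 digest: <hex>"), embeds a constructed sample of that output built from the fingerprints quoted above, and compares it against a fingerprint the user copied from a published source. Comparison is done on SHA-256 only, after normalising colons and letter case, and every signer in the APK must match the published key.

```python
"""Check an APK's signing-certificate fingerprint against a published one.

Added example for this issue (not Tor Project code). Assumes the output
format of `apksigner verify --print-certs`; sample output below is constructed.
"""
import re
import subprocess
import sys

# Constructed sample in the shape of `apksigner verify --print-certs` output.
# The DN and digests are the ones quoted in this issue, written the way
# apksigner prints them (lowercase hex, no colons). MD5 is a placeholder.
SAMPLE_APKSIGNER_OUTPUT = """\
Signer #1 certificate DN: CN=Tor Project, OU=TorProject.org, O=TorProject.org, L=New York, ST=NY, C=US
Signer #1 certificate SHA-256 digest: a454b87a1847a89ed7f5e70fba6bba96f3ef29c26e0981204fe347bf231dfd5b
Signer #1 certificate SHA-1 digest: cd142accde63fe57c1c52858e19d1b37c76422ce
Signer #1 certificate MD5 digest: 00000000000000000000000000000000
"""

_CERT_LINE = re.compile(
    r"^Signer #(\d+) certificate (DN|SHA-256 digest|SHA-1 digest|MD5 digest): (.*)$"
)
_FIELD_NAMES = {"DN": "dn", "SHA-256 digest": "sha256",
                "SHA-1 digest": "sha1", "MD5 digest": "md5"}


def normalize_fingerprint(value):
    """Canonical form of a fingerprint: uppercase hex without colons or spaces.

    Accepts both the 'A4:54:...' style used on release pages and the bare
    lowercase hex apksigner prints. Rejects anything that is not SHA-1 or SHA-256.
    """
    hexstr = re.sub(r"[\s:]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}|[0-9A-F]{64}", hexstr):
        raise ValueError(f"not a SHA-1/SHA-256 fingerprint: {value!r}")
    return hexstr


def parse_apksigner_certs(output):
    """Parse apksigner --print-certs text into one dict per signer, in order."""
    signers = {}
    for line in output.splitlines():
        match = _CERT_LINE.match(line.strip())
        if not match:
            continue  # verification status lines and anything else are ignored
        index, field, value = match.groups()
        signers.setdefault(int(index), {})[_FIELD_NAMES[field]] = value.strip()
    return [signers[i] for i in sorted(signers)]


def signing_key_matches(output, published_sha256):
    """True only if the APK has at least one signer and every signer's
    certificate SHA-256 equals the published fingerprint.

    Requiring all signers (not just one) to match means an APK carrying an
    extra, unknown signing key is rejected rather than accepted.
    """
    expected = normalize_fingerprint(published_sha256)
    if len(expected) != 64:
        raise ValueError("compare SHA-256 fingerprints; SHA-1 is for display only")
    signers = parse_apksigner_certs(output)
    if not signers:
        return False
    return all(
        "sha256" in signer and normalize_fingerprint(signer["sha256"]) == expected
        for signer in signers
    )


def apksigner_output_for(apk_path):
    """Run the real apksigner tool on an APK and return its --print-certs text."""
    result = subprocess.run(
        ["apksigner", "verify", "--print-certs", apk_path],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # usage: verify_apk_signer.py <file.apk> <published SHA-256 fingerprint>
    if len(sys.argv) != 3:
        sys.exit("usage: verify_apk_signer.py <apk> <published-sha256>")
    ok = signing_key_matches(apksigner_output_for(sys.argv[1]), sys.argv[2])
    print("signing key matches the published fingerprint" if ok
          else "MISMATCH: signing key differs from the published fingerprint")
    sys.exit(0 if ok else 1)
```

The user pastes the SHA-256 value from the release page (colons and all) as the second argument; apksigner itself checks that the signature over the APK contents is valid, and this script checks that the certificate behind that signature is the one the developers published.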