Update README.md #8634

Merged
merged 2 commits into from
Dec 5, 2024

Conversation

shrimprugbysnowowl
Contributor

Addresses #8576 . Please feel free to edit as you see fit.

@cketti
Member

cketti commented Dec 3, 2024

I think this might lead to unnecessary support requests if people don't know how to verify an APK is properly signed and use sha256sum on a downloaded APK instead.

We also use different signing certificates for the different apps and release channels (Thunderbird release/beta/daily, K-9 Mail).

@kewisch
Member

kewisch commented Dec 3, 2024

@cketti How do you feel about more neutral language, e.g.

Our applications use the following APK signatures:

  • Thunderbird: b6:52:47:79:b3:db:bc:5a:c1:7a:5a:c2:71:dd:b2:9d:cf:bf:72:35:78:c2:38:e0:3c:3c:21:78:11:35:6d:d1
  • Thunderbird Beta: 05:6b:fa:fb:45:02:49:50:2f:d9:22:62:28:70:4c:25:29:e1:b8:22:da:06:76:0d:47:a8:5c:95:57:74:1f:bd
  • K-9 Mail: 55:c8:a5:23:b9:73:35:f5:bf:60:df:e8:a9:f3:e1:dd:e7:44:51:6d:93:57:e8:0a:92:5b:7b:22:e4:f5:55:24

Alternatively we could create a SECURITY.md or similar with this information and link to it.

@cketti
Member

cketti commented Dec 3, 2024

We should use exact wording. These are (probably, I haven't actually checked the values) the SHA-256 hashes of the signing certificates we use.

If we do this, I think we should document the actual command one can use to verify an APK, not just link to the documentation of apksigner and let people figure it out on their own.

@wmontwe
Member

wmontwe commented Dec 5, 2024

I'll update this one -> done

README.md (outdated revision):
@@ -73,6 +73,24 @@ our [blog post](https://blog.thunderbird.net/2023/07/k-9-mail-collaborates-with-

You can report a security vulnerability [through the respective issues form](https://github.com/thunderbird/thunderbird-android/security/advisories/new).

### Verifying the Apk Signature

Users can ensure that the downloaded apk from Github and F-Droid was properly signed with our signing key by verifying
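Review bot: the added sentence promises that the reader can confirm the download was "properly signed with our signing key", but a signature check on its own only shows the APK is consistent with whatever certificate is embedded in it; a repackaged APK signed with an attacker's own key passes that check just as well. The section needs to list the expected certificate fingerprint(s) for each app and release channel and tell the reader to compare the fingerprint the tool prints against that list. The heading should also spell it "APK" rather than "Apk", and the sentence should name the tool and command it refers to.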
Review comment (Member):

I think we should be accurate with naming and replace "signing key" with "signing certificate". Especially since the command line argument is called -printcert and users might not be able to make the connection.

Review comment (Member):

I agree that "signing certificate" is more accurate, especially in the context of using the keytool command with -printcert. However, since this is about verifying the APK's signature, switching to the suggested term might not directly address the primary goal. It would be helpful to define the target audience for this documentation to determine whether the concern about users not making the connection is valid. That way, we can decide if a clarification or adjustment is truly necessary.

Review comment (Member):

I removed usage of any term to keep it simple

Review comment (Member):

keytool and apksigner verify that the APK was signed using the signing certificate that is part of the APK. What the user needs to do is verify that the signing certificate in the APK is actually our signing certificate and not some random other one.

Review comment (Member):

I understand your point, but it would be more helpful if you could suggest a way to explain this more clearly for users. That way, we can make sure the information is both accurate and user-friendly.

README.md (outdated revision):
To verify the SHA-256 hash of the APK, use the following command in your terminal:

```bash
keytool -printcert -jarfile <path-to-apk>
```
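Review bot: the lead-in says the command verifies "the SHA-256 hash of the APK", but `keytool -printcert -jarfile` prints the SHA-256 fingerprint of the signing certificate, not a hash of the APK file; a reader who takes the sentence literally and runs `sha256sum` on the download gets a value that matches nothing. Say "SHA-256 fingerprint of the signing certificate" and show the expected value to compare against. keytool also only reads the JAR (v1) signature, so it tells the reader nothing about the v2/v3 signatures Android actually relies on; `apksigner verify -v --print-certs <path-to-apk>` covers all schemes and is the better command to document.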
Review comment (Member):

I believe keytool will only verify the v1 signature. We probably want to recommend using apksigner verify so we don't have to update this in the future.

Review comment (wmontwe, Member, Dec 5, 2024):

The problem is that apksigner requires installing the Android SDK Build Tools, and this could be a nice addition but requires way more effort than using keytool.

Review comment (Member):

🤷 We don't expect regular users to verify the APK signature. I think it's fine to require interested users to install the build tools. It's also possible they don't have keytool installed. So that would require some work as well.

Review comment (Member):

Let's go with apksigner, this is for example also what Signal does: https://signal.org/android/apk/

@wmontwe
Member

wmontwe commented Dec 5, 2024

The section is now shorter

@cketti
Member

cketti commented Dec 5, 2024

Now we're back to where we started. See the first comment.

@wmontwe
Member

wmontwe commented Dec 5, 2024

> Now we're back to where we started. See the first comment.

To move forward, it would be helpful if you could provide a concrete suggestion for how you think this should be phrased.

@cketti
Member

cketti commented Dec 5, 2024

I like the simplicity of Signal's page. Adjusted for us, it would be:

These are the SHA-256 fingerprints for our signing certificates:

  • Thunderbird: B6:52:47:79:B3:DB:BC:5A:C1:7A:5A:C2:71:DD:B2:9D:CF:BF:72:35:78:C2:38:E0:3C:3C:21:78:11:35:6D:D1
  • Thunderbird Beta: 05:6B:FA:FB:45:02:49:50:2F:D9:22:62:28:70:4C:25:29:E1:B8:22:DA:06:76:0D:47:A8:5C:95:57:74:1F:BD
  • K-9 Mail: 55:C8:A5:23:B9:73:35:F5:BF:60:DF:E8:A9:F3:E1:DD:E7:44:51:6D:93:57:E8:0A:92:5B:7B:22:E4:F5:55:24

You can use the following command to retrieve and verify the certificate before installation:

apksigner verify -v --print-certs <path-to-apk>

@wmontwe
Member

wmontwe commented Dec 5, 2024

> I like the simplicity of Signal's page. Adjusted for us, it would be:
>
> These are the SHA-256 fingerprints for our signing certificates:
>
>   • Thunderbird: B6:52:47:79:B3:DB:BC:5A:C1:7A:5A:C2:71:DD:B2:9D:CF:BF:72:35:78:C2:38:E0:3C:3C:21:78:11:35:6D:D1
>   • Thunderbird Beta: 05:6B:FA:FB:45:02:49:50:2F:D9:22:62:28:70:4C:25:29:E1:B8:22:DA:06:76:0D:47:A8:5C:95:57:74:1F:BD
>   • K-9 Mail: 55:C8:A5:23:B9:73:35:F5:BF:60:DF:E8:A9:F3:E1:DD:E7:44:51:6D:93:57:E8:0A:92:5B:7B:22:E4:F5:55:24
>
> You can use the following command to retrieve and verify the certificate before installation:
> apksigner verify -v --print-certs <path-to-apk>

I'm fine with copy pasting Signal's approach.
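One way to do the comparison step cketti describes above (checking that the certificate inside the APK is actually the project's, not merely that the APK is consistent with some certificate), as an added example that is not code from the thunderbird-android project or this PR: a Python script that reads the v2/v3 APK Signing Block, renders each signer certificate's SHA-256 fingerprint in the README's colon-separated form, and compares it with a published value. It also normalizes the lowercase, colon-free digest line that `apksigner verify -v --print-certs` prints, so the two forms compare equal. It does not verify the signature over the APK contents (apksigner and the Android package installer do that); use it after `apksigner verify`, or purely to compare fingerprints. Assumptions: the APK carries a v2 or v3 signing block (any current release does); `build_sample_apk` produces a constructed stand-in for the demonstration, not an installable APK, and its "certificate" is a placeholder byte string; the apksigner output format assumed is `Signer #1 certificate SHA-256 digest: <64 hex chars>`.

```python
import hashlib
import re
import struct
from typing import List, Tuple

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A
V3_BLOCK_ID = 0xF05368C0
EOCD_SIGNATURE = b"PK\x05\x06"  # 0x06054b50, little-endian
# assumed output line of `apksigner verify -v --print-certs`
APKSIGNER_DIGEST_RE = re.compile(r"certificate SHA-256 digest:\s*([0-9a-fA-F]{64})")


def normalize_fingerprint(fp: str) -> str:
    """Make 'B6:52:...' (README style) and 'b652...' (apksigner style) comparable."""
    return fp.replace(":", "").strip().lower()


def colon_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, colon-separated as in the README."""
    hexdigest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))


def _central_directory_offset(apk: bytes) -> int:
    # The EOCD record sits within the last 22 + 65535 bytes (max ZIP comment length).
    eocd = apk.rfind(EOCD_SIGNATURE, max(0, len(apk) - 22 - 65535))
    if eocd < 0:
        raise ValueError("not a ZIP/APK: no end-of-central-directory record")
    return struct.unpack_from("<I", apk, eocd + 16)[0]


def apk_signing_block_pairs(apk: bytes) -> List[Tuple[int, bytes]]:
    """(id, value) pairs of the APK Signing Block, which sits directly before the
    central directory and ends with a copy of its size plus a 16-byte magic."""
    cd_offset = _central_directory_offset(apk)
    if cd_offset < 32 or apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return []  # unsigned or v1-only APK: no signing block at all
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    start = cd_offset - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("corrupt APK Signing Block: size fields disagree")
    pairs, pos, end = [], start + 8, cd_offset - 24
    while pos < end:
        length, block_id = struct.unpack_from("<QI", apk, pos)  # length covers id + value
        pairs.append((block_id, apk[pos + 12:pos + 8 + length]))
        pos += 8 + length
    return pairs


def _prefixed(buf: bytes, pos: int) -> Tuple[bytes, int]:
    n = struct.unpack_from("<I", buf, pos)[0]
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def _sequence(buf: bytes) -> List[bytes]:
    items, pos = [], 0
    while pos < len(buf):
        item, pos = _prefixed(buf, pos)
        items.append(item)
    return items


def signing_certificates(apk: bytes) -> List[bytes]:
    """DER certificates of every v2/v3 signer ([] if there is no signing block).  In both
    schemes a signer starts with length-prefixed signed data: digests, then certificates."""
    certs: List[bytes] = []
    for block_id, value in apk_signing_block_pairs(apk):
        if block_id not in (V2_BLOCK_ID, V3_BLOCK_ID):
            continue
        signers, _ = _prefixed(value, 0)
        for signer in _sequence(signers):
            signed_data, _ = _prefixed(signer, 0)
            _digests, pos = _prefixed(signed_data, 0)
            cert_seq, _ = _prefixed(signed_data, pos)
            for der in _sequence(cert_seq):
                if der not in certs:  # the same cert normally appears in both v2 and v3
                    certs.append(der)
    return certs


def matches_published_fingerprint(apk: bytes, expected: str) -> bool:
    """True only if there is at least one signer and EVERY signer cert matches."""
    certs = signing_certificates(apk)
    want = normalize_fingerprint(expected)
    return bool(certs) and all(normalize_fingerprint(colon_fingerprint(c)) == want for c in certs)


def fingerprints_from_apksigner_output(text: str) -> List[str]:
    """Digests from `apksigner verify -v --print-certs` output, normalized."""
    return [normalize_fingerprint(m) for m in APKSIGNER_DIGEST_RE.findall(text)]


def build_sample_apk(certs: List[bytes]) -> bytes:
    """Constructed test input (NOT an installable APK): no ZIP entries, empty digests and
    signatures, just the structures the parser reads.  [] -> no signing block."""
    def pre(b: bytes) -> bytes:
        return struct.pack("<I", len(b)) + b
    if not certs:
        return struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 0, 0, 0, 0, 0)
    signed_data = pre(b"") + pre(b"".join(pre(c) for c in certs)) + pre(b"")
    signer = pre(signed_data) + pre(b"") + pre(b"")  # signed data, signatures, public key
    v2_value = pre(pre(signer))
    pair = struct.pack("<QI", 4 + len(v2_value), V2_BLOCK_ID) + v2_value
    size = len(pair) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    return block + struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 0, 0, 0, len(block), 0)
```

On a real download, read the file into `apk` and call `matches_published_fingerprint(apk, "B6:52:47:...")` with the value from the README, or print `colon_fingerprint(der)` for each entry of `signing_certificates(apk)` and compare by eye. Two deliberate choices: an APK with no v2/v3 block yields an empty list, and the match function treats that as a failure rather than a vacuous pass; and with several signers every certificate has to match, so an extra, unknown signer is reported rather than ignored.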

@wmontwe wmontwe merged commit e3526d5 into thunderbird:main Dec 5, 2024
1 check passed