signed

[patatetom]

hi,
how and on what basis can I verify the signature of the APK archive provided on GitHub ?
in other words, how can I verify that the APK archive really comes from gouv.fr ?
regards, lacsaP.

[yostyle]

Hi @patatetom,

You can verify the checksum files. All signatures are stored in checksums.txt from assets.

If you prefer, I can send you the signatures on Tchap if you already have an account.

[patatetom]

I was thinking more of private/public key (eg. "signed") than file checksum.

[yostyle]

All APKs are signed with the same key. You can compare them with this certificate signature :
Signer #1 certificate SHA-256 digest: 2799b5dc1c4ee23127bffdad325db7096f5d0b4e3856f0000305e23f61f991ac
Signer #1 certificate SHA-1 digest: 48d2a6cb6a779fc8fa3b75cd56a55cc706886205
Signer #1 certificate MD5 digest: e1ab53bee87938be161dbdce0876a713

You should use android build tools to get this information from APKs: apksigner verify --print-certs gplay-tchap-withdmvoip-withpinning-arm64-v8a-v2.11.6-signed.apk

The private key is not shared. If you need more information please contact the support of Tchap :
support@tchap.beta.gouv.fr.