Describe the feature
The maintainers should provide the same app signature, which is already available in the README, through different communication channels, such as the website's downloads page or a pinned message in the Discord or Telegram group.
Reason for adding
The project already provides the app's signature in the repo's README. While this is an improvement over not providing it at all, a malicious actor with access to upload a different set of APKs to the repo could also modify the signature in the README, making it essentially useless as a measure against malicious actors, which is, I assume, the reason the signature is included in the first place. So, providing the app's signature through different channels would help mitigate this issue, as users would be able to compare the signatures to ensure the APK is safe to use.
Example(s)
https://github.com/accrescent/accrescent?tab=readme-ov-file#signing-certificate-hash
Be sure to check it against the hashes on our website and Twitter to verify its legitimacy.
Additional context
No response
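
The comparison this request describes, as an added example (not part of the original issue or the project's code): it parses the output of `apksigner verify --print-certs` and accepts an APK only when fingerprints copied from at least two channels agree with each other and with the APK. The fingerprints, channel names, the single-signer assumption and the `check` helper are constructed for illustration.

```python
import re

GOOD = "a1b2c3d4" * 8   # constructed 64-hex-digit fingerprint
EVIL = "deadbeef" * 8   # constructed fingerprint of a different certificate

# Constructed sample in the format printed by `apksigner verify --print-certs`.
SAMPLE_OUTPUT = f"""Signer #1 certificate DN: CN=Example Maintainer
Signer #1 certificate SHA-256 digest: {GOOD}
Signer #1 certificate SHA-1 digest: {'0' * 40}
"""

def normalize(fp):
    """Reduce 'AB:CD:..', 'ab cd ..' or plain hex to lowercase hex."""
    hexed = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexed):
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return hexed

def apk_fingerprints(apksigner_output):
    """Return the SHA-256 digest of every signer certificate in the output."""
    found = re.findall(r"^Signer #\d+ certificate SHA-256 digest: (\S+)$",
                       apksigner_output, re.MULTILINE)
    return [normalize(fp) for fp in found]

def check(apksigner_output, published, min_channels=2):
    """published maps channel name -> fingerprint as copied from that channel."""
    signers = apk_fingerprints(apksigner_output)
    if len(signers) != 1:  # assumption: the app is signed with a single key
        return "reject: expected exactly one signer certificate"
    if len(published) < min_channels:
        # One channel alone (e.g. only the README) cannot be cross-checked.
        return "reject: too few independent channels to compare"
    values = {normalize(fp) for fp in published.values()}
    if len(values) > 1:
        # At least one channel was altered; do not guess which one is right.
        return "reject: channels disagree"
    if signers[0] not in values:
        return "reject: APK certificate matches no published fingerprint"
    return "ok"

if __name__ == "__main__":
    print(check(SAMPLE_OUTPUT, {"readme": GOOD, "website": GOOD.upper()}))
```
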