Software Verification

Verification overview

Verifying software before you install it is essential to ensuring you have downloaded the exact file which has been created and published by the developer of the project.

Each Ashigaru software release (e.g. .apk file) is accompanied by a PGP signed message. The PGP signed message contains a SHA-256 hash of the corresponding software release.

Verifying a software release is therefore a two-part process:

Part #1: Verifying PGP Signed Message

Using a PGP application, verify the PGP signed message has been signed by the Ashigaru Dev PGP Key.

Part #2: SHA-256 Hash Verification

For the software you have downloaded locally to your device (e.g. the .apk file), hash the file using a SHA-256 algorithm. Verify the hash output from this operation matches the hash contained in the PGP signed message from Part #1.
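Part #2 carried out with Python on a desktop, as an added example that is not part of the Ashigaru documentation or the project's own tooling. It assumes Part #1 has already succeeded in a PGP application, that the message is in PGP clearsigned form, and that hashes appear in it as 64-character hex strings. It reads hashes only from inside the signed body, because text placed before or after that region is not covered by the signature.

```python
import hashlib
import hmac
import pathlib
import re
import tempfile

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
SHA256_HEX = re.compile(r"\b[0-9a-fA-F]{64}\b")  # exactly 64 hex characters


def signed_body(clearsigned: str) -> list[str]:
    """Return only the lines the signature covers (OpenPGP cleartext framework)."""
    lines = [line.rstrip() for line in clearsigned.splitlines()]
    try:
        start = lines.index(BEGIN_MSG)
        end = lines.index(BEGIN_SIG, start)
        # Armor headers such as "Hash: SHA512" end at the first empty line.
        body_start = lines.index("", start, end) + 1
    except ValueError:
        raise ValueError("not a PGP clearsigned message") from None
    # Undo dash-escaping: a signed line starting with "-" is stored as "- -...".
    return [ln[2:] if ln.startswith("- ") else ln for ln in lines[body_start:end]]


def signed_hashes(clearsigned: str) -> set[str]:
    """Collect SHA-256 digests from the signed body, ignoring text outside it."""
    return {h.lower() for ln in signed_body(clearsigned) for h in SHA256_HEX.findall(ln)}


def sha256_file(path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # 1 MiB chunks, APKs are large
            digest.update(chunk)
    return digest.hexdigest()


def release_matches(path, clearsigned: str) -> bool:
    """Part #2: True only if the file's hash appears inside the signed body."""
    actual = sha256_file(path)
    return any(hmac.compare_digest(actual, h) for h in signed_hashes(clearsigned))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed stand-in for a download
        apk = pathlib.Path(d, "release.apk")
        apk.write_bytes(b"constructed release bytes")
        msg = f"{BEGIN_MSG}\nHash: SHA512\n\n{sha256_file(apk)}  release.apk\n{BEGIN_SIG}\n"
        print("match" if release_matches(apk, msg) else "MISMATCH: do not install")
```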


Verification Methods

There are various ways to verify software depending on which operating system you are using, and which applications are available to you. These documentation pages guide you through two methods using an Android device:

Method 1 - Mobile browser based software verification

Difficulty: Beginner
Sovereignty: Low

Method 2 - Android app based software verification

Difficulty: Intermediate
Sovereignty: High


First time download & install

It is recommended that the first time you download the Ashigaru APK file, you carry out Part #1 and Part #2 to verify the software release before installing, following either the Method 1 guide or the Method 2 guide.

Updating the Android application

Once you have installed the Ashigaru mobile application, carrying out software verification for subsequent app updates is not essential. You may skip straight to updating the application by tapping the newly downloaded APK file in your Android files, then tapping "Update".

Android will not allow the Ashigaru application to be updated unless the new APK file uses the same unique developer Java KeyStore*.

This is of course up to you, and you may choose to carry out software verification for every Ashigaru mobile application release prior to updating.

If, when attempting to update the existing Ashigaru application on your Android device, you are presented with the on-screen option to tap "install" rather than tap "update", stop immediately. Do not proceed to install the application. It is likely the APK you have downloaded is malicious and was not released by the Ashigaru Open Source Project. If this occurs, please consider reporting this to the Ashigaru Open Source Project via the official contact method here, and include in your correspondence the source of where you downloaded the APK file from.

*The Java KeyStore can be thought of as a unique key which is used when building an APK. Only Ashigaru Dev has access to the unique Java KeyStore used to create the official Ashigaru APK release. This prevents any third party from building a malicious version of Ashigaru with the same application ID and duping you into updating your existing mobile application, as they (the "third party") will not have the same Java KeyStore as Ashigaru Dev. Therefore, if you attempt to update an existing Ashigaru application with an APK file that uses a different Java KeyStore, Android will prevent the existing application from being updated and report on-screen "App not installed as package conflicts with an existing package".

If this occurs please consider reporting this to the Ashigaru Open Source Project via the official contact method here, and include in your correspondence the source of where you downloaded the APK file from.