Android app based software verification
Difficulty: Intermediate
Sovereignty: High
Though this method of software verification is easy to follow, it may require you to have a small amount of existing software verification knowledge to grasp exactly what you are doing, and what you are achieving when following each step.
The benefit of following this guide is that all verification steps are carried out locally on your Android device, which gives you more sovereignty over each operation and minimizes trust in third parties. Additionally, by importing the developer's PGP public key into your device, it is ready to be used again for verifying future software releases.
Prerequisite
Download and install the following Android mobile applications:
- OpenKeychain
- HashEasily
- Tor mobile browser (mandatory)
Note: it is not required to grant OpenKeychain or HashEasily network permissions when installing on your mobile device.
Part #1: Verifying PGP Signed Message
Import developer's PGP public key
- Using the Tor browser mobile application, navigate to Ashigaru Dev's Keybase profile:
- Keybase Ashigaru Dev - Tor .onion URL
- Copy to clipboard the "ashigarudev's public key"
- Launch the OpenKeychain mobile application
- Tap the plus "+" icon, then select "Import from File"
- Tap the three dots "⋮" icon in the top right corner, then tap "Read from clipboard"
- Tap "IMPORT" to add the Ashigaru Dev PGP Key to your OpenKeychain app
Verify PGP signed message of software release
- Using the Tor browser mobile application, navigate to the Ashigaru Downloads page
- Copy to clipboard the "SHA-256 Hash of the APK file"
- Launch the OpenKeychain mobile application
- Tap the icon in the top left to expand the menu
- Tap "Encrypt/Decrypt"
- Tap "Read from clipboard"
Successful result ✅
Successful verification is confirmed if the following is displayed on screen:
- "Signed by unconfirmed key"
- "Ashigaru Dev
Key ID: a138 06b1 fa2a 676b"
This confirms the "SHA-256 Hash of the APK file" was signed by Ashigaru Dev's PGP Key.
After confirming a successful result, continue to Part #2
Unsuccessful result ❌
If the "SHA-256 Hash of the APK file" was not signed by Ashigaru Dev's PGP Key, any of the following will be displayed:
- "Signed by unknown public key"
"<no name>"
- "Encountered an error reading input data!"
- "Not Encrypted"
"Invalid signature"
or
- Any result other than what is stated in the "successful result" section
In the event of an unsuccessful result, you should stop immediately. Do not continue to Part #2. Do not install the software application. Seek advice from a community member.
Part #2: SHA-256 Hash Verification
Download the Ashigaru software file
- Using the Tor browser mobile application, navigate to the Ashigaru Downloads page
- Download the Ashigaru APK file to your Android device
Hash the file
- Launch the HashEasily mobile application
- Tap "SELECT FILES"
- Select the Ashigaru APK file downloaded in the previous step
- Tap the "SHA-256" button
After the application has completed this operation, the following is displayed on screen:
- Name of file. In this example:
ashigaru_v0.0.5.apk
- SHA-256 hash output. In this example:
2894483df87230c5772fbe5a12d8f456e417bd13eff2fddd776666b577efe041
Compare hash outputs
Visually confirm that the SHA-256 hash output from the HashEasily application is an exact match of the SHA-256 hash in the "SHA-256 Hash of the APK file" from Part #1.
Successful result ✅
Successful verification is confirmed if:
- Both SHA-256 hashes are the same
This confirms the APK file you have downloaded is the same file publicly released by the developer in control of the Ashigaru Dev PGP Key.
After confirming a successful result, continue to install the Ashigaru mobile application.
Unsuccessful result ❌
If the two SHA-256 hashes do not match, this means the APK file you have downloaded is not the same file which has been publicly released by the developer in control of the Ashigaru Dev PGP Key.
In the event of an unsuccessful result, you should stop immediately. Do not install the software application. Seek advice from a community member.
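The Part #2 comparison can also be done programmatically instead of by eye. The following is an added example, not part of the original guide or the Ashigaru project: it reads the hash only from the signed region of the message and compares it to the file's hash character for character. It assumes the "SHA-256 Hash of the APK file" is an OpenPGP clearsigned text message; all function names are hypothetical, the sample message is constructed, and it does not check the signature itself, which remains the job of Part #1.

```python
import hashlib
import hmac
import re

# Text between the armor header block and the signature is what the signature covers.
CLEARSIGN = re.compile(
    r"^-----BEGIN PGP SIGNED MESSAGE-----\n(?:Hash: [^\n]*\n)*\n"
    r"(.*?)\n-----BEGIN PGP SIGNATURE-----",
    re.M | re.S,
)

def signed_body(message: str) -> str:
    """Return only the text the signature covers; anything outside is unsigned."""
    m = CLEARSIGN.search(message.replace("\r\n", "\n"))
    if m is None:
        raise ValueError("no clearsigned block found")
    # Undo OpenPGP dash-escaping ("- " prefix on lines that start with "-").
    return "\n".join(l[2:] if l.startswith("- ") else l for l in m.group(1).split("\n"))

def published_sha256(message: str) -> str:
    """Extract the single SHA-256 value from the signed body, lowercased."""
    found = {h.lower() for h in re.findall(r"\b[0-9a-fA-F]{64}\b", signed_body(message))}
    if len(found) != 1:
        raise ValueError(f"expected exactly one SHA-256 value, found {len(found)}")
    return found.pop()

def file_sha256(path: str) -> str:
    """Hash the file in 1 MiB chunks so a large APK is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def apk_matches(path: str, message: str) -> bool:
    """True only if every character of both hashes is identical."""
    return hmac.compare_digest(file_sha256(path), published_sha256(message))

def sample_message(digest: str) -> str:
    """Constructed sample: decoy hash outside the signed block, placeholder signature."""
    return (
        "Unsigned text: " + "0" * 64 + "\n"
        "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
        "sample.apk\n" + digest.upper() + "\n"
        "-----BEGIN PGP SIGNATURE-----\n\n(constructed placeholder)\n"
        "-----END PGP SIGNATURE-----\n"
    )
```

A hash that appears outside the signed block, such as the decoy line in the sample, is ignored because the signature does not cover it.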