Software Verification

Mobile browser based software verification

Difficulty: Beginner
Sovereignty: Low

This is the simplest method of software verification. It requires minimal effort and lets you gain trust in the software you have downloaded before installing it.

This method relies on online services/tools rather than performing operations locally on your device, and as such is not as sovereign. However, it is still an effective method of software verification and should be the bare minimum that every individual carries out prior to installing an APK application for the first time.


Prerequisite

Download and install the following Android mobile application:


Part #1: Verifying PGP Signed Message

Copy PGP Signed message

  1. Navigate to the Ashigaru Downloads page
  2. Copy to clipboard the "SHA-256 Hash of the APK file"

Verify PGP signed message on Keybase

  1. Using the Tor browser mobile application, navigate to the Keybase online verify tool:
  2. Paste the contents of your clipboard into the textbox
  3. Tap "Verify"

Successful result ✅

Successful verification is confirmed if the following is displayed on screen:

  • "✔ Signed by ashigarudev"

Tapping "ashigarudev" takes you to Ashigaru Dev's official Keybase profile, which should look identical to the following:

This confirms the "SHA-256 Hash of the APK file" was signed by Ashigaru Dev's PGP Key.

After confirming a successful result, continue to Part #2


Unsuccessful result ❌

If the "SHA-256 Hash of the APK file" was not signed by Ashigaru Dev's PGP Key, any of the following will be displayed:

    • "Error: Keybase doesn't have the public key that signed this message"
    • "Error: checksum mismatch"
    • "Error: hash mismatch"
    • "Error: Bad line in clearsign header"

or

    • Any result other than what is stated in the "successful result" section

In the event of an unsuccessful result, you should stop immediately. Do not continue to Part #2. Do not install the software application. Seek advice from a community member.


Part #2: SHA-256 Hash Verification

Download the Ashigaru software file

  1. Using the Tor browser mobile application, navigate to the Ashigaru Downloads page
  2. Download the Ashigaru APK file to your Android device

Hash the file

  1. Using the Tor browser mobile application, navigate to the hash-file online tool:
    • Hash-file online - URL
  2. Tap "Browse"
  3. Select from your Android files the APK you downloaded earlier
  4. Select "SHA-256 | 256-bit" from the hash function options
  5. Tap "Launch hash process"

After the tool has completed this operation, displayed on screen is:

    • Name of file. In this example:
      ashigaru_v0.0.5.apk
    • Your file hash (SHA-256 hash output). In this example:
      2894483df87230c5772fbe5a12d8f456e417bd13eff2fddd776666b577efe041

Compare hash outputs

Visually confirm that the SHA-256 hash output from the hash-file online tool is an exact match of the SHA-256 hash in the "SHA-256 Hash of the APK file" from Part #1.


Successful result ✅

Successful verification is confirmed if:

    • Both SHA-256 hashes are the same

This confirms the APK file you have downloaded is the same file publicly released by the developer in control of the Ashigaru Dev PGP Key.

After confirming a successful result, continue to install the Ashigaru mobile application.


Unsuccessful result ❌

If the two SHA-256 hashes do not match, this means the APK file you have downloaded is not the same file which has been publicly released by the developer in control of the Ashigaru Dev PGP Key.

In the event of an unsuccessful result, you should stop immediately. Do not install the software application. Seek advice from a community member.
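
The Part #2 comparison can also be done by a program instead of by eye. The following is an added example, not part of the original guide or the Ashigaru project: it reads the digest only from the signed portion of the clearsigned message and compares it to the hash of the downloaded file. It assumes the signed text contains exactly one 64-character hex digest, and it does not check the PGP signature itself, so Part #1 must still succeed first.

```python
import hashlib
import hmac
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
HEX64 = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])")


def signed_body(clearsigned: str) -> str:
    """Return only the text the signature covers; anything outside is unsigned."""
    lines = clearsigned.replace("\r\n", "\n").split("\n")
    start = lines.index(BEGIN_MSG)        # ValueError if the frame is missing
    end = lines.index(BEGIN_SIG, start)
    blank = lines.index("", start, end)   # armor headers ("Hash: ...") end here
    # Undo dash-escaping: a signed line starting with "-" is sent as "- -...".
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[blank + 1:end])


def published_sha256(clearsigned: str) -> str:
    """Extract the one SHA-256 digest in the signed body; refuse ambiguity."""
    found = {h.lower() for h in HEX64.findall(signed_body(clearsigned))}
    if len(found) != 1:
        raise ValueError(f"expected exactly one SHA-256 digest, found {len(found)}")
    return found.pop()


def file_sha256(path: str) -> str:
    """Hash the file in 1 MiB chunks so a large APK is never fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def apk_matches(path: str, clearsigned: str) -> bool:
    """True only if every one of the 64 hex characters agrees."""
    return hmac.compare_digest(file_sha256(path), published_sha256(clearsigned))


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a stand-in file and message; the signature is fake.
    with tempfile.NamedTemporaryFile(suffix=".apk", delete=False) as tmp:
        tmp.write(b"constructed stand-in for an APK")
    msg = (f"{BEGIN_MSG}\nHash: SHA256\n\nsample.apk\n{file_sha256(tmp.name)}\n"
           f"{BEGIN_SIG}\n\n(constructed)\n-----END PGP SIGNATURE-----\n")
    print("match" if apk_matches(tmp.name, msg) else "MISMATCH: do not install")
```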