
feat: Add signature hash to README.md

Open quixaq opened this issue 3 months ago • 7 comments

Feature description

Provide a SHA-256 signature hash in README.md so it can be verified with apksigner or with https://github.com/soupslurpr/AppVerifier

Motivation

This should be added because it makes anyone able to verify if the app is actually ReVanced Manager and would make it more secure to sideload it.

Acknowledgements

  • [x] I have checked all open and closed feature requests and this is not a duplicate.
  • [x] I have chosen an appropriate title.
  • [x] The feature request is only related to ReVanced Manager.

quixaq avatar Sep 27 '25 05:09 quixaq

I'm not sure if it's a good idea to add another verification when we already have a better way of doing it through GitHub Attestation using SLSA. You can run an SLSA provenance check on the app to check if it's authentic or not. (This repository is SLSA 1.0 Level 2 compliant)

See: https://github.com/ReVanced/revanced-manager/attestations

validcube avatar Sep 27 '25 10:09 validcube

All that is needed to verify the signature is a SHA-256 hash of the signing certificate; you don't have to set up anything, and unlike the SLSA provenance check, verifying the signature of an app can be done if the app is already installed too. Android already verifies the signature on updates; however, it blindly trusts the signature of the file that was installed. Play Store and, for example, https://accrescent.app/ already verify the signature; however, for sideloading you need to have the hash of the signature first if you want to verify it.

quixaq avatar Sep 28 '25 20:09 quixaq
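
The check described in the comment above, as an added example that is not part of the original thread or ReVanced's code: it compares the signing-certificate digest from `apksigner verify --print-certs` with a fingerprint obtained out of band. The digest values and `sample_output` are constructed, and the `Signer #N certificate SHA-256 digest:` line format is an assumption about apksigner's output.

```shell
#!/bin/sh
# Added example: pin an APK's signing certificate by its SHA-256 digest.

# Canonical form: lowercase hex without colons or whitespace, so that
# "AB:CD:..." and "abcd..." spellings of one fingerprint compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'ABCDEF' 'abcdef'
}

# Usage: apksigner verify --print-certs app.apk | check_signer "$PINNED"
# Returns 0 on match, 1 on mismatch, 2 on a malformed pin,
# 3 when the output does not list exactly one signer.
check_signer() {
    pinned=$(normalize_fp "$1")
    [ "${#pinned}" -eq 64 ] || return 2
    case "$pinned" in *[!0-9a-f]*) return 2 ;; esac
    # Assumed line format: "Signer #1 certificate SHA-256 digest: <hex>".
    # Only hex is captured, so the unquoted expansion below is safe.
    digests=$(sed -n 's/^Signer #[0-9][0-9]* certificate SHA-256 digest: *\([0-9A-Fa-f]*\)[[:space:]]*$/\1/p')
    set -- $digests            # one positional parameter per signer
    [ "$#" -eq 1 ] || return 3 # refuse unsigned or multi-signer output
    [ "$(normalize_fp "$1")" = "$pinned" ]
}

# Constructed sample of apksigner output (not a real certificate).
sample_output() {
    cat <<'EOF'
Signer #1 certificate DN: CN=Example Signer
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
EOF
}

# Constructed pin, written in the colon-separated uppercase style.
SAMPLE_PIN="01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF"

if sample_output | check_signer "$SAMPLE_PIN"; then
    echo "signing certificate matches the pinned fingerprint"
fi
```

The pin is only as trustworthy as the channel it was obtained through, and the same comparison works on the installed app's certificate digest.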

We consistently sign assets via GPG keys on our repositories. Compose manager branch already incorporates this too. For reference, check the patches repo release assets.

The signing key won't be hard coded into the readme because the source code is agnostic to the signatory, which is environment specific. The signing key is only used in the release workflow and not embedded in the source code. If you embed the hash of the signing key, it wouldn't match forks that would set up their own key in their own env, which is proof of wrong design.

That said, assets are consistently signed across our organization and you can use ReVanced's signing key to verify them. This way all assets are equally treated as arbitrary blobs and thus can all be verified the same way, instead of each repository incorporating its own signature system (like Android).

oSumAtrIX avatar Sep 28 '25 20:09 oSumAtrIX

On Android, you should be relying on the Android way of verifying Android apps. The README is not source code and already links to environment specific things like revanced.app. Mismatching signatures is a non-issue for forks that are only intended for submitting upstream PRs, and forks that intend to replace our project can trivially remove our signature or replace it with their own. An alternative way to publish the expected signature would be through the website.

Axelen123 avatar Oct 02 '25 21:10 Axelen123

On Android, you should be relying on the Android way of verifying Android apps.

On Android it already does exactly that. This here, is not Android.

The signature should not be published on the readme. No repo does it, neither is it needed. Signature verification systems are behind the scenes and the signature file is uploaded as an asset respective to the release asset.

If you want to verify assets manually you can use the public key of ReVanced, but for that we'll need a whole system, not just a quick readme change.

The Android signature is not needed here at all, because we sign the asset as an arbitrary file with our signing key. On the Android platform the signature handles the rest.

oSumAtrIX avatar Oct 02 '25 22:10 oSumAtrIX

Can I work on this?

Manasvi05Dadhich avatar Oct 10 '25 12:10 Manasvi05Dadhich

Can I work on this?

Hi, this is more discussion than work; at the moment there's no implementation in mind.

Ushie avatar Oct 10 '25 13:10 Ushie