
Feature Request: signed manifest.asc containing the .apk hashes, to verify GPG sigs directly on Android

Open Scollop355 opened this issue 8 months ago • 4 comments

I request a signed manifest.asc containing the .apk file hashes which my "OpenKeychain" app on Android can read.

The currently listed .apk files on the Electrum websites can only be verified using a P.C. I don't have a P.C.

I can then verify the Electrum .apk downloads prior to installing rather than trust an Electrum website or Google Play download, which is less safe.

UPDATE: Well, 29 days passed and no response. So you're fine with .apk files being installed from your website on Android but offering no way to check the signatures on those .apk files in Android, which can easily be done with a downloadable signed manifest.asc.

You're clearly don't take security seriously and have no concerns about users losing funds.

Scollop355 avatar May 01 '25 14:05 Scollop355

Well, 29 days passed and no response

This is a free software project. You are welcome to contribute.

Could you at the very least include an example of such a manifest file?

SomberNight avatar Jul 16 '25 22:07 SomberNight

Here's the info to help explain what I mean, so hopefully you can offer the same option to us Android users with no P.C. so we can verify your released Electrum .apk using Android.

Example: a signed file by the developers of Green wallet that contains hashes for the Android app

SHA256SUMS.asc https://github.com/Blockstream/green_android/releases/tag/release_5.0.6

The SHA256SUMS.asc can be opened on Android with an app called OpenKeychain, which verifies that it is signed by the developer. You select the SHA256SUMS.asc file in Android and select "Decrypt with OpenKeychain". The app then confirms whether the file has been signed by the developer (using the imported public key) and shows the hashes for the files, which can be matched using the app "Hash Checker" on Android.

See attached image of OpenKeychain.

Hope this helps.


Scollop355 avatar Jul 25 '25 16:07 Scollop355

Ok, so the example manifest file looks like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

c3b791f60d287769a36aa6c9c447d5ef62fd270b2e5a1a5185532b2a22ad1a03  ./BlockstreamGreen-v5.0.6-productionGoogle-release.apk
806194ad63c64697970b2c0aecf8560d298cefc1bafa857b8b358dcd6de05139  ./BlockstreamGreen-v5.0.6-productionGoogle-release.apk.idsig
b84a3b45f443439c45f0ed7e7d31d1f72bf09a2b70635a0d79374cd7a1b3f10a  ./tmp_.apk
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Basically it's a list of release files and corresponding hashes, and then the whole thing is GPG-signed.

The issue then is that by design we don't have/want a single authoritative GPG key to sign release files with. If you follow the "Signatures" link on the Download page, it links to a file that contains multiple signatures by different keys/people for the same file, which gpg can parse. https://github.com/spesmilo/electrum-web/blob/ea9e4bb1be88e64e4c129f0926e1974a75630f98/index.html#L101

I guess what we could potentially do is have one manifest per signer/builder: SHA256SUMS.Emzy.asc, SHA256SUMS.ThomasV.asc, etc. These could commit to the hashes of all release binaries, not just the android apks. To avoid the confusion between the different formats, and because these manifests don't fit into the table on the download page anyway, we could list them only on download.electrum.org.

SomberNight avatar Jul 26 '25 03:07 SomberNight
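The hash-check half of the procedure discussed above, as an added example that is not code from the issue or from the Electrum project: it parses clearsigned manifests in the format quoted, compares the listed SHA-256 values against local file contents, and counts how many separate signers' manifests vouch for each file (the "one manifest per signer" idea). Signature verification itself is left to gpg/OpenKeychain as in the thread, and the manifest text, file names and file bytes are constructed samples.

```python
import hashlib
import re

# Constructed template for a clearsigned manifest in the quoted format. The signature
# block is a placeholder: checking it is left to gpg / OpenKeychain, not done here.
MANIFEST_TEMPLATE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

{apk}  ./example-wallet.apk
{idsig}  ./example-wallet.apk.idsig
-----BEGIN PGP SIGNATURE-----
(placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""
ENTRY_RE = re.compile(r"^([0-9a-f]{64})\s+\*?(\S.*)$")  # "<sha256>  <path>" sha256sum lines


def sha256_hex(data): return hashlib.sha256(data).hexdigest()


def parse_manifest(text):
    """Return {filename: sha256hex} from the signed body of a clearsigned manifest."""
    lines = text.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        end = lines.index("-----BEGIN PGP SIGNATURE-----")
    except ValueError:
        raise ValueError("not a clearsigned manifest") from None
    body = lines[start + 1:end]
    while body and body[0].strip():  # drop the 'Hash:' armor headers up to the blank line
        body.pop(0)
    entries = {}
    for line in body:
        m = ENTRY_RE.match(line.strip())
        if m:
            name = m.group(2)
            entries[name[2:] if name.startswith("./") else name] = m.group(1)
    return entries


def count_matching_signers(manifests, files):
    """For each local file (name -> bytes), how many manifests list exactly its SHA-256."""
    parsed = [parse_manifest(m) for m in manifests]
    return {name: sum(1 for p in parsed if p.get(name) == sha256_hex(data))
            for name, data in files.items()}


def ok_to_install(manifests, files, required):
    """True only if every file is vouched for by at least `required` signers' manifests."""
    return all(n >= required for n in count_matching_signers(manifests, files).values())


# Constructed sample data: two "signers", the second listing a different apk hash.
APK, IDSIG = b"constructed apk bytes, not a real apk", b"constructed idsig bytes"
GOOD_MANIFEST = MANIFEST_TEMPLATE.format(apk=sha256_hex(APK), idsig=sha256_hex(IDSIG))
BAD_MANIFEST = MANIFEST_TEMPLATE.format(apk="0" * 64, idsig=sha256_hex(IDSIG))
```

Run each manifest through `gpg --verify` (or OpenKeychain) first; a hash match in a manifest whose signature was not checked proves nothing.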

O.K. Thanks. I have found an Android app called APK Analyzer which can read an apk file and show the SHA-256 certificate signed by Thomas Voegtlin, as shown in the attached image. This will do for now until I acquire a mini P.C. to do the 3 signature method via Kleopatra.


Scollop355 avatar Jul 27 '25 14:07 Scollop355