How can I verify the APK files when installing Threema for Android?
Threema for Android’s APK files are cryptographically signed by Threema. Android only installs an update if it is signed with the same key as the app already present on the device, so a tampered update cannot replace a genuine installation.
If you also want to verify the initial installation, check the signer’s public key digest with apksigner:
$ANDROID_SDK/build-tools/$BUILD_TOOLS_VERSION/apksigner verify --print-certs -v $APK_FILE
Threema uses the following two public keys; apksigner prints each one as a SHA-256 and a SHA-1 digest, and the digest shown for your APK must match one of them exactly:
Public key SHA-256 digest: 269d600e1ce7e0a7ffddb18fb92251092938f5be38ea1113e29213564b32cb44
Public key SHA-1 digest: 07008ff982a9274c88d53454bd69aeb0ebc67727
Public key SHA-256 digest: 8042eee413093ad651a391da2ac5799ae1744a09fb44056d1fc2f1911a052e39
Public key SHA-1 digest: ed6aa31b8b08ff74b54e096805fadf6443d3a823
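A small check script, added here as an example (it is not part of Threema’s FAQ or tooling), that parses the output of the apksigner command above and accepts the APK only when every signer’s public key SHA-256 digest matches one of the two keys listed; the apksigner output it feeds itself is constructed so it runs without the Android SDK.

```shell
#!/bin/sh
# Known Threema public-key SHA-256 digests, copied from the FAQ above (one per line).
THREEMA_PUBKEY_SHA256='269d600e1ce7e0a7ffddb18fb92251092938f5be38ea1113e29213564b32cb44
8042eee413093ad651a391da2ac5799ae1744a09fb44056d1fc2f1911a052e39'

# Reads the output of `apksigner verify --print-certs -v <apk>` from stdin.
# Returns 0 only if apksigner reported "Verifies" and the public-key SHA-256
# digest of every signer matches one of the known Threema keys exactly.
check_apksigner_output() {
    out=$(cat)
    printf '%s\n' "$out" | grep -qx 'Verifies' \
        || { echo "apksigner did not verify the APK" >&2; return 1; }
    digests=$(printf '%s\n' "$out" | sed -n 's/^Signer #[0-9]* public key SHA-256 digest: *//p')
    [ -n "$digests" ] || { echo "no public key SHA-256 digest in output" >&2; return 1; }
    for d in $digests; do
        # -x: the whole line must match, so a truncated or padded digest is rejected
        printf '%s\n' "$THREEMA_PUBKEY_SHA256" | grep -qixF "$d" \
            || { echo "unknown signing key: $d" >&2; return 1; }
    done
    return 0
}

# Constructed sample in apksigner's output format (not from a real APK), so the
# checker can be exercised without the Android SDK. $1 is the public-key digest.
sample_output() {
    cat <<EOF
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Number of signers: 1
Signer #1 public key SHA-256 digest: $1
EOF
}

# Real use: apksigner verify --print-certs -v app.apk | check_apksigner_output
sample_output 269d600e1ce7e0a7ffddb18fb92251092938f5be38ea1113e29213564b32cb44 \
    | check_apksigner_output && echo "genuine Threema signing key"
# Same output but with a placeholder (all-zero) digest: rejected as an unknown key.
sample_output 0000000000000000000000000000000000000000000000000000000000000000 \
    | check_apksigner_output || echo "rejected"
```

Because the checker requires the literal "Verifies" line, an APK whose signature apksigner rejects is refused even before the key comparison.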