GrapheneOS
There is a good chance that I am talking out of my ass and don't know what I am talking about, so please excuse me if that is the case.
Where do you plan to get the key fingerprints for apps in order to check that they're correct for the initial install?
Accrescent may be a good example actually. If you look on their website it says in the FAQ:
How can I verify my download of Accrescent is legitimate?
Accrescent's signing certificate hash can be verified by using apksigner with the --print-certs option. Certificate hashes are published here, on GitHub, and on Twitter.
You should check the certificate hash from a different source than you got the app from. For example, if you download Accrescent from GitHub, you should verify the certificate hash from Twitter or this website to distrust the server.
Signing certificate hash: 067a40c4193aad51ac87f9ddfdebb15e24a1850babfa4821c28c5c25c3fdc071
Signal posts their hash as well on their website:
You can verify the signing certificate on the APK matches this SHA256 fingerprint:
29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0
EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Both projects link to apksigner, in the Android suite, to check hashes. I was asking about a feature where you could do this directly on Graphene. For example, you go to Accrescent's website on your Graphene device, download the APK, then use a tool to check the hash, compare it to the one they posted, and if it matches then you know it's legit; if not, then you know it's not.
I interpret this to mean you have to download the app onto your computer, use apksigner to validate it, then transfer it to your phone somehow. Now I could be totally mistaken and missing something; that's why I was originally asking.
How does this hold you back from using GrapheneOS?
I was thinking about potentially just using the APKs and not using Google services, but I don't know how I could go about verifying the APK other than using apksigner on a computer. It would be significantly easier to have that feature built into Graphene. I thought that was what the GitHub issue I posted above was alluding to. I understand it may not be a huge priority, so it isn't ultimately a big issue. I was just curious is all.
TL;DR: Does GrapheneOS have a built-in tool to validate APK hashes directly on device before installing them to check if they are legitimate? If not, is it a feature in development or a potential future feature? How would Graphene recommend verifying APKs before installing without said feature?
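To make concrete what the "check the signing certificate hash" step from the Accrescent and Signal FAQs actually computes, here is an added example (not code from GrapheneOS, Accrescent, Signal or apksigner) that does the same extraction apksigner does for `--print-certs`: it locates the APK Signing Block in front of the zip central directory, walks the v2/v3 signer list, takes each signer's leading DER certificate, and compares its SHA-256 digest against a published fingerprint in either style seen above (bare lowercase hex, or colon-separated uppercase pairs wrapped over lines). The `build_demo_apk` fixture and `DEMO_CERT` are constructed for the example and are not real certificates; the demo signing block carries no digests or signatures, so it only exercises the parser. This deliberately checks the certificate hash only; it does not verify the signature over the APK contents, which the Android package installer does at install time. Matching the published certificate hash tells you the APK was signed by the developer's key, not that a random file with that certificate stapled on is intact, so the two checks complement each other.

```python
import hashlib
import hmac
import io
import struct
import zipfile

# Format constants from the APK Signature Scheme v2/v3 specification.
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A
V3_BLOCK_ID = 0xF05368C0
EOCD_SIGNATURE = b"PK\x05\x06"


def _central_directory_offset(data: bytes) -> tuple[int, int]:
    """Return (eocd_offset, central_directory_offset) from the zip EOCD record."""
    eocd = data.rfind(EOCD_SIGNATURE)
    if eocd < 0:
        raise ValueError("not a zip file: no End Of Central Directory record")
    return eocd, struct.unpack_from("<I", data, eocd + 16)[0]


def extract_signing_block(data: bytes) -> dict[int, bytes]:
    """Find the APK Signing Block just before the central directory; return ID -> value."""
    _, cd_offset = _central_directory_offset(data)
    if cd_offset < 24:
        raise ValueError("no room for an APK Signing Block")
    size_of_block, magic = struct.unpack_from("<Q16s", data, cd_offset - 24)
    if magic != APK_SIG_BLOCK_MAGIC:
        raise ValueError("APK Signing Block magic not found (unsigned or v1-only APK)")
    block_start = cd_offset - size_of_block - 8          # size field excludes itself
    if block_start < 0 or struct.unpack_from("<Q", data, block_start)[0] != size_of_block:
        raise ValueError("APK Signing Block size fields disagree")
    pairs = data[block_start + 8 : cd_offset - 24]
    blocks, pos = {}, 0
    while pos < len(pairs):
        pair_len = struct.unpack_from("<Q", pairs, pos)[0]   # covers uint32 ID + value
        block_id = struct.unpack_from("<I", pairs, pos + 8)[0]
        blocks[block_id] = pairs[pos + 12 : pos + 8 + pair_len]
        pos += 8 + pair_len
    return blocks


def _read_lp(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read one uint32-length-prefixed field; return (field, position after it)."""
    n = struct.unpack_from("<I", buf, pos)[0]
    end = pos + 4 + n
    if end > len(buf):
        raise ValueError("truncated length-prefixed field")
    return buf[pos + 4 : end], end


def signer_leading_certificates(sig_value: bytes) -> list[bytes]:
    """Return each signer's first (leaf) DER certificate. v2 and v3 signers both start
    with length-prefixed signed data, whose first two fields are digests then certs,
    so one walk serves both schemes."""
    signers, _ = _read_lp(sig_value, 0)
    certs, pos = [], 0
    while pos < len(signers):
        signer, pos = _read_lp(signers, pos)
        signed_data, _ = _read_lp(signer, 0)
        _digests, p = _read_lp(signed_data, 0)
        cert_seq, _ = _read_lp(signed_data, p)
        certs.append(_read_lp(cert_seq, 0)[0])
    return certs


def apk_certificate_fingerprints(apk: bytes) -> list[str]:
    """SHA-256 hex digest of each signer's certificate, as apksigner --print-certs shows."""
    blocks = extract_signing_block(apk)
    for block_id in (V3_BLOCK_ID, V2_BLOCK_ID):
        if block_id in blocks:
            return [hashlib.sha256(c).hexdigest() for c in signer_leading_certificates(blocks[block_id])]
    raise ValueError("no v2/v3 signature block present")


def normalize_fingerprint(fp: str) -> str:
    """Accept bare lowercase hex or colon-separated uppercase pairs, possibly line-wrapped."""
    cleaned = "".join(ch for ch in fp if ch not in ":\n\r\t ").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("expected 64 hex digits")
    return cleaned


def fingerprint_matches(apk: bytes, published: str) -> bool:
    """True if any signer certificate hashes to the published fingerprint."""
    expected = normalize_fingerprint(published)
    return any(hmac.compare_digest(actual, expected) for actual in apk_certificate_fingerprints(apk))


def _lp(b: bytes) -> bytes:
    return struct.pack("<I", len(b)) + b


def build_demo_apk(cert_der: bytes) -> bytes:
    """Constructed fixture: a minimal zip plus a v2-shaped signing block holding only the
    certificate. Digests, signatures and public key are empty, so it is NOT validly signed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
    data = bytearray(buf.getvalue())
    signed_data = _lp(b"") + _lp(_lp(cert_der)) + _lp(b"")   # digests, certificates, attributes
    signer = _lp(signed_data) + _lp(b"") + _lp(b"")          # signed data, signatures, public key
    pair = struct.pack("<I", V2_BLOCK_ID) + _lp(_lp(signer))  # value = lp(sequence of lp(signer))
    pairs = struct.pack("<Q", len(pair)) + pair
    size_of_block = len(pairs) + 8 + 16                      # pairs + trailing size + magic
    block = struct.pack("<Q", size_of_block) + pairs + struct.pack("<Q", size_of_block) + APK_SIG_BLOCK_MAGIC
    eocd, cd_offset = _central_directory_offset(bytes(data))
    data[cd_offset:cd_offset] = block                        # splice block in front of the central directory
    struct.pack_into("<I", data, eocd + len(block) + 16, cd_offset + len(block))  # fix EOCD's CD offset
    return bytes(data)


DEMO_CERT = b"CONSTRUCTED FAKE CERTIFICATE BYTES, NOT A REAL X.509 DER BLOB"  # placeholder, constructed
DEMO_APK = build_demo_apk(DEMO_CERT)
DEMO_FINGERPRINT = hashlib.sha256(DEMO_CERT).hexdigest()

if __name__ == "__main__":
    print(apk_certificate_fingerprints(DEMO_APK))
    print(fingerprint_matches(DEMO_APK, DEMO_FINGERPRINT))
```

Against a real APK you would pass the file bytes instead of `DEMO_APK` and the fingerprint copied from the developer's second channel (website, GitHub or Twitter in the Accrescent FAQ); the normalizer exists precisely so that Signal's colon-separated two-line form and Accrescent's bare hex compare equal without manual reformatting.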