@matchboxbananasynergy
Do you have thoughts on best practice for verifying AppVerifier, in a way that is accessible to non-CLI users? Bit of a "chicken or egg" problem.
For instance, if the user obtains the AppVerifier apk from Github Releases, installs it, and retroactively uses Appverifier to display the fingerprint of the apk they just installed, they can't really trust that it's showing them the true fingerprint. If AppVerifier was available on Google Play that could be the root of trust, but it's not. It's available on Accrescent, but this just moves the same problem to another apk because you need a (non-CLI) way to verify the authenticity of the Accrescent apk...