Longtime lurker, first post. I'm transitioning to a new Pixel+GOS and have been reading on chain of trust. Until Accrescent is mirrored on GOS, is this a reasonable and optimized chain of trust?
Steps I followed (skill level = enthusiast):
Set up a new Ubuntu VM on a Linux desktop.
Download Accrescent.apk from the Accrescent site.
In the terminal, verify the APK with apksigner and compare the signing certificate hash to those listed on GitHub, X and the website.
Search apkmirror.com for the signing certificate hash to see what else is signed with it. (This step is probably not needed? I read about doing it and tried it.)
Sideload Accrescent.apk to Pixel.
Download APKverifier from within Accrescent on Pixel.
Download Obtainium from GitHub in the Ubuntu VM on the desktop.
In the terminal, import Imran's PGP key and verify the signature. Verify Obtainium with apksigner as well.
Will now use Obtainium to obtain other apps.
Was both integrity AND identity verified for Accrescent.apk?
I know a weakness here is that I've used a computer to verify APKs for GOS.
Should I just park this phone until Accrescent is mirrored in Apps on GOS and will be verified with Auditor?
Any tips?
Thanks
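The two checks in the procedure above (compare the apksigner certificate digest against a published fingerprint, and confirm a PGP signature comes from the expected key) are easy to get subtly wrong when done by eye, because published fingerprints are often upper-case and colon-separated while apksigner prints lower-case hex. The script below is an added example, not code from the original post or from the Accrescent or Obtainium projects. It normalises fingerprints before comparing them, parses `apksigner verify --print-certs` and `gpg --status-fd 1 --verify` output, and refuses anything that is not an exact 64-hex match. Every fingerprint and every line of sample tool output in it is a constructed placeholder; substitute the real values you copied from the projects' own pages.

```shell
#!/bin/sh
# Added example (not from the original post). Pins an APK signing-certificate
# SHA-256 and a PGP primary-key fingerprint, and checks tool output against
# them. All fingerprints and sample outputs here are CONSTRUCTED placeholders.

# Normalise a fingerprint as published on a website/GitHub/X (may be
# upper-case, colon- or space-separated) to bare lower-case hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Extract the Signer #1 certificate SHA-256 digest from
# `apksigner verify --print-certs` output supplied on stdin.
cert_sha256_from_output() {
    sed -n 's/^Signer #1 certificate SHA-256 digest: *\([0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# Exact match of a cert digest against a pinned value. Returns 0 on match,
# 1 if the digest is missing, malformed (not 64 hex chars) or different.
fingerprint_matches() {
    got=$(normalize_fp "$1")
    want=$(normalize_fp "$2")
    [ -n "$got" ] && [ "${#got}" -eq 64 ] && [ "$got" = "$want" ]
}

# Given the status output of `gpg --status-fd 1 --verify sig file` and a
# pinned PRIMARY key fingerprint, succeed only if gpg reported VALIDSIG and
# the primary-key fingerprint (last field of that line) equals the pin.
pgp_signed_by() {
    want=$(normalize_fp "$2")
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { if (tolower($NF) == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Real-world wrapper: run apksigner on an APK and compare to the pinned value.
# Usage: verify_apk path/to/app.apk "<pinned sha256 fingerprint>"
verify_apk() {
    apk=$1; pin=$2
    out=$(apksigner verify --print-certs "$apk") || {
        echo "apksigner: signature on $apk is not valid"; return 1; }
    got=$(printf '%s\n' "$out" | cert_sha256_from_output)
    if fingerprint_matches "$got" "$pin"; then
        echo "OK: $apk is signed by the pinned certificate"
    else
        echo "MISMATCH: got '$got', expected '$(normalize_fp "$pin")'"; return 1
    fi
}

# Real-world wrapper for a detached PGP signature (e.g. app.apk.asc).
# Usage: verify_pgp path/to/app.apk.asc path/to/app.apk "<pinned primary fpr>"
verify_pgp() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null)
    if pgp_signed_by "$status" "$3"; then
        echo "OK: $2 is signed by the pinned PGP key"
    else
        echo "MISMATCH: no VALIDSIG from the pinned key for $2"; return 1
    fi
}

# Constructed sample apksigner output (placeholder digest, not any real app's).
SAMPLE_APKSIGNER='Signer #1 certificate DN: CN=Example Developer
Signer #1 certificate SHA-256 digest: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
Signer #1 certificate SHA-1 digest: a94a8fe5ccb19ba61c4c0873d391e987982fbbd3'

# The same digest as a site might publish it.
SAMPLE_PUBLISHED='9F:86:D0:81:88:4C:7D:65:9A:2F:EA:A0:C5:5A:D0:15:A3:BF:4F:1B:2B:0B:82:2C:D1:5D:6C:15:B0:F0:0A:08'

# Constructed gpg status output (placeholder 40-hex fingerprint).
SAMPLE_GPG_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_PGP_PIN='0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567'
```

`verify_apk` and `verify_pgp` are the ones to run against a downloaded file; the parsing functions are separated out so the comparison logic can be exercised on the embedded sample output without apksigner or gpg installed. Note that `pgp_signed_by` pins the primary key fingerprint rather than the signing subkey, so a rotated subkey under the same primary key still passes while a different key does not, and that VALIDSIG is only emitted for a cryptographically good signature, so a bad or missing signature fails the check without any separate error handling.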