Signal's SHA256 fingerprint is mismatching

wtfguy

Has anyone recently noticed that Signal Website's (www.signal.org/android/apk) SHA256 has recently been changed and is now mismatching the APK's actual fingerprint?

I used the Wayback Machine to verify it's not my downloaded APK that's tampered.

https://web.archive.org/web/20240703053953/https://signal.org/android/apk/

Website: 4B:E4:F6:CD:5B:E8:44:08:3E:90:02:79:DC:82:2A:F65A:54:7F:EC:C2:6A:BA:7F:F1:F5:20:3A:45:51:8C:D8

APKsigner: 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26

matchboxbananasynergy

They switched to Play app signing recently. It's possible they haven't updated the hashes.

wtfguy

The website's hash was updated.

matchboxbananasynergy

You can use https://github.com/soupslurpr/AppVerifier to check.

wtfguy

matchboxbananasynergy funny enough that one was outdated as well.

wtfguy

https://community.signalusers.org/t/recently-published-sha256-fingerprint-mismatching/61914

fid02

wtfguy So was this fixed by updating apksigner to the latest version?