Best practice for installing Obtainium from Github

bootloader

Does anyone know a good guide/any other source about what is the most secure way to install Obtainium? I have some experience with checking integrity of softwares, like checking shasum and basic understanding of signatures, but I am confused here. What version should I install on my GrapheneOS?
I see an .apk, .apk.idsig, apk.sha256 and apk.sha256.sig within every release: https://github.com/ImranR98/Obtainium/releases/tag/v1.1.15
What is the right method to download and verify their app? How or where can I learn about this?

ErnestThornhill

bootloader "app-arm64-v8a-release.apk" is what you want. You can use AppVerifier for verification. https://github.com/soupslurpr/AppVerifier.

Dumdum

bootloader
The best/easiest way is to install Accrescent from Graphene's App Store, then install App Verifier from Accrescent. Once App Verifier is installed, you can download the Obtainium APK but do not install it. First open App Verifier, select Verify APK file and choose the Obtainium APK. It should confirm under Status that its safe, then you can install.

astromox

Dumdum
Thanks for these instructions. I tried to follow exactly this. However, App Verifier shows the following:

Under "Internal Database Status" it shows "Success".
Under "Verification Status" it shows "Unknown".

I did try to download the apk.sha256 file from the release, opened it in a text editor, copied it, and in App Verifier chose "Verify from clipboard". This results in the "Verification Status" changing to "Failure".

Is that not the right method? Do the apk.idsig or apk.sha256.sig files need to be used somehow?

@bootloader when you tried this method did it work for you?

bootloader

@Dumdum @ErnestThornhill thank you! I just got and started to play with the App Verifier maybe a day ago, good to see that it's becoming handy so fastly.

ilovezano

Hello,

on windows i use these tools(apksigner, HashTab or 7zip)for helping verifying apk for obtainium beside AppVerifier

apksigner.jar --> https://developer.android.com/tools/apksigner#usage-verify
also helpful (https://stackoverflow.com/questions/26739114/android-studio-sdk-location)
you need to have android studio installed or build-tools to be able to use apksigner.jar

https://mirrors.cloud.tencent.com/AndroidSDK/
build-tools_r35-rc4_windows.zip

open build-tools location because you have to provide path to apksigner.jar in terminal
when you found the apksigner.jar, right click on file explorer and select open in terminal
(path looks like this as example→ build-tools_r34-rc2-windows\android\lib\

in terminal you can use this command

java -jar apksigner.jar verify --verbose --print-certs "Z:\graphene\obtainium\app-arm64-v8a-release.apk"

of course change this to your location of your apk file ("Z:\graphene\obtainium\app-arm64-v8a-release.apk" )

the output should be something like this:

Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v3.1 scheme (APK Signature Scheme v3.1): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
Signer #1 certificate DN: CN=Imran Remtulla, OU=Unknown, O=Unknown, L=Toronto, ST=Ontario, C=CA
Signer #1 certificate SHA-256 digest: b353601f6a1d5fd6603ae2f50be80cf301367b86b6ab8b1f66243da96cd57362
Signer #1 certificate SHA-1 digest: 2a92adb6e9e1bbc0d45a8ababec944d5d6d2e0bf
Signer #1 certificate MD5 digest: 73fcac941bd8d7d68e68d6cac00bb943
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: 813b383ddc3c2b3b647bb2c5131a46c371ebac9f886841c5cd641ac5853429b3
Signer #1 public key SHA-1 digest: df4c54db8d27078a16efbd3ad57c2ec1459bf2b1
Signer #1 public key MD5 digest: a605277934a63bece514b0bda82b3df9

java -jar apksigner.jar verify --verbose --print-certs "Z:\graphene\cake-wallet\Cake_Wallet_v4.20.1-arm64-v8a.apk"

you should get something like this:
Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
Signer #1 certificate DN: CN=Magic, OU=IT, O=Cake Wallet LTD, L=New York, ST=New York, C=US
Signer #1 certificate SHA-256 digest: c54053ab0f10d9541762a3da7665ae3dba5e7c743ab4f108a5349d62ac106ef5
Signer #1 certificate SHA-1 digest: 8c5deda3ae734bd9075993d59f1db57f03c8fbec
Signer #1 certificate MD5 digest: 1532162014fe472f6d03feac32c42bda
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: 6d78fc63d9e5d1b5f605465abe3dc7fb0fdf6cecfa46662776455b57f69ab7e2
Signer #1 public key SHA-1 digest: 8c7d88d1981d490799c35b4822076d40cfb55cbd
Signer #1 public key MD5 digest: 3153b404e83b1482aa0147202850578d

what your are searching is this:
Signer #1 certificate SHA-256 digest: b353601f6a1d5fd6603ae2f50be80cf301367b86b6ab8b1f66243da96cd57362

this is what you wanna "verify from clipboard"
for me its the same as shown in AppVerifier, if you send it to your phone and select verify from clipboard you get success

if I would have used Hashtab I wouldnt get this Signer #1 certificate SHA-256 digest, because its something different, you need to verify it with apksigner.jar

ilovezano

If i want to install cake wallet from github, where I found also the sha256 hash https://github.com/cake-tech/cake_wallet/releases
there i find:
=== SHA 256 ===
Cake_Wallet_v4.20.1-arm64-v8a.apk:
ffa6a09510705eae1d1de17e54acbcac006e77f98261abe818241ecf6de827fa

i put in app url source -> https://github.com/cake-tech/cake_wallet/
then i click on install and select to share info with AppVerifier

I get this

Internal Database Status: NOT FOUND
Cake Wallet
com.cakewallet.cake_wallet
c5:40:53:ab:0f:10:d9:54:17:62:a3:da:76:65:ae:3d:ba:5e:7c:74:3a:b4:f1:08:a5:34:9d:62:ac:10:6e:f5
Share/Copy Verification Info
Verify from clipboard
Verification status: unknown

I verify it with apksigner.jar
java -jar apksigner.jar verify --verbose --print-certs "Z:\graphene\cake-wallet\Cake_Wallet_v4.20.1-arm64-v8a.apk"

Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Verified using v3.1 scheme (APK Signature Scheme v3.1): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
Signer #1 certificate DN: CN=Magic, OU=IT, O=Cake Wallet LTD, L=New York, ST=New York, C=US
Signer #1 certificate SHA-256 digest: c54053ab0f10d9541762a3da7665ae3dba5e7c743ab4f108a5349d62ac106ef5
Signer #1 certificate SHA-1 digest: 8c5deda3ae734bd9075993d59f1db57f03c8fbec
Signer #1 certificate MD5 digest: 1532162014fe472f6d03feac32c42bda
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: 6d78fc63d9e5d1b5f605465abe3dc7fb0fdf6cecfa46662776455b57f69ab7e2
Signer #1 public key SHA-1 digest: 8c7d88d1981d490799c35b4822076d40cfb55cbd
Signer #1 public key MD5 digest: 3153b404e83b1482aa0147202850578d

again this is what im looking forcompared to AppVerifier, its the same
Signer #1 certificate SHA-256 digest: c54053ab0f10d9541762a3da7665ae3dba5e7c743ab4f108a5349d62ac106ef5

but where is the
=== SHA 256 ===
Cake_Wallet_v4.20.1-arm64-v8a.apk:
ffa6a09510705eae1d1de17e54acbcac006e77f98261abe818241ecf6de827fa

on my windows machine i have HashTab_v6.0.0.34_Setup.exe installed, when i right click on the apk and go to properties, theres a Tab: File Hashes

compare it with sha256 from github
and I get success message its the same value

or use 7zip
1.right click on apk then chose CRC-SHA then chose SHA-256 → Cake_Wallet...apk.sha256
now you have a apk.sha256 file open it and compare it with sha from github