Just to be clear, for myself and others who are new, this whole thread should essentially be taken with a grain of salt, theoretically, correct? My layman understanding is:
When using AppVerifier and Obtainium, Obtainium will download the APK and then forward you onto AppVerifier, sharing the APK signing fingerprint of the file you just downloaded. At which point AppVerifier will either tell you it matches their internal database (of proven signing keys from developers) or tell you to verify yourself, where the user then needs to find a reputable source for the developer's signing key fingerprint/hash/thing.
So, people on this thread could be downloading the same APKs and have matching fingerprints, yet they both are malicious.
AppVerifier has done its job by having a trusted chain via Graphene->Accrescent->itself on the user's device; so the user has a trusted way to verify, the user just needs to ensure they have the authentic developer signing certificate at that final step of "verify from clipboard". Which is where this thread can be useful, if you trust the fingerprints users are posting 😅
Is this correct?
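The three outcomes the post describes (match against the built-in database, "verify yourself", or compare against a fingerprint pasted from the clipboard) as an added example in Python; this is not AppVerifier's or Obtainium's code, and the package name, database contents and fingerprint values are constructed for illustration.

```python
# Added example, not AppVerifier's or Obtainium's code. Models the decision made once
# the APK's signing-certificate SHA-256 fingerprint is handed over. TRUSTED_DB is a
# constructed stand-in for the app's internal database of developer signing keys.
import hmac
import re
from typing import Optional

# Constructed sample database: package name -> SHA-256 fingerprints (hex, no colons)
# of that developer's signing certificate(s).
TRUSTED_DB = {
    "com.example.app": {"A1" * 32},
}

_HEX64 = re.compile(r"^[0-9A-F]{64}$")


def normalize_fingerprint(text: str) -> str:
    """Accept the forms people paste (colons, spaces, a 'SHA-256:' prefix, lower case)
    and return 64 upper-case hex characters; reject anything that is not a SHA-256 value."""
    cleaned = text.strip()
    cleaned = re.sub(r"^(sha-?256\s*[:=]?\s*)", "", cleaned, flags=re.IGNORECASE)
    cleaned = re.sub(r"[\s:]", "", cleaned).upper()
    if not _HEX64.match(cleaned):
        raise ValueError("not a SHA-256 certificate fingerprint")
    return cleaned


def check_apk_signer(package: str, apk_fingerprint: str,
                     clipboard: Optional[str] = None) -> str:
    """Return the verdict for a downloaded APK's signing fingerprint.

    A match only proves the APK was signed with the key the database (or the
    clipboard value) names; whether that key is really the developer's depends
    entirely on where the reference fingerprint came from.
    """
    fp = normalize_fingerprint(apk_fingerprint)
    known = TRUSTED_DB.get(package)
    if known:
        # Constant-time comparison avoids leaking how far a candidate matched.
        if any(hmac.compare_digest(fp, k) for k in known):
            return "match-trusted-database"
        return "MISMATCH-trusted-database"  # signer is not the developer's known key
    # Not in the database: the user must supply the developer's published fingerprint.
    if clipboard is None:
        return "unknown-verify-yourself"
    if hmac.compare_digest(fp, normalize_fingerprint(clipboard)):
        return "match-clipboard"  # only as trustworthy as the source of that value
    return "MISMATCH-clipboard"
```

The "match-clipboard" verdict is the step where a fingerprint copied from a forum thread would be accepted, which is exactly why its source matters.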