Tuta SHA256 not matching

MotherShipton

I am trying to install Tuta app using Obtanium. I am using the web address:
https://github.com/tutao/tutanota/releases

The SHA256 given by Tuta on the above page for the apk (tutanota-app-tutao-release-271.250224.0.apk) is:
732f6ec60b2c35f7740b812885e82ace56fae18dadb79e4d0110411afe9249ce

When Obtanium installs, I go to AppVerifier and get a failure report. AppVerifier says the SHA256 should be: B4:54:C1:76:F9:0A:1E:A0:57:29:87:D3:82:72:3B:5C:D7:4F:94:2A:79:37:A2:A0:B9:9A:36:80:69:14:88:50

Not even close. Anybody able to offer some insight?

fluxcondensator

MotherShipton Maybe the github and play version are different releases and thats why.

IcyScroll

MotherShipton The SHA256 given by Tuta on the above page for the apk (tutanota-app-tutao-release-271.250224.0.apk) is:
732f6ec60b2c35f7740b812885e82ace56fae18dadb79e4d0110411afe9249ce

Tuta seems to be providing SHA256 of the .apk file. This can only be used to verify if the downloaded file hasn't got corrupted during download.

AppVerifier uses SHA256 of the public app signing (RSA) key. This can be used to verify that an app was signed by this specific key - allows to verify source, not integrity.

de.tutao.tutanota
B4:54:C1:76:F9:0A:1E:A0:57:29:87:D3:82:72:3B:5C:D7:4F:94:2A:79:37:A2:A0:B9:9A:36:80:69:14:88:50
Is fine.

App Manager has an apk scanner enabling users to check both .apk and certificate hashes from weak MD5 all the way to SHA512. You might find it useful to visualise what I said here.

io.github.muntashirakon.AppManager
32:0C:0C:0F:E8:CE:F8:73:F2:B5:54:CB:88:C8:37:F1:51:25:89:DC:CE:D5:0C:5B:25:C4:3C:04:59:67:60:AB
Don't trust just this hash, cross-verify whenever possible!

r134a

I have version 271.250224.0 installed through obtanium, while checking with app verifier the hash indeed is:

B4:54:C1:76:F9:0A:1E:A0:57:29:87:D3:82:72:3B:5C:D7:4F:94:2A:79:37:A2:A0:B9:9A:36:80:69:14:88:50

There are also releases available on the release page for tuta calendar, are u sure u didn't get the calendar app instead?

r134a

r134a Oh, just checked it on their github and indeed the hash they provide for version 271.250224.0 is

732f6ec60b2c35f7740b812885e82ace56fae18dadb79e4d0110411afe9249ce

However i have this version aswell and appverifier gives me:

B4:54:C1:76:F9:0A:1E:A0:57:29:87:D3:82:72:3B:5C:D7:4F:94:2A:79:37:A2:A0:B9:9A:36:80:69:14:88:50

Now that i think of it, it could be that my first installation of the tuta app was through vanadium (before i started using obtanium) downloaded from their github. Not sure anymore, i don't think so aswell, as i generally don't allow app installs from different sources, but there's a slight chance. Nevertheless the app is updated through obtainium for several months now. Not sure this info is relevant but i though it might be.

Edit: discard anything above, the answer is provided by @IcyScroll

AppVerifier uses SHA256 of the public app signing (RSA) key. This can be used to verify that an app was signed by this specific key - allows to verify source, not integrity.

IcyScroll

IcyScroll Tuta seems to be providing SHA256 of the .apk file. This can only be used to verify if the downloaded file hasn't got corrupted during download.

For some reason it's a rather common practice. For example, Neo Store does this as well. I have no idea why they don't provide hashes of the public app signing key as well. It should be as easy as using this command:
apksigner verify --print-certs [name].apk
What they currently do is SHA256SUM [name].apk

MotherShipton

IcyScroll Thanks for your input. The AppManger looks like a very useful app on my slow way to understanding these things.