Verifying apks with sig file (e.g. yubico authenticator)

rfm

Hey all,
I have a question regarding verfifying apks (received via obtainium) if they don't provide a certificate hash but a sig file. The app in question is the yubico (yubikey) authenticator app, which is used to read TOTP from a yubikey. The app is open source on their GitHub including releases with the built apk, so I could install it without Google play. However I do not find the developer's certificate sha-256 to verify it with appverifier (also not in its database).
Since they provide a sig file, after a bit of research, my idea was to download the apk with the sig on my PC, verifiy the authenticity of the app as described with gpg. After I am sure that this apk is fine, I read that I can extract the certificate hash from it with apksigner verify. With this hash I could then verify the apk with obtanium+appverfifier on my phone. Am I missing anything or is this really the closed loop I am thinking it is? If this is a valid and secure approach I could use it for some other apps that provide signature files but no certificate hash.

Novalissoide

rfm Here's the signing hash when installed from Sandboxed Google Play:
com.yubico.yubioath
3E:21:DA:5A:CA:A8:D4:9C:E5:15:B1:C6:D2:A1:90:3B:AE:29:8D:09:11:43:2C:55:E7:5A:19:61:99:F2:B9:A0

And here's from the Github release:

com.yubico.yubioath
3E:21:DA:5A:CA:A8:D4:9C:E5:15:B1:C6:D2:A1:90:3B:AE:29:8D:09:11:43:2C:55:E7:5A:19:61:99:F2:B9:A0

So in this case, they are identical.

Novalissoide

rfm what do you use for apk.sig-files?

rfm

Thanks, it's also the same I extracted, so this seems to work. They provide sig files on their GitHub alongside the apk and also on the relase site
https://developers.yubico.com/yubioath-flutter/Releases/
(there is also the instructions I followed to verfiy).

Novalissoide

rfm I tried the .sig-file with haibison.apksigner but didn't manage to make it do anything.
Nice it worked for you anyway. 🫡

rfm

No, with the sig file I just verified that the apk from github is signed by the devs (see the instructions on top of the posted release page), before extracting the signing hash from it as you did with the one from playstore.

Novalissoide

rfm Thanks. I'll look into the practice tomorrow.