Include SHA-256 Hash of Developer App Signing Key in README #8576
Comments
On F-Droid we actually use reproducible builds, so we do the signing and F-Droid verifies that what they build matches ours, and then proceeds to use our builds. We indicate in the F-Droid metadata which signing keys we use for each app. Is this sufficient for your needs? Does Obtainium have a way for users to verify the hashes before the install? I'm not against adding this info, but I'm unsure it would be useful in practice unless users have a way to verify the builds before installation.
That's excellent that Thunderbird uses reproducible builds! The ecosystem needs more of that. I checked [F-Droid's verification server](https://verification.f-droid.org) but did not see Thunderbird or K-9 listed there at all. I must not have searched properly.
Yes, Obtainium has a built-in feature that shares a downloaded APK with [AppVerifier](https://github.com/soupslurpr/AppVerifier) prior to installation, which streamlines the verification process, but one does not need a third-party app to download an APK from GitHub. Though an app like AppVerifier or [Termux](https://github.com/termux/termux-app) would be needed if a user wanted to verify the hash directly on an Android device. There may be other methods that I'm not aware of to verify on-device.
Either way, however, a user would need to visit GitHub to either provide a link to Obtainium or download the APK directly. In my opinion, it would be more convenient and accessible for those users if the hash of the developer signing key were listed directly in the README, and additionally on the website as an easy second reference, since the website is directly linked from the Thunderbird GitHub.
I see, unfortunately there are no new submissions for AppVerifier's internal database. I'd be OK including the hashes in the README as long as we keep it very short; the README is already pretty long.
Checklist
App
Thunderbird for Android
App version
8.1
Where did you get the app from?
Other
Android version
13
Device model
No response
Steps to reproduce
Thunderbird offers a direct APK download option for Thunderbird Mail for Android from GitHub, as well as being hosted in the official F-Droid repo. The app hosted in F-Droid is built and signed by the F-Droid developers, which some view as a security issue. Apps like Obtainium are becoming more popular and allow users to track updates to apps and directly download the APK from GitHub, but those users should have a way to verify that the build was signed by the developer. Posting the SHA-256 hash of the developer's app signing key in multiple locations where changes could be detected, such as in the project README (possibly under the Security heading) and on the Thunderbird website, would limit future tampering.
Based on the latest apk, the hash appears to be:
B6:52:47:79:B3:DB:BC:5A:C1:7A:5A:C2:71:DD:B2:9D:CF:BF:72:35:78:C2:38:E0:3C:3C:21:78:11:35:6D:D1
I'm happy to create a PR for the README if you are amenable to inclusion.
Thank you for your consideration.
Expected behavior
Hash should be posted.
Actual behavior
No hash posted.
Logs
No response
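The check the issue asks users to be able to perform, written out as a small POSIX shell script. This is an added example, not code from the Thunderbird project or from anyone in this thread: it runs `apksigner verify --print-certs` (from the Android SDK build-tools) on a downloaded APK, pulls out the signing certificate's SHA-256 digest, normalises it (apksigner prints bare lowercase hex, a README or `keytool -printcert -jarfile` prints colon-separated uppercase) and compares it with a pinned fingerprint. The function names are made up for this example; the pinned value is the fingerprint quoted in the issue above, which the reporter says "appears to be" the developer key and which has not been confirmed by the project, so it must be cross-checked against the README once it is published there.

```shell
#!/bin/sh
# Added example (not part of Thunderbird for Android): pin-check the signing
# certificate of a downloaded APK against a published SHA-256 fingerprint.
# Requires `apksigner` from Android SDK build-tools on PATH for verify_apk.

# Fingerprint quoted in issue #8576 as the apparent developer signing cert.
# Assumption: this must be confirmed against the project README/website.
EXPECTED_FP="B6:52:47:79:B3:DB:BC:5A:C1:7A:5A:C2:71:DD:B2:9D:CF:BF:72:35:78:C2:38:E0:3C:3C:21:78:11:35:6D:D1"

# Canonical form: no colons or spaces, uppercase hex. Lets the colon-separated
# README form and apksigner's bare lowercase hex compare byte-for-byte.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# Extract every certificate SHA-256 digest from the output of either
#   apksigner verify --print-certs   ("Signer #1 certificate SHA-256 digest: <hex>")
#   keytool -printcert -jarfile      ("SHA256: XX:XX:...")
# and print one normalised digest per line. SHA-1/MD5 lines and, in verbose
# apksigner output, "public key SHA-256 digest" lines are deliberately skipped.
extract_sha256_digests() {
    printf '%s\n' "$1" \
      | grep -Ei 'certificate SHA-256 digest:|^[[:space:]]*SHA256:' \
      | grep -Eio '[0-9a-f]{2}(:?[0-9a-f]{2}){31}' \
      | tr -d ':' \
      | tr '[:lower:]' '[:upper:]'
}

# Succeed (exit 0) only if the tool output names exactly one distinct signing
# certificate and it equals the pinned fingerprint. An APK with extra or
# unexpected signers fails closed rather than passing on a partial match.
cert_matches_pin() {
    digests=$(extract_sha256_digests "$1" | sort -u)
    [ "$(printf '%s\n' "$digests" | grep -c .)" -eq 1 ] || return 1
    [ "$digests" = "$(normalize_fp "$2")" ]
}

# End-to-end check. apksigner also validates the APK signature scheme itself;
# a bad or missing signature makes it exit non-zero before we compare certs.
# Usage: verify_apk path/to/thunderbird.apk
verify_apk() {
    out=$(apksigner verify --print-certs "$1") || {
        echo "FAIL: $1 has no valid APK signature" >&2
        return 2
    }
    if cert_matches_pin "$out" "$EXPECTED_FP"; then
        echo "OK: $1 is signed with the pinned certificate"
    else
        echo "MISMATCH: $1 is signed with a different certificate:" >&2
        extract_sha256_digests "$out" >&2
        return 1
    fi
}
```

`keytool -printcert -jarfile` only prints the certificate; it does not check that the signature actually covers the APK contents, so prefer `apksigner verify` when it is available. On-device tools such as AppVerifier display the same certificate SHA-256 fingerprint, so the value pinned here is the one to compare against there too.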