From c5fa40166f4939d7bb2182cabe812e412f119f5d Mon Sep 17 00:00:00 2001
From: Alexander Bakker <ab@alexbakker.me>
Date: Tue, 2 Apr 2019 21:37:25 +0200
Subject: [PATCH] Add some info about verifying APK's obtained from GitHub to
 the README

---
 README.md | 67 +++++++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 55 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index 584d7672..8be62f9b 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ Aegis is a free, secure and open source 2FA app for Android.
 - Secure
   - Encryption (AES-256)
     - Password (scrypt)
-	- Fingerprint (Android Keystore)
+  - Fingerprint (Android Keystore)
   - Screen capture prevention
   - Tap to reveal ability
 - Multiple ways to add new entries
@@ -20,9 +20,12 @@ Aegis is a free, secure and open source 2FA app for Android.
     - Aegis
   - Import from apps (requires root):
     - Google Authenticator
+    - Steam
 - Supported algorithms:
    - HOTP ([RFC 4226](https://tools.ietf.org/html/rfc4226))
    - TOTP ([RFC 6238](https://tools.ietf.org/html/rfc6238))
+   - Steam ([RFC 6238](https://tools.ietf.org/html/rfc6238) with custom
+     encoding)
 - Compatible with Google Authenticator
 - Organization
   - Custom or default icons
@@ -37,36 +40,76 @@ Aegis is a free, secure and open source 2FA app for Android.
 
 ## Screenshots
 
-[<img width=200 alt="Main Activity" src="metadata/en-US/images/phoneScreenshots/screenshot_main.png?raw=true">](metadata/en-US/images/phoneScreenshots/screenshot_main.png?raw=true)
-[<img width=200 alt="Settings Activity" src="metadata/en-US/images/phoneScreenshots/screenshot_settings.png?raw=true">](/metadata/en-US/images/phoneScreenshots/screenshot_settings.png?raw=true)
-[<img width=200 alt="Edit Activity" src="metadata/en-US/images/phoneScreenshots/screenshot_edit.png?raw=true">](/metadata/en-US/images/phoneScreenshots/screenshot_edit.png?raw=true)
+[<img width=200 alt="Main Activity"
+src="metadata/en-US/images/phoneScreenshots/screenshot_main.png?raw=true">](metadata/en-US/images/phoneScreenshots/screenshot_main.png?raw=true)
+[<img width=200 alt="Settings Activity"
+src="metadata/en-US/images/phoneScreenshots/screenshot_settings.png?raw=true">](/metadata/en-US/images/phoneScreenshots/screenshot_settings.png?raw=true)
+[<img width=200 alt="Edit Activity"
+src="metadata/en-US/images/phoneScreenshots/screenshot_edit.png?raw=true">](/metadata/en-US/images/phoneScreenshots/screenshot_edit.png?raw=true)
 
-[<img width=200 alt="Main Activity" src="metadata/en-US/images/phoneScreenshots/screenshot_main_group.png?raw=true">](metadata/en-US/images/phoneScreenshots/screenshot_main_group.png?raw=true)
-[<img width=200 alt="Main Activity" src="metadata/en-US/images/phoneScreenshots/screenshot_main_dark.png?raw=true">](metadata/en-US/images/phoneScreenshots/screenshot_main_dark.png?raw=true)
+[<img width=200 alt="Main Activity"
+src="metadata/en-US/images/phoneScreenshots/screenshot_main_group.png?raw=true">](metadata/en-US/images/phoneScreenshots/screenshot_main_group.png?raw=true)
+[<img width=200 alt="Main Activity"
+src="metadata/en-US/images/phoneScreenshots/screenshot_main_dark.png?raw=true">](metadata/en-US/images/phoneScreenshots/screenshot_main_dark.png?raw=true)
 
 ## Downloads
 
-Aegis is available in the Google Play Store.
+Aegis is available in the Google Play Store. It will also be available on
+F-Droid soon.
 
-[<img height=80 alt="Get it on Google Play" src="https://play.google.com/intl/en_us/badges/images/generic/en-play-badge.png" />](http://play.google.com/store/apps/details?id=com.beemdevelopment.aegis)
+[<img height=80 alt="Get it on Google Play"
+src="https://play.google.com/intl/en_us/badges/images/generic/en-play-badge.png"
+/>](http://play.google.com/store/apps/details?id=com.beemdevelopment.aegis)
 
-There are plans to make it available on F-Droid as well.
+### Verification
+
+APK releases on Google Play and GitHub are signed using the same key. They can
+be verified using
+[apksigner](https://developer.android.com/studio/command-line/apksigner.html#options-verify):
+
+```
+apksigner verify --print-certs --verbose aegis.apk
+```
+
+The output should look like:
+
+```
+Verifies
+Verified using v1 scheme (JAR signing): true
+Verified using v2 scheme (APK Signature Scheme v2): true
+```
+
+The certificate fingerprints should correspond to the ones listed below:
+
+```
+Owner: CN=Beem Development
+Issuer: CN=Beem Development
+Serial number: 172380c
+Valid from: Sat Feb 09 14:05:49 CET 2019 until: Wed Feb 03 14:05:49 CET 2044
+Certificate fingerprints:
+   MD5:  AA:EE:86:DB:C7:B8:88:9F:1F:C9:D0:7A:EC:37:36:32
+   SHA1: 59:FB:63:B7:1F:CE:95:74:6C:EB:1E:1A:CB:2C:2E:45:E5:FF:13:50
+   SHA256: C6:DB:80:A8:E1:4E:52:30:C1:DE:84:15:EF:82:0D:13:DC:90:1D:8F:E3:3C:F3:AC:B5:7B:68:62:D8:58:A8:23
+```
 
 ## Libraries
 
 - [TextDrawable](https://github.com/amulyakhare/TextDrawable) by Amulya Khare
-- [FloatingActionButton](https://github.com/Clans/FloatingActionButton) by Dmytro Tarianyk
+- [FloatingActionButton](https://github.com/Clans/FloatingActionButton) by
+  Dmytro Tarianyk
 - [AppIntro](https://github.com/AppIntro/AppIntro) by Paolo Rotolo
 - [Krop](https://github.com/avito-tech/krop) by Avito Technology
 - [SpongyCastle](https://github.com/rtyley/spongycastle) by Roberto Tyley
 - [Swirl](https://github.com/mattprecious/swirl) by Matthew Precious
-- [CircleImageView](https://github.com/hdodenhof/CircleImageView) by Henning Dodenhof
+- [CircleImageView](https://github.com/hdodenhof/CircleImageView) by Henning
+  Dodenhof
 - [barcodescanner](https://github.com/dm77/barcodescanner) by Dushyanth
 - [libsu](https://github.com/topjohnwu/libsu) by John Wu
 
 ## License
 
-This project is licensed under the GNU General Public License v3.0. See the [LICENSE](LICENSE) file for details.
+This project is licensed under the GNU General Public License v3.0. See the
+[LICENSE](LICENSE) file for details.
 
 ## Attribution