mirror of https://github.com/LawnchairLauncher/lawnchair.git synced 2026-02-16 09:08:19 +00:00

Files

Pun Butrach 0e66a4420c docs: Make SLSA verification more clearer

Signed-off-by: Pun Butrach <pun.butrach@gmail.com>

2026-01-28 01:23:10 +07:00

1.4 KiB

Raw Permalink Blame History

Lawnchair verification

Lawnchair apk are cryptographically signed and can be verified using two verifications system.

GitHub or SLSA attestations (Starting with Lawnchair 15 Beta 1)
SHA256 of android app certificate

SLSA Attestation (Starting with Lawnchair 15 Beta 1)

Every release of Lawnchair with the exception of Nightly is attested and verified with SLSA provenance. This repository meet the requirements of SLSA-Level 2 compliance

Note

It is possible to verify without GitHub CLI by cross-referencing check from GitHub Attestation with Sigstore Rekor

Install GitHub CLI
Download the APK and attestation from GitHub Attestation
Run gh attestation verify APK -R LawnchairLauncher/lawnchair, replace {APK} with the actual APK file
Done

Android App Certificate

Lawnchair have two app certificates:

Google Play: 47:AC:92:63:1C:60:35:13:CC:8D:26:DD:9C:FF:E0:71:9A:8B:36:55:44:DC:CE:C2:09:58:24:EC:25:61:20:A7
Elsewhere:
74:7C:36:45:B3:57:25:8B:2E:23:E8:51:E5:3C:96:74:7F:E0:AD:D0:07:E5:BA:2C:D9:7E:8C:85:57:2E:4D:C5

On Android, using a verification app like AppVerifier can ease up the verifying process.

1.4 KiB Raw Permalink Blame History

Lawnchair verification

SLSA Attestation (Starting with Lawnchair 15 Beta 1)

Android App Certificate

1.4 KiB

Raw Permalink Blame History