Every APK is cryptographically signed. Before installing, confirm the signing certificate matches these fingerprints:

Certificate check (requires Android SDK):

apksigner verify --print-certs xxx.apk

Match the SHA-256 digest from the output against the table above.

Integrity check (using the .sha256 file bundled with each release):

sha256sum -c xxx.apk.sha256

If either check fails, do not proceed with installation. Remove the APK immediately and obtain a fresh copy exclusively from the official GitHub Releases page or our official FDroid repo. If you believe the APK has been tampered with, inform us via email at info@hydramesh.net.

Android enforces signature consistency across updates automatically, so once your first install is verified, future updates are protected by the OS.