wget https://github.com/Blockstream/green_android/releases/download/$GIT_TAG/SHA256SUMS.asc
wget https://github.com/Blockstream/green_android/releases/download/$GIT_TAG/BlockstreamGreen-v3.7.1-production-release.apk
mdkir signed
unzip BlockstreamGreen-v3.7.1-production-release.apk -d signed
keytool -printcert -file signed/META-INF/GREENADD.RSA
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 04BEBF2E35A2AF2FFDF1FA5DE7F054AA2E76E792
shasum -a 256 --check SHA256SUMS.asc
gpg --verify SHA256SUMS.asc
Diff with unsigned built binary
mkdir unsigned
unzip green_android/green/build/outputs/apk/production/release/BlockstreamGreen-v3.7.1-production-release-unsigned.apk -d unsigned
# Now if all match, the only diff should be the three files generated inside META-INF that are added when signing the APK: GREENADD.RSA, GREENADD.SF and MANIFEST.MF
diff -r signed/ unsigned/
# The hash seems to also appear in SHASUM256.asc under the file named tmp_.apk, let's try it!
cp green_android/green/build/outputs/apk/production/release/BlockstreamGreen-v3.7.1-production-release-unsigned.apk tmp_.apk
# Here's a green hash for ya!
shasum -a 256 --check SHA256SUMS.asc