From db735007e10396b1bc0483c69649b56319ec40e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wolf-Martell=20Montw=C3=A9?= <wolf@thunderbird.net>
Date: Thu, 5 Dec 2024 12:44:10 +0100
Subject: [PATCH] Add SHA-256 apk hashes

---
 README.md | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 0c3ae0154d3..7f4aa294fc5 100644
--- a/README.md
+++ b/README.md
@@ -73,8 +73,18 @@ our [blog post](https://blog.thunderbird.net/2023/07/k-9-mail-collaborates-with-
 
 You can report a security vulnerability [through the respective issues form](https://github.com/thunderbird/thunderbird-android/security/advisories/new).
 
-Users can verify the downloaded apk from Github and F-Droid against following SHA-256 hash to ensure the app was properly signed with our signing key:
-`B6:52:47:79:B3:DB:BC:5A:C1:7A:5A:C2:71:DD:B2:9D:CF:BF:72:35:78:C2:38:E0:3C:3C:21:78:11:35:6D:D1`
+These are the SHA-256 fingerprints for our signing certificates:
+
+- Thunderbird: `B6:52:47:79:B3:DB:BC:5A:C1:7A:5A:C2:71:DD:B2:9D:CF:BF:72:35:78:C2:38:E0:3C:3C:21:78:11:35:6D:D1`
+- Thunderbird Beta: `05:6B:FA:FB:45:02:49:50:2F:D9:22:62:28:70:4C:25:29:E1:B8:22:DA:06:76:0D:47:A8:5C:95:57:74:1F:BD`
+- K-9 Mail: `55:C8:A5:23:B9:73:35:F5:BF:60:DF:E8:A9:F3:E1:DD:E7:44:51:6D:93:57:E8:0A:92:5B:7B:22:E4:F5:55:24`
+
+You can use the following command to retrieve and [verify](https://developer.android.com/tools/apksigner#usage-verify)
+the certificate before installation:
+
+```bash
+apksigner verify -v --print-certs <path-to-apk>
+```
 
 ## K-9 Mail