From 56076347bddb9b3c5176683a77f41bebdc7c2123 Mon Sep 17 00:00:00 2001
From: M66B <M66B@users.noreply.github.com>
Date: Wed, 26 Jun 2024 07:39:45 +0200
Subject: [PATCH] APK file attestation

---
 .github/workflows/android.yml | 11 +++++++++++
 FAQ.md                        | 19 +++++++++++++++++++
 index.html                    | 26 +++++++++++++++++++++++---
 3 files changed, 53 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
index 9ff3ac030a..a428c9fb3b 100644
--- a/.github/workflows/android.yml
+++ b/.github/workflows/android.yml
@@ -11,6 +11,12 @@ on:
         description: 'Branch'
         required: true
         default: 'master'
+
+permissions:
+    id-token: write
+    contents: read
+    attestations: write
+
 jobs:
   build:
 
@@ -52,6 +58,11 @@ jobs:
       run: ./gradlew lintGithubRelease
     - name: Build with Gradle
       run: ./gradlew assembleGithubRelease assembleLargeRelease assemblePlayRelease uploadBugsnagGithub-releaseMapping uploadBugsnagLarge-releaseMapping uploadBugsnagPlay-releaseMapping
+    #https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
+    - name: Generate artifact attestation
+      uses: actions/attest-build-provenance@v1
+      with:
+        subject-path: 'app/build/outputs/apk/**/release/*.apk'
     - name: Upload to BitBucket
       run: |
         ./gradlew upload -Ptarget=play-preview-${{ github.event.inputs.branch }}
diff --git a/FAQ.md b/FAQ.md
index 396e9a2143..d2f596aeee 100644
--- a/FAQ.md
+++ b/FAQ.md
@@ -429,6 +429,7 @@ Anything on this list is in random order and *might* be added in the near future
 * [(202) What is DNSSEC and what is DANE?](#faq202)
 * [(203) Where is my sent message?](#faq203)
 * [(204) How do I use Gemini?](#faq204)
+* [(205) How do I check the integrity of an APK file?](#faq205)
 
 [I have another question.](#get-support)
 
@@ -5986,6 +5987,24 @@ This feature is experimental and requires version 1.2171 or later for the GitHub
 
 <br>
 
+<a name="faq205"></a>
+**(205) How do I check the integrity of an APK file?**
+
+You can verify in this way that an APK file was built and signed by a GitHub workflow:
+
+1. Install the [GitHub CLI](https://cli.github.com/)
+2. Download and extract the [APK files](https://github.com/M66B/FairEmail/actions)
+3. [Verify](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli) attestation of an APK file
+
+
+```
+gh attestation verify xyz.apk -R M66B/FairEmail
+```
+
+Attestation of APK files is available from version 1.2209.
+
+<br>
+
 <h2><a name="get-support"></a>Get support</h2>
 
 &#x1F30E; [Google Translate](https://translate.google.com/translate?sl=en&u=https%3A%2F%2Fm66b.github.io%2FFairEmail%2F%23get-support)
diff --git a/index.html b/index.html
index cac573ea28..39f7c86723 100644
--- a/index.html
+++ b/index.html
@@ -8,10 +8,19 @@
   <style>
     code{white-space: pre-wrap;}
     span.smallcaps{font-variant: small-caps;}
-    span.underline{text-decoration: underline;}
-    div.column{display: inline-block; vertical-align: top; width: 50%;}
+    div.columns{display: flex; gap: min(4vw, 1.5em);}
+    div.column{flex: auto; overflow-x: auto;}
     div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
-    ul.task-list{list-style: none;}
+    /* The extra [class] is a hack that increases specificity enough to
+       override a similar rule in reveal.js */
+    ul.task-list[class]{list-style: none;}
+    ul.task-list li input[type="checkbox"] {
+      font-size: inherit;
+      width: 0.8em;
+      margin: 0 0.8em 0.2em -1.6em;
+      vertical-align: middle;
+    }
+    .display.math{display: block; text-align: center; margin: 0.5rem auto;}
   </style>
   <link rel="shortcut icon" href="https://raw.githubusercontent.com/M66B/FairEmail/master/app/src/main/ic_launcher-web.png">
   <style>
@@ -418,6 +427,7 @@
 <li><a href="#faq202">(202) What is DNSSEC and what is DANE?</a></li>
 <li><a href="#faq203">(203) Where is my sent message?</a></li>
 <li><a href="#faq204">(204) How do I use Gemini?</a></li>
+<li><a href="#faq205">(205) How do I check the integrity of an APK file?</a></li>
 </ul>
 <p><a href="#get-support">I have another question.</a></p>
 <p><a name="faq1"></a> <strong>(1) Which permissions are needed and why?</strong></p>
@@ -2986,6 +2996,16 @@ adb install /path/to/FairEmail-xxx.apk</code></pre>
 <p>Please read the privacy policy of <a href="https://support.google.com/gemini/answer/13594961">Gemini</a>. FairEmail does not use third-party libraries to avoid being tracked when Gemini is not being used.</p>
 <p>This feature is experimental and requires version 1.2171 or later for the GitHub version and version 1.2182 or later for the Play Store version.</p>
 <p><br></p>
+<p><a name="faq205"></a> <strong>(205) How do I check the integrity of an APK file?</strong></p>
+<p>You can verify in this way that an APK file was built and signed by a GitHub workflow:</p>
+<ol type="1">
+<li>Install the <a href="https://cli.github.com/">GitHub CLI</a></li>
+<li>Download and extract the <a href="https://github.com/M66B/FairEmail/actions">APK files</a></li>
+<li><a href="https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli">Verify</a> attestation of an APK file</li>
+</ol>
+<pre><code>gh attestation verify xyz.apk -R M66B/FairEmail</code></pre>
+<p>Attestation of APK files is available from version 1.2209.</p>
+<p><br></p>
 <h2>
 <a name="get-support"></a>Get support
 </h2>