android build verification info

Author: jimmyff

content/docs/build-verification.md

@@ -8,52 +8,92 @@ sidebar_group = "About"
 
 # Build Verification
 
-All Cache direct downloads are cryptographically signed using [Minisign](https://jedisct1.github.io/minisign/), a simple and lightweight tool for verifying file integrity and authenticity.
+Cache direct downloads are cryptographically signed so you can verify integrity and authenticity before installation.
 
-## What is signed
+## Quick reference
 
-Each release includes a **signed manifest** (e.g. <code>v{{ latest_version() }}.toml</code>) listing every artifact with its SHA-256 checksum. The manifest is signed with Cache's Ed25519 key — verifying the signature proves both integrity and authenticity of all listed artifacts.
+| Platform | Method | Key / Fingerprint |
+|---|---|---|
+| Android APK | APK signing certificate | [`E0:FB:26:D7:...`](#certificate-fingerprint-sha-256) |
+| Linux | Minisign (Ed25519) | [`RWSu...H8RQ`](#public-key) |
 
-## Public key
+Downloads from Google Play, Apple App Store, and Microsoft Store are verified by each platform's own trust chain — no additional steps needed.
+
+---
+
+## Android APK
+
+Verify the signing certificate fingerprint to confirm the APK is an authentic Cache build.
+
+**Package IDs:**
+
+- `io.rocketware.cache` (Direct/Accrescent)
+- `io.rocketware.cache.googleplay` (Google Play)
+
+### Certificate fingerprint (SHA-256)
 
 ```
-RWSuyCCt9+/8XP0AK3jidFQotJmj82u3RQvmTRCHZeW460xcSsjxH8RQ
+E0:FB:26:D7:60:32:37:72:B2:47:B4:D3:5D:34:2F:B0:EF:40:9B:17:22:7C:DB:CA:A8:43:D3:9A:24:FA:43:1E
 ```
 
-Download: [`cache-minisign.pub`](/cache-minisign.pub) (also available on [Github](https://github.com/rocketware/cache/blob/main/cache-minisign.pub)).
+### Verification steps
+
+**On device (Android):**
+
+Install [AppVerifier](https://github.com/soupslurpr/AppVerifier) and compare the certificate fingerprint against the value above.
+
+**On desktop (apksigner):**
+
+<pre><code>apksigner verify --print-certs cache.apk</code></pre>
+
+Compare the `Signer #1 certificate SHA-256 digest` against the fingerprint above.
 
 ---
 
-## Verification steps
+## Linux
+
+Linux direct downloads (AppImage, deb, rpm, tar.gz) are signed using [Minisign](https://jedisct1.github.io/minisign/).
+
+Each release includes a **signed manifest** (e.g. <code>v{{ latest_version() }}.toml</code>) listing every artifact with its SHA-256 checksum. Verifying the manifest signature proves both integrity and authenticity of all listed artifacts.
+
+### Public key
+
+```
+RWSuyCCt9+/8XP0AK3jidFQotJmj82u3RQvmTRCHZeW460xcSsjxH8RQ
+```
+
+Download: [`cache-minisign.pub`](/cache-minisign.pub) (also available on [Github](https://github.com/rocketware/cache/blob/main/cache-minisign.pub)).
+
+### Verification steps
 
-### 1. Install minisign
+**1. Install Minisign**
 
 Install [Minisign](https://jedisct1.github.io/minisign/) for your platform.
 
-### 2. Download the manifest and signature
+**2. Download the manifest and signature**
 
-From any release page, download the `.toml` manifest and its `.toml.minisig` signature. These are available from three independent sources:
+From any release page, download the `.toml` manifest and its `.toml.minisig` signature. Available from three independent sources:
 
 - **Website**: <code>https://www.cachenotes.app/releases/v{{ latest_version() }}.toml</code>
 - **GitHub**: release assets on [github.com/rocketware/cache/releases](https://github.com/rocketware/cache/releases)
 - **GCP mirror**: <code>https://download.rocketware.io/cache/v{{ latest_version() }}/</code>
 
-### 3. Verify the signature
+**3. Verify the signature**
 
 <pre><code>minisign -Vm v{{ latest_version() }}.toml -p cache-minisign.pub</code></pre>
 
 If valid, you'll see: `Signature and comment signature verified`.
 
-### 4. Compare SHA-256
+**4. Compare SHA-256**
 
-After verifying the manifest, compare the checksum of your downloaded artifact:
+Compare the checksum of your downloaded artifact:
 
 <pre><code>sha256sum cache-{{ latest_version() }}-linux-x64.AppImage</code></pre>
 
 Match the output against the `sha256` field in the manifest for that artifact.
 
 ---
 
-## Platform app stores
+## App stores
 
-Downloads from the Apple App Store, Google Play, and Microsoft Store are signed through each platform's own trust chain. Minisign verification applies to direct downloads (AppImage, deb, rpm, tar.gz) distributed outside of app stores.
+Downloads from Google Play, Apple App Store, and Microsoft Store are signed through each platform's trust chain. The platform verifies integrity before installation — no additional verification is required.

data/downloads.toml

@@ -7,6 +7,7 @@ latest_version = ""
 id = "android"
 name = "Android"
 icon = "android"
+verify_anchor = "android-apk"
 
   [[platforms.downloads]]
   id = "play_store"
@@ -38,6 +39,7 @@ icon = "apple"
 id = "linux"
 name = "Linux"
 icon = "linux"
+verify_anchor = "linux"
 
   [[platforms.downloads]]
   id = "appimage"

sass/style.scss

@@ -24,6 +24,10 @@
   /* BORDER */
   --border-color: oklch(0.915 0.05 285.96);
 
+  /* LAYOUT */
+  --header-h: calc(1.5rem + 40px + 1px); /* padding + toggle height + border */
+  --content-start: calc(var(--header-h) + 1.5rem);
+
   color-scheme: light;
 }
 
@@ -615,19 +619,32 @@ main {
 
 .download-group {
   margin-bottom: 2rem;
-  scroll-margin-top: 5rem;
+  scroll-margin-top: var(--content-start);
 }
 
 .download-group:last-of-type {
   margin-bottom: 0;
 }
 
 .download-group-title {
+  display: flex;
+  align-items: baseline;
   font-size: 1.25rem;
   font-weight: 600;
   margin: 0 0 0.75rem 0;
 }
 
+.download-verify-link {
+  margin-left: auto;
+  font-size: 0.75rem;
+  font-weight: 400;
+  color: var(--brand-link);
+  text-decoration: none;
+  &:hover {
+    text-decoration: underline;
+  }
+}
+
 .download-verify {
   text-align: center;
   font-size: 0.875rem;
@@ -1715,21 +1732,21 @@ body.docs {
   .docs-layout {
     grid-template-columns: 220px 1fr;
     gap: 1rem;
-    padding: 1rem;
+    padding: 1.5rem 1rem 1rem;
   }
 
   .docs-sidebar {
     display: block;
     position: sticky;
-    top: 60px;
+    top: var(--content-start);
     height: fit-content;
-    max-height: calc(100vh - 60px);
+    max-height: calc(100vh - var(--content-start));
     overflow-y: auto;
     padding: 1rem;
   }
 
   .docs-content {
-    padding: 0 1rem;
+    padding: 1rem 1rem 0;
     min-width: 0;
   }
 }
@@ -1741,21 +1758,21 @@ body.docs {
     gap: 2rem;
     max-width: 1400px;
     margin: 0 auto;
-    padding: 2rem;
+    padding: 1.5rem 2rem 2rem;
   }
 
   .docs-toc {
     display: block;
     position: sticky;
-    top: 60px;
+    top: var(--content-start);
     height: fit-content;
-    max-height: calc(100vh - 60px);
+    max-height: calc(100vh - var(--content-start));
     overflow-y: auto;
     padding: 1rem;
   }
 
   .docs-content {
-    padding: 0;
+    padding: 1rem 0 0;
   }
 }
 
@@ -1866,12 +1883,14 @@ body.docs {
   font-size: 1.5rem;
   font-weight: 600;
   margin: 2rem 0 1rem 0;
+  scroll-margin-top: var(--content-start);
 }
 
 .docs-content h3 {
   font-size: 1.25rem;
   font-weight: 600;
   margin: 1.5rem 0 0.75rem 0;
+  scroll-margin-top: var(--content-start);
 }
 
 .docs-content p {

templates/download.html

@@ -9,7 +9,12 @@ <h1 class="download-title">Download Cache</h1>
 
         {% for platform in downloads.platforms %}
         <div class="download-group" id="{{ platform.id }}">
-            <h2 class="download-group-title">{{ platform.name }}</h2>
+            <h2 class="download-group-title">
+                {{ platform.name }}
+                {% if platform.verify_anchor is defined and platform.verify_anchor %}
+                <a href="/docs/build-verification/#{{ platform.verify_anchor }}" class="download-verify-link">Verify build</a>
+                {% endif %}
+            </h2>
             <table class="download-table">
                 <thead>
                     <tr>