For a given Android Studio release published by Google, how can I cryptographically verify the authenticity and integrity of the
.tar.gz file that I downloaded before I copy it onto a USB drive and attempt to install it on my laptop?
Today I wanted to download Android Studio, but the download page said nothing about how to cryptographically verify the integrity and authenticity of their release after download.
I expected to see a message on the download page telling me:
- The fingerprint of their PGP release signing key,
- A link to further documentation, and
- Links to (a) a manifest file (eg
SHA256SUMS) and (b) a detached signature of that manifest file (eg
Unfortunately, the only information I found on the download page was how to verify the integrity of the tarball using a
SHA-256 checksum found in a table on the same page. Obviously, this checks integrity but not authenticity. And it provides no security because it’s not out-of-band from the
How can I preform cryptographic integrity and authenticity verification with Google’s Android Studio releases?