Add Hash of App Signing Key to Github README

[shrimprugbysnowowl]

Some users may choose to install DAVx5 via the apk downloaded directly from github or using Obtainium instead of fdroid, possibly due to fdroid signing all apps with their own developer signing key, or a route involving an app store. If users choose one of the former two routes, they currently have no way to verify the app was signed by the actual developers because the hash of the signing key isn't posted anywhere (that I've found). Verification is typically done using termux or AppVerfier using its integration with Obtainium.

Please consider posting the SHA-256 hash of the developer signing key used for the pre-built apk releases on github.

[shrimprugbysnowowl]

The hash of the signing key appears to be B3:9E:7B:77:EC:85:34:83:64:6B:21:B4:A3:E3:CA:54:0B:A0:94:EF:8D:AA:18:E8:7E:0B:E1:FA:46:38:D3:21. I'd greatly appreciate a confirmation.

I could create a PR of the README if the project would find it useful.

[rfc2822]

Yes, the signing key we currently use for Github releases and our compiled binaries has these certificate fingerprints:

SHA1: D0:57:50:13:F7:71:45:8E:7C:A9:F6:DF:50:87:93:9A:CD:79:0C:C3
SHA256: B3:9E:7B:77:EC:85:34:83:64:6B:21:B4:A3:E3:CA:54:0B:A0:94:EF:8D:AA:18:E8:7E:0B:E1:FA:46:38:D3:21

Note that the versions in the stores (Google Play, etc.) all use app bundle signing, with

• Google Play, Samsung Galaxy Store: same signing key as above (but may change in future, thanks to upload key signing)
• Amazon appstore, Huawei AppGallery: they modify and re-sign the APK

[shift18]

I agree, please publish your public key hash so that we may verify the integrity of your application.
Preferably you should not only publish it here on githib but also on your website and other platforms where you may have a presence.

Thank you!

[rfc2822]

See #919 and https://www.davx5.com/download