For a given Android Studio release published by Google, how can I cryptographically verify the authenticity and integrity of the .tar.gz file that I downloaded before I copy it onto a USB drive and attempt to install it on my laptop?
Today I wanted to download Android Studio, but the download page said nothing about how to cryptographically verify the integrity and authenticity of their release after download.
https://developer.android.com/studio#downloads
I expected to see a message on the download page telling me:
- The fingerprint of their PGP release signing key,
- A link to further documentation, and
- Links to [a] a manifest file (eg
SHA256SUMS) and [b] a detached signature of that manifest file (egSHA256SUMS.asc,SHA256SUMS.sig,SHA256SUMS.gpg, etc)
Unfortunately, the only information I found on the download page was how to verify the integrity of the tarball using a SHA-256 checksum found in a table on the same page. Obviously, this checks integrity but not authenticity. And it provides no security because it's not out-of-band from the .tar.gz itself.
How can I preform cryptographic integrity and authenticity verification with Google's Android Studio releases?
