I have downloaded the latest version of custom menu 3.7.2 apps but i do not find any MD5 or SHA256 value to check the integrity ot the tar.gz downloaded.
We have the certificate and signature that can be check with occ but before tu put this app on our server, nothing is available.
My point was that you can perhaps make use of the signature.json file, which according to the documentation I linked you to contains “hashes [which] is an array of all files in the folder with their corresponding SHA-512 hashes”. Wouldn’t that be sufficient to verify that the files have the hashes they should have?
I do not find any file signature.json in the appinfo folder. if the app is signed, i can read this in the documentation :" The occ tool will store a signature.json file within the appinfo folder of your application. Then compress the application folder and upload it to apps.nextcloud.com."
In this case, i do not see the signature.json and even if i saw him : the only way to check the integrity of the downloaded file is the occ command line and not a simply checksum. the developper has it forgot to put the file signature.json before put her on the store app ?
I suppose i must create the signature.json file with an notepad editor et put the hash of few files in the hash table, as well as put the certificate and the signature available from the page of the app. then launch an occ command line to check the integrity of listed files.
I would have prefer an md5 checksum of the tar.gz file in a first time