# INTERACT — Android signing identities (all apps)

Consolidated registry of every Android app's **signing certificate fingerprint**.
These are public identifiers — NOT the private keys. Their purpose:

- Permanently linked to each app id on Google Play (once uploaded).
- Anyone verifying an installed APK can match the fingerprint to confirm authenticity.
- If a keystore is ever lost, the recorded fingerprint proves which historical builds were legitimate.
- Any APK in the wild with a mismatched fingerprint is NOT from INTERACT.

Every app uses the same certificate DN:
`CN=Shazia Muzaffar, OU=INTERACT, O=INTERACT, L=Karachi, ST=Sindh, C=PK`
RSA 2048, APK Signature Scheme v2.

| App | Package id | Keystore file | Alias | SHA-256 cert fingerprint |
| --- | --- | --- | --- | --- |
| **Sahulat** | `com.interactpak.qurbanisahulat` | `~/.android/sahulat-release.keystore` | `sahulat` | `eff441555ea43691aa82a739ef6cd7fc6627fb9505cee91eb3ad2116ea879f80` |
| **LeathX App** | `com.interactpak.leathx` | `~/.android/leathx-release.keystore` | `leathx` | `1438bd4699126e0a96927acf33d88a4ca22b654687d10187f1fa1322c537f3dd` |
| **Rewards** | `com.interactpak.rewards` | `~/.android/rewards-v2-release.keystore` | `rewards-v2` | *pending first signed build post-rebrand* |
| **Rewards OS (Movento)** *(retired 2026-04-22 — rebrand)* | `com.interactpak.movento` | `~/.android/movento-release.keystore` | `movento` | `0375e96fd89e4e9525780f38026202bbe90ce6a67a46f884440f99b9e84631d8` |
| **BVI** | `com.interactsolutions.bvi` | `~/.android/bvi-release.keystore` | `bvi` | `077b762e0409e404c6ee3c54b8de001aba712225263afa7fe628c604eebcac01` |
| **Grower OS (Progressive Farmer)** | `com.interactpak.ff` | `progressive-farmer/keystore/grower-os-release.jks` (in-repo) | `grower-os` | *to be recorded on next signed build* |
| **BulkSale** (wrapper) | `com.interactpak.bulksale` | `~/.android/bulksale-release.keystore` | `bulksale` | `2a24482aed73e4c3ec1e91c3d16393bfa6b2242760285947bd39b51f69dd97cf` |
| **ChemOps** (wrapper) | `com.interactpak.chemops` | `~/.android/chemops-release.keystore` | `chemops` | `400603f6a09cbf40921be3b0a7af95a0bed1ea3aa5a2e9f2f49f6ac96723c202` |
| **FleetOps** (wrapper) | `com.cgt.fleetops` | `~/.android/fleetops-release.keystore` | `fleetops` | `310d8f98ace03444727e4e984b5e27e1a9be037ee24fdf79c88aa5a47754e8e7` |
| **Farmer Education** (wrapper) | `com.interactpak.farmeredu` | `~/.android/farmer-edu-release.keystore` | `farmer-edu` | `ff9a3185511000aa6a3838ef1cb8b92fe03d410484f8ecd1f71cb2f4483d3205` |
| **Kissan Seminar** (wrapper) | `com.interactpak.kissanseminar` | `~/.android/kissan-seminar-release.keystore` | `kissan-seminar` | `a73b6d1b7c81662babd98a3f387b4b4b2c8c1b70f1e243539e90c91e3f360ac9` |
| **TMA Settlement** (wrapper) | `com.interactpak.tmasettlement` | `~/.android/tma-settlement-release.keystore` | `tma-settlement` | `1f6bb99cc1196054ab9a6c7b0939a1354ded58389d97098f7d2eb10618b75910` |
| **Interact Execute (ExecOS)** | `com.interactpak.execute` | *to be assigned — pending first signed build* | *to be assigned* | *to be recorded on next signed build* |
| **LeathX wrapper** *(deprecated — superseded by LeathX App above)* | `com.interactpak.leathx.wrapper` | — | — | *no longer shipped; use `com.interactpak.leathx`* |

## Verifying any INTERACT APK in the wild

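```bash
# Use an apksigner from the installed Android SDK build-tools (macOS path).
APKSIGNER=$(ls ~/Library/Android/sdk/build-tools/*/apksigner | tail -1)
# Print only the certificate DN and SHA-256 digest lines for the APK.
"$APKSIGNER" verify --verbose --print-certs "<path-to>.apk" | grep -E "DN:|SHA-256"
```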

Expected DN for all apps in this table: `CN=Shazia Muzaffar, OU=INTERACT, …`
Expected SHA-256: match the fingerprint in the table above for that app id.

Any mismatch → NOT authentic. Report to WhatsApp +92 300 2020179.
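The comparison above can be scripted so that a mismatch becomes an exit code instead of a visual check. This is an added example, not INTERACT's own tooling: the function names and the sample output are constructed, the DN and the Sahulat fingerprint are taken from this page, and the one-signer rule is an assumption.

```bash
#!/bin/sh
# Added example: check apksigner output against one row of the registry table.
EXPECTED_DN='CN=Shazia Muzaffar, OU=INTERACT, O=INTERACT, L=Karachi, ST=Sindh, C=PK'

# Lowercase and strip colons/spaces so keytool-style "AB:CD:..." also matches.
normalize_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'; }

# check_apk_cert EXPECTED_SHA256 < apksigner-output
# Returns 0 = authentic, 1 = mismatch, 2 = cannot decide.
check_apk_cert() {
  want=$(normalize_fp "$1")
  # Rows still marked "pending"/"to be recorded" have nothing to compare with.
  case "$want" in ''|*[!0-9a-f]*) echo "no recorded fingerprint"; return 2 ;; esac
  [ "${#want}" -eq 64 ] || { echo "no recorded fingerprint"; return 2; }
  out=$(cat)
  got=$(printf '%s\n' "$out" | sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: //p')
  dn=$(printf '%s\n' "$out" | sed -n 's/^Signer #[0-9]* certificate DN: //p')
  [ -n "$got" ] || { echo "no signer certificate in input"; return 2; }
  # Assumption: each app has exactly one signer; more than one is a mismatch.
  [ "$(printf '%s\n' "$got" | wc -l | tr -d ' ')" = 1 ] || { echo "MISMATCH: multiple signers"; return 1; }
  # The fingerprint is the real check: a DN can be copied into any self-signed cert.
  [ "$(normalize_fp "$got")" = "$want" ] || { echo "MISMATCH: fingerprint"; return 1; }
  [ "$dn" = "$EXPECTED_DN" ] || { echo "MISMATCH: DN"; return 1; }
  echo "OK"
}

# Constructed stand-in for `apksigner verify --print-certs` output (not a real run).
sample_output() {
  printf 'Number of signers: 1\n'
  printf 'Signer #1 certificate DN: %s\n' "${2:-$EXPECTED_DN}"
  printf 'Signer #1 certificate SHA-256 digest: %s\n' "$1"
}

# Real use: "$APKSIGNER" verify --print-certs app.apk | check_apk_cert "$SAHULAT_FP"
SAHULAT_FP='eff441555ea43691aa82a739ef6cd7fc6627fb9505cee91eb3ad2116ea879f80'
sample_output "$SAHULAT_FP" | check_apk_cert "$SAHULAT_FP"
```

Exit code 2 keeps the apps whose fingerprint is not yet recorded from being reported as either authentic or forged.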

## Keystore custody & recovery

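- All keystore files live at `~/.android/` on the INTERACT primary Mac. **NOT committed.** Exception per the table above: the Grower OS keystore is in-repo at `progressive-farmer/keystore/grower-os-release.jks`.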
- Passwords stored in the user's password manager.
- Loss of a keystore = cannot push updates to Play Store for that app id. Mitigation: enable **Play App Signing** on first Play Console upload; upload key can then be rotated even if the local keystore is lost.
- Monthly backup: copy `~/.android/*.keystore` to an encrypted external drive + cloud-backed password manager attachment.

## Play Console — upload-key strategy

When uploading each AAB to Play Console for the first time:

1. Select the app → **Setup → App integrity → App signing**.
2. Follow the "Use Play App Signing" wizard.
3. Choose **"Let Google generate and manage the app signing key"** (recommended).
4. Your local keystore becomes the **upload key** — rotatable.

If the keystore is lost post-rollout: Play Console → **Upload key reset** → generate a new one. Google accepts it since they hold the real signing key.
