feat: implement package and signing key verification for app linking

- Add validation logic to verify that the linked GitHub repository's APK matches the installed app's package name and signing fingerprint
- Implement background verification process: check latest release, download APK, and extract signing info before linking
- Update `AppsViewModel` to handle the verification workflow and provide real-time status updates
- Enhance `LinkAppBottomSheet` UI to display validation status messages (e.g., "Checking latest release...", "Verifying signing key...")
- Add new localized strings for mismatch errors and validation status steps
- Ensure temporary APK files used for verification are deleted after the process completes

Author: rainxchzed

core/presentation/src/commonMain/composeResources/values/strings.xml

@@ -550,6 +550,11 @@
     <string name="repo_url_hint">github.com/owner/repo</string>
     <string name="validating_repo">Validating…</string>
     <string name="link_and_track">Link &amp; Track</string>
+    <string name="checking_release">Checking latest release…</string>
+    <string name="downloading_for_verification">Downloading APK for verification…</string>
+    <string name="verifying_signing_key">Verifying signing key…</string>
+    <string name="package_name_mismatch">Package name mismatch: the APK is %1$s, but the selected app is %2$s</string>
+    <string name="signing_key_mismatch_link">Signing key mismatch: the APK in this repository was signed by a different developer than the installed app</string>
     <string name="export_apps">Export</string>
     <string name="import_apps">Import</string>
     <string name="import_apps_title">Import apps</string>

feature/apps/presentation/src/commonMain/kotlin/zed/rainxch/apps/presentation/AppsState.kt

@@ -26,6 +26,7 @@ data class AppsState(
     val repoUrl: String = "",
     val isValidatingRepo: Boolean = false,
     val repoValidationError: String? = null,
+    val linkValidationStatus: String? = null,
     val fetchedRepoInfo: GithubRepoInfo? = null,
     // Export/Import
     val isExporting: Boolean = false,

feature/apps/presentation/src/commonMain/kotlin/zed/rainxch/apps/presentation/AppsViewModel.kt

@@ -20,6 +20,7 @@ import zed.rainxch.apps.presentation.model.AppItem
 import zed.rainxch.apps.presentation.model.UpdateAllProgress
 import zed.rainxch.apps.presentation.model.UpdateState
 import zed.rainxch.core.domain.logging.GitHubStoreLogger
+import zed.rainxch.core.domain.model.DeviceApp
 import zed.rainxch.core.domain.model.InstalledApp
 import zed.rainxch.core.domain.model.RateLimitException
 import zed.rainxch.core.domain.network.Downloader
@@ -736,6 +737,7 @@ class AppsViewModel(
                 selectedDeviceApp = null,
                 repoUrl = "",
                 repoValidationError = null,
+                linkValidationStatus = null,
                 fetchedRepoInfo = null,
                 isValidatingRepo = false,
             )
@@ -753,25 +755,47 @@ class AppsViewModel(
             }
 
         viewModelScope.launch {
-            _state.update { it.copy(isValidatingRepo = true, repoValidationError = null) }
+            _state.update {
+                it.copy(
+                    isValidatingRepo = true,
+                    repoValidationError = null,
+                    linkValidationStatus = null,
+                )
+            }
 
             try {
+                _state.update { it.copy(linkValidationStatus = getString(Res.string.validating_repo)) }
+
                 val repoInfo = appsRepository.fetchRepoInfo(owner, repo)
                 if (repoInfo == null) {
                     _state.update {
                         it.copy(
                             isValidatingRepo = false,
+                            linkValidationStatus = null,
                             repoValidationError = "Repository not found: $owner/$repo",
                         )
                     }
                     return@launch
                 }
 
+                val validationError = validateSigningFingerprint(selectedApp, owner, repo)
+                if (validationError != null) {
+                    _state.update {
+                        it.copy(
+                            isValidatingRepo = false,
+                            linkValidationStatus = null,
+                            repoValidationError = validationError,
+                        )
+                    }
+                    return@launch
+                }
+
                 appsRepository.linkAppToRepo(selectedApp, repoInfo)
 
                 _state.update {
                     it.copy(
                         isValidatingRepo = false,
+                        linkValidationStatus = null,
                         showLinkSheet = false,
                     )
                 }
@@ -782,6 +806,7 @@ class AppsViewModel(
                 _state.update {
                     it.copy(
                         isValidatingRepo = false,
+                        linkValidationStatus = null,
                         repoValidationError = "GitHub API rate limit exceeded. Try again later.",
                     )
                 }
@@ -790,13 +815,75 @@ class AppsViewModel(
                 _state.update {
                     it.copy(
                         isValidatingRepo = false,
+                        linkValidationStatus = null,
                         repoValidationError = "Failed to link: ${e.message}",
                     )
                 }
             }
         }
     }
 
+    private suspend fun validateSigningFingerprint(
+        deviceApp: DeviceApp,
+        owner: String,
+        repo: String,
+    ): String? {
+        val latestRelease = try {
+            _state.update { it.copy(linkValidationStatus = getString(Res.string.checking_release)) }
+            appsRepository.getLatestRelease(owner, repo)
+        } catch (e: RateLimitException) {
+            throw e
+        } catch (e: Exception) {
+            logger.debug("Could not fetch release for validation: ${e.message}")
+            return null
+        }
+
+        if (latestRelease == null) return null
+
+        val installableAssets = latestRelease.assets.filter { installer.isAssetInstallable(it.name) }
+        if (installableAssets.isEmpty()) return null
+
+        val asset = installer.choosePrimaryAsset(installableAssets) ?: return null
+
+        _state.update { it.copy(linkValidationStatus = getString(Res.string.downloading_for_verification)) }
+
+        var filePath: String? = null
+        try {
+            downloader.download(asset.downloadUrl, asset.name).collect { /* progress tracked by spinner */ }
+
+            filePath = downloader.getDownloadedFilePath(asset.name) ?: return null
+
+            _state.update { it.copy(linkValidationStatus = getString(Res.string.verifying_signing_key)) }
+
+            val apkInfo = installer.getApkInfoExtractor().extractPackageInfo(filePath)
+            if (apkInfo == null) {
+                logger.debug("Could not extract APK info for validation")
+                return null
+            }
+
+            if (apkInfo.packageName != deviceApp.packageName) {
+                return getString(
+                    Res.string.package_name_mismatch,
+                    apkInfo.packageName,
+                    deviceApp.packageName,
+                )
+            }
+
+            val deviceFingerprint = deviceApp.signingFingerprint
+            val apkFingerprint = apkInfo.signingFingerprint
+
+            if (deviceFingerprint != null && apkFingerprint != null && deviceFingerprint != apkFingerprint) {
+                return getString(Res.string.signing_key_mismatch_link)
+            }
+
+            return null
+        } finally {
+            try {
+                if (filePath != null) File(filePath).delete()
+            } catch (_: Exception) { }
+        }
+    }
+
     private fun parseGithubUrl(input: String): Pair<String, String>? {
         val cleaned =
             input

feature/apps/presentation/src/commonMain/kotlin/zed/rainxch/apps/presentation/components/LinkAppBottomSheet.kt

@@ -89,6 +89,7 @@ fun LinkAppBottomSheet(
                     repoUrl = state.repoUrl,
                     isValidating = state.isValidatingRepo,
                     validationError = state.repoValidationError,
+                    validationStatus = state.linkValidationStatus,
                     onUrlChanged = { onAction(AppsAction.OnRepoUrlChanged(it)) },
                     onConfirm = { onAction(AppsAction.OnValidateAndLinkRepo) },
                     onBack = { onAction(AppsAction.OnBackToAppPicker) },
@@ -239,6 +240,7 @@ private fun EnterUrlStep(
     repoUrl: String,
     isValidating: Boolean,
     validationError: String?,
+    validationStatus: String?,
     onUrlChanged: (String) -> Unit,
     onConfirm: () -> Unit,
     onBack: () -> Unit,
@@ -338,5 +340,15 @@ private fun EnterUrlStep(
                 )
             }
         }
+
+        if (isValidating && validationStatus != null) {
+            Spacer(Modifier.height(8.dp))
+            Text(
+                text = validationStatus,
+                style = MaterialTheme.typography.bodySmall,
+                color = MaterialTheme.colorScheme.onSurfaceVariant,
+                modifier = Modifier.fillMaxWidth(),
+            )
+        }
     }
 }