Submit Android apps to our AppVerifier database

ignoramous:

For build attestations? GitHub is great!

I think the workflow we will end up having is self-hosting a copy of data.yml on a privacyguides.org domain, and then recommending people download it from us and verify that download against GitHub with the gh commands above. The end goals on our end would be two sources of truth (us & GitHub) and revocable releases of the data.

There is also a Level 4, FWIW. Looking at SLSA • Requirements I think we could meet the source/build/provenance requirements for 3 (not 4) with releases, thanks for the note