If they have, then good. Wasn’t sure it was doable with current google’s signing process. Highly unlikely someone hasn’t tampered with them then (far easier to target the site displaying the “correct” fingerprint).

However, my original point still stands. Just because it is open source doesn’t in itself mean that a bad actor can’t tamper with it.