When generating a Digital Asset Link we are supposed to asset links file contaning SHA-256 of our android app and post it to https://www.your-host.com/.well-known/assetlinks.json as stated here. So is it safe to post our SHA-256 publicly?
Just read through the documentation
Yes, it is safe to post the SHA-256 publicly. In fact, the SHA-256 fingerprint can be extracted from any signed API with the following with keytool -printcert -jarfile [path to APK or AAB] | grep SHA256
. Once installed, any other Android app can also read your SHA-256 key. Peter's AsseLinks Tool takes advantage of that to help people find what their SHA-256 key is.