When we create the assetlinks.json file inside the invisible directory .well-known, which in turn is inside the public directory, are we making the file accessible to the public?
It seems to me that if the user types https://domain.name/.well-known/assetlinks.json in the browser, he/she will be able to see the content of the file, thus making my SHA-256 certificate fingerprint visible to the user.
Am I reading it wrong?
Yes, but it is not giving away private information.
The certificate itself is public because that is how the owner's public key is distributed. A fingerprint is a hash over the certificate. Since the hashes are known (e.g. SHA-256), then anyone can calculate a fingerprint from the public certificate.
Related links:
https://security.stackexchange.com/questions/186754/is-a-certificates-thumbprint-considered-private
https://www.ibm.com/docs/en/integration-bus/10.1?topic=overview-digital-certificates
How to properly compute the fingerprint of a certificate
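To see the answer's point in practice, the following added example (not from the original question or answer) computes a certificate's SHA-256 fingerprint two independent ways, once with `openssl x509 -fingerprint` and once by hand as SHA-256 over the DER bytes, and shows they agree using only the public certificate. It then renders the `sha256_cert_fingerprints` entry that assetlinks.json carries. The self-signed certificate is generated on the fly as a stand-in for an app signing certificate, and the package name is a placeholder; the private key is written only because the certificate has to be signed with something and is never read again, which is the whole point: nothing in the fingerprint depends on anything secret.

```shell
#!/bin/sh
# Added example (not from the original post): derive a certificate fingerprint
# from the public certificate alone. Requires the openssl CLI.
# The key, certificate and package name below are constructed placeholders.

set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed certificate standing in for an Android signing cert.
# Only demo.crt is used afterwards; demo.key is never read again.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-signer" \
    -keyout "$WORK/demo.key" -out "$WORK/demo.crt" 2>/dev/null
}

# Fingerprint as openssl reports it: SHA-256 over the DER encoding of the
# certificate, printed as colon-separated upper-case hex (the assetlinks.json form).
fingerprint_via_openssl() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*Fingerprint=//'
}

# Same value recomputed step by step: PEM -> DER bytes -> SHA-256 -> AA:BB:... .
fingerprint_by_hand() {
  openssl x509 -in "$1" -outform DER \
    | openssl dgst -sha256 -binary \
    | od -An -tx1 -v \
    | tr -d ' \n' \
    | tr 'a-f' 'A-F' \
    | sed 's/../&:/g; s/:$//'
}

# Render the assetlinks.json statement for this certificate.
# "com.example.placeholder" is a placeholder package name.
render_assetlinks() {
  printf '[{"relation":["delegate_permission/common.handle_all_urls"],"target":{"namespace":"android_app","package_name":"com.example.placeholder","sha256_cert_fingerprints":["%s"]}}]\n' "$1"
}

make_demo_cert
FP_OPENSSL=$(fingerprint_via_openssl "$WORK/demo.crt")
FP_MANUAL=$(fingerprint_by_hand "$WORK/demo.crt")

echo "openssl: $FP_OPENSSL"
echo "manual : $FP_MANUAL"
render_assetlinks "$FP_OPENSSL"
```

Both paths print the same 95-character string, and neither touches the private key. Publishing that string in `.well-known/assetlinks.json` tells a client which signing certificate to expect for the app; it does not let anyone reproduce a signature, because that still requires the key that only the developer holds.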