APK verification instructions

To confirm that the 1DBA2E89 admin@f-droid.org PGP key is trusted

I’m assuming you are referring to the block of commands below this paragraph.

Do all 3 sets of the Verification commands need to be entered?

Yes? I think it really depends on how paranoid you are.

I think those commands are meant to provide another way of validating the key (outside any relationship to your own key), by verifying that it's been trusted by the other keys used by F-Droid: the key used to sign the repository (index.jar), the one embedded in the client, on the website, etc. An attacker would need to compromise all three.

I had downloaded the version 1.6.2 files (org.fdroid.fdroid_1006052.apk.asc & org.fdroid.fdroid_1006052.apk.asc) because I did not want to install an Alpha or Beta version.

After I ran the commands listed under “To confirm that the 1DBA2E89 admin@f-droid.org PGP key is trusted by the index”, I ran the following command …

gpg --verify org.fdroid.fdroid_1006052.apk.asc

… and received the following output.

gpg: assuming signed data in ‘org.fdroid.fdroid_1006052.apk’
gpg: Signature made Tue 21 May 2019 11:09:05 -05
gpg: using RSA key 7A029E54DD5DCE7A
gpg: Good signature from “F-Droid admin@f-droid.org” [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
Subkey fingerprint: 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D CE7A

The following line has me concerned.

gpg: Note: This key has expired!

I am new to Android and I want to remove/disable ALL Google apps, if possible, from my phone (UMIDIGI Z2 Special Edition) and install Private alternatives. Will I be able to do that?

Thanks!
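An added example, not part of the original posts or of F-Droid's instructions: gpg's machine-readable status output (`--status-fd`) reports a cryptographically valid signature from an expired key as `EXPKEYSIG` rather than `GOODSIG`, and `VALIDSIG` carries the primary key fingerprint, so a script can separate "expired key" from "bad signature" or "wrong key". The function name, verdict strings and sample status lines are constructed for illustration; only the fingerprints and key ID come from the thread.

```shell
#!/bin/sh
# Added example: turn `gpg --status-fd 1 --verify FILE.asc` output into one verdict.
# Primary key fingerprint as quoted in this thread (spaces removed).
PINNED_FPR="37D2C98789D8311948394E3E41E7044E1DBA2E89"

# classify_status PINNED < status-lines
# Fails closed: anything without a VALIDSIG from the pinned primary key is rejected.
classify_status() {
    awk -v pinned="$1" '
        $1 != "[GNUPG:]"  { next }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "REVKEYSIG" { revoked = 1 }
        $2 == "EXPKEYSIG" { expkey = 1 }
        $2 == "EXPSIG"    { expsig = 1 }
        $2 == "GOODSIG"   { good = 1 }
        # Last VALIDSIG field is the primary key fingerprint.
        $2 == "VALIDSIG"  { valid = 1; primary = $NF }
        END {
            if (bad)                    print "bad-signature"
            else if (!valid)            print "no-valid-signature"
            else if (primary != pinned) print "wrong-key"
            else if (revoked)           print "key-revoked"
            else if (expkey)            print "valid-but-key-expired"
            else if (expsig)            print "valid-but-signature-expired"
            else if (good)              print "good"
            else                        print "no-valid-signature"
        }'
}

# Constructed status lines (not captured from a real run); key IDs are from the thread.
SUBKEY="802A9799016112346E1FEFF47A029E54DD5DCE7A"
SAMPLE_EXPIRED="[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 7A029E54DD5DCE7A F-Droid admin@f-droid.org
[GNUPG:] VALIDSIG $SUBKEY 2019-05-21 1558454945 0 4 0 1 8 00 $PINNED_FPR"
SAMPLE_TAMPERED="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 7A029E54DD5DCE7A F-Droid admin@f-droid.org"
# Valid signature, but from a placeholder key that is not the pinned one.
OTHER="0000000000000000000000000000000000000001"
SAMPLE_OTHER_KEY="[GNUPG:] GOODSIG 0000000000000001 Someone Else
[GNUPG:] VALIDSIG $OTHER 2019-05-21 1558454945 0 4 0 1 8 00 $OTHER"

for s in "$SAMPLE_EXPIRED" "$SAMPLE_TAMPERED" "$SAMPLE_OTHER_KEY"; do
    printf '%s\n' "$s" | classify_status "$PINNED_FPR"
done
```

Against a real download the input would come from `gpg --status-fd 1 --verify org.fdroid.fdroid_1006052.apk.asc 2>/dev/null | classify_status "$PINNED_FPR"`.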
