Apkpure APK verification reports modified/untrusted modified F-Droid apk file

Wanting to verify and install F-Droid but received this:

https://apkpure.com/apk-signature-verification

[Not Trusted] This F-Droid.apk APK is a modified version, we don’t recommend installing it.

Package Name : org.fdroid.fdroid

Signature : 05f2e65928088981b317fc9a6dbfe04b0fa13b4e

File SHA1 : f60b4bd53581885de093a3ca49e2a7f90a926a44

File Size : 8.0 MB

Has this apk been modified / tampered with?

Also, why does this site think it is malicious as well? (I realize there can be false positives but I like to be thorough and dislike conflicting information).

https://www.joesandbox.com/analysis/343527/0/html

Hi, PGP signature is correct for F-droid.apk and
SHA256: 8476D8951D764DE3B732FB41D080C95B1FCDF140CCFF5675364B797D272F92F2
SHA1: F60B4BD53581885DE093A3CA49E2A7F90A926A44

PGP Public key is here: F-Droid's PGP key has expired - #4 by hans
Or you can find it in keyservers, ID: 41E7 044E 1DBA 2E89
Fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89

Maybe Apkpure has an incorrect public key (?)
I honestly don’t even know what joesandbox is, that analysis seems to be just “I find this TOR string” without analyzing what it is used for.

1 Like

Wait a minute, OP wanted to install F-Droid.apk from a different source than f-droid.org

Why, ffs. :slight_smile: :slight_smile:

No one said that (?)

1 Like

Omg., ok I’m so blind. Apologies.

Hi Morgoth, where are those checksums saved (a mailing list or prior forum posting) that you listed? The only ones I found referred to the certificate fingerprints. https://f-droid.org/docs/Release_Channels_and_Signing_Keys/

If someone compromised the F-Droid server (and webpage), they would change the checksums too. You need to download the “PGP Signature” that is attached to the apk; you need PGP software to verify the apk, and use the apk signature with the PGP public key from F-Droid. Public keys are generated from a private key, and only F-Droid has this private key, so if some malicious entity compromises the server, it shouldn’t be able to replicate the public key (because it is generated by a strong encryption algorithm).

This means that if the PGP signature attached to the apk is compromised, it would not match the public key that is published in keyservers.

  • GNU/Linux distribution: install gnupg from the terminal, then search for the key for admin@f-droid.org and import it: gpg --search-keys admin@f-droid.org
    The ID should be 41E7 044E 1DBA 2E89, primary fingerprint 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89. (You can find the subkey in the link you posted; also verify the primary fingerprint.)
    Then, gpg --verify /path/to/file/F-Droid.apk.asc (the APK should be in the same folder). After that, it should output “Good signature…”, probably with a warning because you didn’t certify the key; no problem if the fingerprint of the public key matches.

  • Android: install Termux, then gnupg, same process.
    Or install OpenKeyChain.

  • Windows: install Gpg4win (Kleopatra is the GUI), process should be easier, just go ahead and search for F-Droid public key (search function inside the program) and import, then verify.
    “Firma correcta” : Good signature.

1 Like
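The verification steps described in the reply above, scripted, as an added example that is not from this thread, from F-Droid or from GnuPG. It assumes gpg is installed and the F-Droid key has already been imported, and it decides from gpg's machine-readable --status-fd lines instead of grepping the localized “Good signature” / “Firma correcta” text. The important check is the last field of the VALIDSIG line, the primary-key fingerprint: F-Droid signs with a subkey, so the signing fingerprint differs, and pinning the primary fingerprint is what defeats an attacker who publishes their own key under the same name. The sample status output embedded below is constructed; only the primary fingerprint is the one quoted in the thread, the subkey ids, timestamps and algorithm numbers are made up.

```python
"""Scripted check of a detached PGP signature on an APK, pinned to a primary-key fingerprint."""
import subprocess

# Primary fingerprint of the admin@f-droid.org key as quoted in the thread (grouping spaces removed).
FDROID_PRIMARY_FPR = "37D2C98789D8311948394E3E41E7044E1DBA2E89"

# Status keywords that mean the verification must be rejected even if other lines look fine.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def normalize_fpr(fpr: str) -> str:
    """Strip the 4-character grouping gpg prints and upper-case, so fingerprints compare reliably."""
    return "".join(fpr.split()).upper()


def parse_status(status_text: str) -> dict:
    """Reduce gpg --status-fd output to the facts a verifier needs.

    VALIDSIG carries, in order: signing-key fpr, date, timestamp, expiry, sig version,
    reserved, pubkey algo, hash algo, sig class, and finally the PRIMARY key fingerprint.
    """
    result = {"good": False, "rejected": False, "signing_fpr": None, "primary_fpr": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # anything else is human-readable noise
        tokens = line.split()
        keyword = tokens[1]
        if keyword == "GOODSIG":
            result["good"] = True
        elif keyword in REJECT_KEYWORDS:
            result["rejected"] = True
        elif keyword == "VALIDSIG" and len(tokens) >= 12:
            result["signing_fpr"] = tokens[2].upper()
            result["primary_fpr"] = tokens[11].upper()
    return result


def signature_is_trusted(status: dict, expected_primary_fpr: str) -> bool:
    """Accept only a good signature whose primary-key fingerprint equals the pinned one.

    The pinned value replaces the web-of-trust check, so TRUST_UNDEFINED (the warning the
    reply mentions, because the key was never certified locally) is expected and ignored.
    """
    if status["rejected"] or not status["good"] or status["primary_fpr"] is None:
        return False
    return status["primary_fpr"] == normalize_fpr(expected_primary_fpr)


def verify_apk(apk_path: str, sig_path: str, expected_primary_fpr: str = FDROID_PRIMARY_FPR) -> bool:
    """Run gpg in batch mode (assumes gpg on PATH and the key imported) and judge the status lines.

    --status-fd 1 sends the machine-readable lines to stdout; the localized text goes to stderr.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, apk_path],
        capture_output=True, text=True, check=False,
    )
    return signature_is_trusted(parse_status(proc.stdout), expected_primary_fpr)


# Constructed sample (no real gpg run): a subkey signature over the APK, made-up subkey id and
# fingerprint, made-up timestamps; only the primary fingerprint at the end is F-Droid's.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 F-Droid <admin@f-droid.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2021-01-15 1610712345 0 4 0 1 10 00 37D2C98789D8311948394E3E41E7044E1DBA2E89
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: same key, but the APK bytes no longer match the signature.
SAMPLE_TAMPERED = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 F-Droid <admin@f-droid.org>
"""

# Constructed: a perfectly valid signature, but from a key somebody else published under the same name.
SAMPLE_WRONG_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 F-Droid <admin@f-droid.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2021-01-15 1610712345 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("tampered", SAMPLE_TAMPERED), ("wrong key", SAMPLE_WRONG_KEY)):
        print(label, "->", signature_is_trusted(parse_status(sample), FDROID_PRIMARY_FPR))
    # For a real file: verify_apk("F-Droid.apk", "F-Droid.apk.asc")
```

The “wrong key” sample is the scenario raised later in the thread (anyone can post a key pair and point at it): gpg reports GOODSIG and VALIDSIG for it just as it does for the real key, and only the pinned primary fingerprint separates the two.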

I installed OpenKeyChain on Android some time ago. I clicked the “+” for adding a new key and then “Key Search” using that string you indicated:

“Keyring has no valid user IDs! – Import operation failed!”

Using Linux:

gpg2 --search-keys admin@f-droid.org
gpg: error searching keyserver: General error
gpg: keyserver search failed: General error

I don’t know how many servers the key is on, at least it should be on this server.

gpg --keyserver hkps.pool.sks-keyservers.net --search-keys admin@f-droid.org

RSA key 41E7044E1DBA2E89

Thank you for the reply. Although that doesn’t make me feel warm and fuzzy. The keys should be readily available from standard servers and verifiable from standard tools. Otherwise I could post a key pair on my server and cite this for validation, couldn’t I? This validation should be straightforward and so far it has been anything but that.

Related: How do I verify / validate the apk's available here on github? Are the checksum hashes not on alternate servers from github for assured validation? · Issue #745 · Catfriend1/syncthing-android · GitHub

The keys should be readily available from standard servers and verifiable from standard tools

hkps.pool.sks-keyservers.net is a standard server actually. Also available at http://keys.gnupg.net/ and https://keyserver.ubuntu.com

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.