Hi, PGP signature is correct for F-droid.apk and
SHA256: 8476D8951D764DE3B732FB41D080C95B1FCDF140CCFF5675364B797D272F92F2
SHA1: F60B4BD53581885DE093A3CA49E2A7F90A926A44
PGP Public key is here: F-Droid's PGP key has expired - #4 by hans
Or you can find it in keyservers, ID: 41E7 044E 1DBA 2E89
Fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
Maybe Apkpure has an incorrect public key (?)
I honestly don’t even know what joesandbox is, that analysis seems to be just “I find this TOR string” without analyzing what it is used for.