Do others get the same hashsum of F-Droid's apk?

Hi there,

I am trying to install the F-Droid app on my Android device.

I have downloaded the apk and PGP signature from the F-Droid start page and followed the steps detailed here: SHA256 checksum of FDroid.apk

When I verify the apk file against the PGP signature I get:

gpg --verify FDroid.apk.asc FDroid.apk
gpg: Signature made Fri 10 Aug 2018 08:53:03 PM CEST
gpg:                using RSA key 7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A

The signature seems to be valid and its fingerprints match the values written on this page:

https://f-droid.org/docs/Release_Channels_and_Signing_Keys/?title=Release_Channels_and_Signing_Keys

However, when I try to check the shasum, I get the following:

shasum -a 256 'FDroid.apk'
a8f7d9a92f79b7579a77f1163028f9e131fe3b2e4471512e39b5e335be7baf26

This latter value does not match any of the shasum values posted on the link mentioned above (Release Channels and Signing Keys). Or perhaps I do not know how to verify the APK signing key.

Does anyone know how I can finish verifying the integrity of the FDroid.apk that I downloaded, and hence be sure that it has not been tampered with?

Thanks in advance for your help.

Where on that page is the SHA256 HASH of the APK exactly?

Seeing the same hash for this apk: https://f-droid.org/FDroid.apk

> sha256sum FDroid.apk
a8f7d9a92f79b7579a77f1163028f9e131fe3b2e4471512e39b5e335be7baf26

Thanks for your answer. Yeah, that was the same link from where I downloaded the apk. Glad to hear that I have the correct shasum value.

Regarding the “Release Channels and Signing Keys” site,
I think you are right; I think I might have got confused with the signing key sha256sum (43:23:8D:51:2C:1E:5E:B2:D6:56:9F:4A:3A:FB:F5:52:34:18:B8:2E:0A:3E:D1:55:27:70:AB:B9:A9:C9:CC:AB).

Do you think I can safely proceed to install the apk on my Android device? I tried to verify the signing key (37D2C98789D8311948394E3E41E7044E1DBA2E89?) however I really do not know how to do that. I think it is explained in this part of the “Release Channels and Signing Keys” web:

sudo apt-get install wget vim-common unzip openjdk-8-jdk-headless
wget https://f-droid.org/assets/admin@f-droid.org.jar

# verify against the key embedded in fdroidclient
git clone https://gitlab.com/fdroid/fdroidclient
grep -m1 -Eo '3082035e[0-9a-f]+' fdroidclient/app/src/main/res/values/default_repos.xml | xxd -r -p - > fdroidclient.der
keytool -import -noprompt -trustcacerts -alias fdroidclient -storepass android -file fdroidclient.der -keystore fdroidclient.jks
jarsigner -keystore fdroidclient.jks -storepass android -strict -verify admin@f-droid.org.jar

# verify against the key that signed the index.jar
wget https://f-droid.org/repo/index.jar
unzip -p index.jar META-INF/CIARANG.RSA | openssl pkcs7 -print_certs -inform DER -out index.cer
keytool -import  -noprompt -trustcacerts -alias index -storepass android -file index.cer -keystore index.jks
jarsigner -keystore index.jks -storepass android -strict -verify admin@f-droid.org.jar

# verify against the key that is embedded in this page (the docs URL needs the .org domain)
wget -O - https://f-droid.org/docs/Release_Channels_and_Signing_Keys/ | openssl x509 -inform pem -outform der -out docs.der
keytool -import -noprompt -trustcacerts -alias docs -storepass android -file docs.der -keystore docs.jks
jarsigner -keystore docs.jks -storepass android -strict -verify admin@f-droid.org.jar

# when satisfied with the verification, import it
unzip admin@f-droid.org.jar admin@f-droid.org.asc
gpg --import admin@f-droid.org.asc

Sadly I do not have a great background in computer technical matters, so everything there looks a bit confusing to me.

Can anyone help?

Thanks for your help.


Yes, it is safe to install it. When you have manually compared the key fingerprints to those on the website you know that the installer is genuine.
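The manual comparison described in this reply (APK hash against the published hash, gpg's printed fingerprint against the documented one) is easy to get wrong by hand, as the thread shows: the poster compared the APK's SHA-256 with the colon-separated SHA-256 fingerprint of the signing certificate, which are two different things. The script below is an added example written for this thread, not F-Droid's own tooling. It normalises the different hex layouts before comparing, hashes a file in chunks, and parses the human-readable `gpg --verify` output quoted in the first post (embedded here as constructed sample input) to check that the signature is "Good" and that the primary key fingerprint is the expected one. The function names and the expected values are taken from or chosen for this thread.

```python
import hashlib
import hmac
import re

# Values copied from the thread: the APK hash two posters independently saw,
# the primary key fingerprint printed by gpg, and the signing *certificate*
# fingerprint the poster mistakenly compared the APK hash against.
EXPECTED_APK_SHA256 = "a8f7d9a92f79b7579a77f1163028f9e131fe3b2e4471512e39b5e335be7baf26"
EXPECTED_PRIMARY_FPR = "37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89"
SIGNING_CERT_SHA256 = ("43:23:8D:51:2C:1E:5E:B2:D6:56:9F:4A:3A:FB:F5:52:"
                       "34:18:B8:2E:0A:3E:D1:55:27:70:AB:B9:A9:C9:CC:AB")

# Constructed sample input: the gpg --verify output quoted in the first post.
SAMPLE_GPG_OUTPUT = """\
gpg: Signature made Fri 10 Aug 2018 08:53:03 PM CEST
gpg:                using RSA key 7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A
"""


def normalize_hex(value: str) -> str:
    """Drop whitespace and colons and lowercase, so the spaced form gpg prints,
    the colon form keytool prints and a bare hex string all compare equal."""
    return re.sub(r"[\s:]", "", value).lower()


def hex_equal(a: str, b: str) -> bool:
    """Compare two hex digests/fingerprints regardless of layout or case."""
    return hmac.compare_digest(normalize_hex(a), normalize_hex(b))


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large APKs are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_gpg_verify(output: str) -> dict:
    """Extract the verdict and both fingerprints from gpg's human-readable output.
    gpg is deliberately not invoked here; the caller passes in its stderr text."""
    info = {"good": False, "primary": None, "subkey": None}
    for line in output.splitlines():
        if line.startswith("gpg: Good signature from"):
            info["good"] = True
        m = re.match(r"\s*Primary key fingerprint:\s*(.+?)\s*$", line)
        if m:
            info["primary"] = normalize_hex(m.group(1))
        m = re.match(r"\s*Subkey fingerprint:\s*(.+?)\s*$", line)
        if m:
            info["subkey"] = normalize_hex(m.group(1))
    return info


def check_signature(output: str, expected_primary: str) -> bool:
    """True only if gpg reported a good signature AND the primary key fingerprint
    matches the one we trust. 'Good signature' alone proves nothing when the key
    is [unknown]: any key could have produced a 'good' signature over the file."""
    info = parse_gpg_verify(output)
    return bool(info["good"]) and info["primary"] is not None \
        and hex_equal(info["primary"], expected_primary)


def check_apk(path: str, output: str) -> dict:
    """Run both checks the reply above asks for and report each result."""
    return {
        "hash_matches": hex_equal(sha256_file(path), EXPECTED_APK_SHA256),
        "signature_ok": check_signature(output, EXPECTED_PRIMARY_FPR),
    }


if __name__ == "__main__":
    import sys
    # Usage: python verify_fdroid.py FDroid.apk < gpg_output.txt
    print(check_apk(sys.argv[1], sys.stdin.read()))
```

Because the text parsed here is gpg's localised human-readable output, a production script should run gpg with `--status-fd` and read the machine-readable `[GNUPG:] VALIDSIG` line instead, which carries the primary key fingerprint in a stable format; the parsing above is kept to the lines already quoted in the thread.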
