Do others get the same hashsum of F-Droid's apk?

#1

Hi there,

I am trying to install the F-Droid app on my Android device.

I have downloaded the apk and the PGP signature from the F-Droid start page and followed the steps detailed here: SHA256 checksum of FDroid.apk

When I verify the apk file against the PGP signature I get:

gpg --verify FDroid.apk.asc FDroid.apk
gpg: Signature made Fri 10 Aug 2018 08:53:03 PM CEST
gpg:                using RSA key 7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A

The signature seems to be valid and its fingerprints match the values written on this page:

https://f-droid.org/docs/Release_Channels_and_Signing_Keys/?title=Release_Channels_and_Signing_Keys

However, when I try to check the shasum, I get the following:

shasum -a 256 'FDroid.apk'
a8f7d9a92f79b7579a77f1163028f9e131fe3b2e4471512e39b5e335be7baf26

This latter value does not match any of the shasum values posted on the above-mentioned link (Release Channels and Signing Keys). Or else I do not know how to verify the APK signing key.

Does anyone know how I can finish verifying the integrity of the FDroid.apk that I downloaded, and hence be sure that it has not been tampered with?

Thanks in advance for your help.

#2

Where on that page is the SHA256 HASH of the APK exactly?

Seeing the same hash for this apk: https://f-droid.org/FDroid.apk

> sha256sum FDroid.apk
a8f7d9a92f79b7579a77f1163028f9e131fe3b2e4471512e39b5e335be7baf26
#3

Thanks for your answer. Yeah, that was the same link from which I downloaded the apk. Glad to hear that I have the correct shasum value.

Regarding the “Release Channels and Signing Keys” site,
I think you are right, I think I might have got confused with the signing key sha256sum (43:23:8D:51:2C:1E:5E:B2:D6:56:9F:4A:3A:FB:F5:52:34:18:B8:2E:0A:3E:D1:55:27:70:AB:B9:A9:C9:CC:AB).

Do you think I can safely proceed to install the apk on my Android device? I tried to verify the signing key (37D2C98789D8311948394E3E41E7044E1DBA2E89?), however I really do not know how to do that. I think it is explained in this part of the “Release Channels and Signing Keys” web:

sudo apt-get install wget vim-common unzip openjdk-8-jdk-headless
# fetch the signed jar that carries the admin@f-droid.org PGP key
wget https://f-droid.org/assets/admin@f-droid.org.jar

# verify against the key embedded in fdroidclient
git clone https://gitlab.com/fdroid/fdroidclient
grep -m1 -Eo '3082035e[0-9a-f]+' fdroidclient/app/src/main/res/values/default_repos.xml | xxd -r -p - > fdroidclient.der
keytool -import -noprompt -trustcacerts -alias fdroidclient -storepass android -file fdroidclient.der -keystore fdroidclient.jks
jarsigner -keystore fdroidclient.jks -storepass android -strict -verify admin@f-droid.org.jar

# verify against the key that signed the index.jar
wget https://f-droid.org/repo/index.jar
unzip -p index.jar META-INF/CIARANG.RSA | openssl pkcs7 -print_certs -inform DER -out index.cer
keytool -import  -noprompt -trustcacerts -alias index -storepass android -file index.cer -keystore index.jks
jarsigner -keystore index.jks -storepass android -strict -verify admin@f-droid.org.jar

# verify against the key that is embedded in this page
# (openssl x509 skips everything in the fetched HTML before the first PEM block)
wget -O - https://f-droid.org/docs/Release_Channels_and_Signing_Keys/ | openssl x509 -inform pem -outform der -out docs.der
keytool -import -noprompt -trustcacerts -alias docs -storepass android -file docs.der -keystore docs.jks
jarsigner -keystore docs.jks -storepass android -strict -verify admin@f-droid.org.jar

# when satisfied with the verification, import it
unzip admin@f-droid.org.jar admin@f-droid.org.asc
gpg --import admin@f-droid.org.asc

Sadly I do not have a great background in computer technical matters, so everything there looks a bit confusing to me.

Can anyone help?

Thanks for your help.

#4

Yes, it is safe to install it. When you have manually compared the key fingerprints to those on the website, you know that the installer is genuine.
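The confusion in this thread is between two different SHA-256 values: the hash of the FDroid.apk file (a8f7d9a9… above, which nobody publishes on the docs page) and the fingerprint of the certificate that signed the APK (the colon-separated 43:23:8D:… value from the Release Channels page). The following script, an added example and not code from the F-Droid project or from anyone in the thread, pulls the signer certificate out of the APK's v1 signature block, prints its fingerprint in the same colon-separated form, and compares it to the published value. It assumes the `openssl` command is on PATH (it is used to unwrap the PKCS#7 blob under META-INF/), that the APK path is given on the command line, and that `gpg` is installed for the optional detached-signature check from post #1. Note what it does not do: it only tells you which certificate is carried in the signature block, it does not validate the JAR signature over the APK contents itself; `jarsigner -verify -certs FDroid.apk` or `apksigner verify --print-certs FDroid.apk` do that.

```python
"""Compare the SHA-256 fingerprint of an APK's signing certificate with a
published fingerprint (added example; assumes the `openssl` CLI is on PATH)."""
import base64
import hashlib
import hmac
import re
import subprocess
import sys
import zipfile

# Fingerprint of the F-Droid client signing certificate as quoted in the thread.
FDROID_CERT_SHA256 = ("43:23:8D:51:2C:1E:5E:B2:D6:56:9F:4A:3A:FB:F5:52:"
                      "34:18:B8:2E:0A:3E:D1:55:27:70:AB:B9:A9:C9:CC:AB")


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of a DER-encoded certificate in the colon-separated form the docs use."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop colons/spaces and upper-case so differently formatted fingerprints compare."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprints_match(actual: str, expected: str) -> bool:
    """Constant-time comparison of two fingerprints regardless of formatting."""
    return hmac.compare_digest(normalize(actual), normalize(expected))


def pem_to_der_blocks(pem_text: str) -> list:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def signing_certs_from_apk(apk_path: str) -> list:
    """Extract the certificates from every META-INF/*.RSA|DSA|EC (v1 JAR signature) block.

    openssl is used only to unwrap the PKCS#7 SignedData; a genuine F-Droid APK
    carries a single self-signed certificate, so one fingerprint comes back."""
    certs = []
    with zipfile.ZipFile(apk_path) as apk:
        for name in apk.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                pkcs7 = apk.read(name)
                pem = subprocess.run(
                    ["openssl", "pkcs7", "-inform", "DER", "-print_certs"],
                    input=pkcs7, capture_output=True, check=True).stdout.decode()
                certs.extend(pem_to_der_blocks(pem))
    return certs


def verify_apk(apk_path: str, expected_fp: str = FDROID_CERT_SHA256) -> bool:
    """True when every certificate in the signature block has the expected fingerprint."""
    certs = signing_certs_from_apk(apk_path)
    if not certs:
        raise ValueError("no v1 signature block found in %s" % apk_path)
    return all(fingerprints_match(fingerprint(c), expected_fp) for c in certs)


if __name__ == "__main__":
    apk = sys.argv[1] if len(sys.argv) > 1 else "FDroid.apk"
    # Optional: the detached PGP check from post #1, if FDroid.apk.asc sits next to the APK.
    try:
        subprocess.run(["gpg", "--verify", apk + ".asc", apk], check=True)
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("gpg check skipped or failed:", exc)
    for cert in signing_certs_from_apk(apk):
        print("signer certificate SHA-256:", fingerprint(cert))
    print("matches the published F-Droid signing key:", verify_apk(apk))
```

Run it as `python3 check_fdroid_apk.py FDroid.apk`; the printed fingerprint is the value to compare, character by character, with the one on the Release Channels and Signing Keys page. The file hash from `shasum -a 256` is still useful, but only for confirming that two people downloaded the same bytes, as posts #1 and #2 did.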
