I am trying to install the F-Droid app on my Android device.
I have downloaded the APK and PGP signature from the F-Droid start page and followed the steps detailed here: SHA256 checksum of FDroid.apk
When I verify the apk file against the PGP signature I get:
gpg --verify FDroid.apk.asc FDroid.apk
gpg: Signature made Fri 10 Aug 2018 08:53:03 PM CEST
gpg: using RSA key 7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <email@example.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
Subkey fingerprint: 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D CE7A
The signature seems to be valid and its fingerprints match the values written on this page:
However, when I try to check the shasum, I get the following:
shasum -a 256 'FDroid.apk'
a8f7d9a92f79b7579a77f1163028f9e131fe3b2e4471512e39b5e335be7baf26
This latter value does not match any of the shasum values posted on the last-mentioned link (Release Channels and Signing Keys). Either I do not know how to verify the APK signing key.
Does anyone know how I can finish verifying the integrity of the FDroid.apk that I downloaded and hence be sure that it has not been tampered with?
Thanks in advance for your help.
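The two checks described in the question (the PGP verification and the SHA256 comparison) as an added example, not code from the question or from the F-Droid project: it parses the machine-readable output that `gpg --verify --status-fd 1` emits, pins the primary key fingerprint quoted above rather than relying on "Good signature" alone, and looks a file's SHA256 up in a list of published values. The gpg status text and the published-hash list are constructed for the example; the fingerprints are the ones shown in the question.

```python
import hashlib
from typing import Optional

# Primary key fingerprint quoted in the question, spaces removed (the value to pin).
PINNED_PRIMARY_FPR = "37D2C98789D8311948394E3E41E7044E1DBA2E89"

# Constructed status output of `gpg --verify --status-fd 1 FDroid.apk.asc FDroid.apk`
# mirroring the human-readable result in the question; not a real capture.
CONSTRUCTED_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7A029E54DD5DCE7A F-Droid <email@example.com>
[GNUPG:] VALIDSIG 802A9799016112346E1FEFF47A029E54DD5DCE7A 2018-08-10 1533927183 0 4 0 1 10 00 37D2C98789D8311948394E3E41E7044E1DBA2E89
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

def parse_gpg_status(status_text: str) -> dict:
    """Extract the verification result from gpg's machine-readable status lines."""
    info = {"good": False, "signing_fpr": None, "primary_fpr": None, "trust": None}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "GOODSIG":
            info["good"] = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pk-algo>
            #          <hash-algo> <class> [<primary-key-fpr>]
            info["signing_fpr"] = fields[2]
            info["primary_fpr"] = fields[11] if len(fields) > 11 else fields[2]
        elif keyword.startswith("TRUST_"):
            info["trust"] = keyword  # TRUST_UNDEFINED is the "not certified" warning
    return info

def signature_is_acceptable(status_text: str, pinned_fpr: str = PINNED_PRIMARY_FPR) -> bool:
    """GOODSIG alone only says the file matches *some* key in the keyring; pinning
    the primary fingerprint is what ties that key to the publisher. A TRUST_*
    warning is expected for a key nobody has locally certified and is not a failure."""
    info = parse_gpg_status(status_text)
    return info["good"] and info["primary_fpr"] == pinned_fpr.replace(" ", "").upper()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def matching_release(data: bytes, published: dict) -> Optional[str]:
    """Return the label whose published SHA256 equals the file's digest, else None.
    None means the download is a build not on the list, or its bytes were altered."""
    digest = sha256_hex(data)
    return next((label for label, h in published.items() if h.lower() == digest), None)
```

A signature that passes the fingerprint pin but a digest that matches no published value points at a version mismatch between the download and the published list rather than at a bad signature.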