I am trying to install the F-Droid app on my Android device.
I have downloaded the apk and PGP sign from the F-Droid start page and followed the steps detailed here: SHA256 checksum of FDroid.apk
When I verify the apk file against the PGP signature I get:
gpg --verify FDroid.apk.asc FDroid.apk
gpg: Signature made Fri 10 Aug 2018 08:53:03 PM CEST
gpg: using RSA key 7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <firstname.lastname@example.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
Subkey fingerprint: 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D CE7A
The signature seems to be valid and its fingerprints match the values written on this page:
However, when I try to check the shasum, I get the following:
shasum -a 256 'FDroid.apk'
This latter value does not match any of the shasum values posted on the above-mentioned link (Release Channels and Signing Keys). Either that, or I do not know how to verify the APK signing key.
Does anyone know how I can finish verifying the integrity of the FDroid.apk that I downloaded and hence be sure that it has not been tampered with?
Thanks in advance for your help.
Where on that page is the SHA256 HASH of the APK exactly?
Seeing the same hash for this apk: https://f-droid.org/FDroid.apk
> sha256sum FDroid.apk
Thanks for your answer. Yeah, that was the same link from where I downloaded the apk. Glad to hear that I have the correct shasum value.
Regarding the “Release Channels and Signing Keys” site,
I think you are right, I think I might have got confused with the signing key sha256sum (43:23:8D:51:2C:1E:5E:B2:D6:56:9F:4A:3A:FB:F5:52:34:18:B8:2E:0A:3E:D1:55:27:70:AB:B9:A9:C9:CC:AB).
Do you think I can safely proceed to install the apk on my Android device? I tried to verify the signing key (37D2C98789D8311948394E3E41E7044E1DBA2E89?) however I really do not know how to do that. I think it is explained in this part of the “Release Channels and Signing Keys” web:
sudo apt-get install wget vim-common unzip openjdk-8-jdk-headless
# verify against the key embedded in fdroidclient
git clone https://gitlab.com/fdroid/fdroidclient
grep -m1 -Eo '3082035e[0-9a-f]+' fdroidclient/app/src/main/res/values/default_repos.xml | xxd -r -p - > fdroidclient.der
keytool -import -noprompt -trustcacerts -alias fdroidclient -storepass android -file fdroidclient.der -keystore fdroidclient.jks
jarsigner -keystore fdroidclient.jks -storepass android -strict -verify email@example.com
# verify against the key that signed the index.jar
unzip -p index.jar META-INF/CIARANG.RSA | openssl pkcs7 -print_certs -inform DER -out index.cer
keytool -import -noprompt -trustcacerts -alias index -storepass android -file index.cer -keystore index.jks
jarsigner -keystore index.jks -storepass android -strict -verify firstname.lastname@example.org
# verify against the key that is embedded in this page
wget -O - https://f-droid/docs/Release_Channels_and_Signing_Keys/ | openssl x509 -inform pem -outform der -out docs.der
keytool -import -noprompt -trustcacerts -alias docs -storepass android -file docs.der -keystore docs.jks
jarsigner -keystore docs.jks -storepass android -strict -verify email@example.com
# when satisfied with the verification, import it
unzip firstname.lastname@example.org email@example.com
gpg --import firstname.lastname@example.org
Sadly I do not have a great background in technical computer matters, so everything there looks a bit confusing to me.
Can anyone help?
Thanks for your help.
Yes, it is safe to install it. When you have manually compared the key fingerprints to those on the website you know that the installer is genuine.
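As an added illustration (not code from the thread or from the F-Droid project), a small Python helper that separates the three values the thread mixes up (PGP key fingerprint, SHA-256 of the APK file, SHA-256 of the APK signing certificate shown with colons) and applies the two checks the answer above describes: the file's SHA-256 against the published digest, and the primary-key fingerprint printed by gpg against the published one. The gpg output is a constructed sample shaped like the run quoted in the question.

```python
import hashlib
import re

# Constructed sample of "gpg --verify FDroid.apk.asc FDroid.apk" output, shaped like the
# run quoted in the thread (same fingerprints; the signer e-mail is a placeholder).
SAMPLE_GPG_OUTPUT = """\
gpg: Signature made Fri 10 Aug 2018 08:53:03 PM CEST
gpg: Good signature from "F-Droid <placeholder>" [unknown]
Primary key fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D CE7A
"""

def normalize_hex(value):
    """Drop spaces and colons so 'AB CD', 'AB:CD' and 'abcd' compare equal."""
    return re.sub(r"[\s:]", "", value).upper()

def classify(value):
    """Sort values by length: a PGP v4 key fingerprint is 40 hex digits, a SHA-256 digest
    (of the APK file, or of the signing certificate shown with colons) is 64."""
    hexval = normalize_hex(value)
    if not re.fullmatch(r"[0-9A-F]+", hexval):
        return "not-hex"
    return {40: "pgp-fingerprint", 64: "sha256"}.get(len(hexval), "unknown")

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest().upper()

def parse_gpg_verify(output):
    """Extract the verdict and both fingerprints from gpg's stderr text."""
    sig = {"good": "gpg: Good signature from" in output, "primary": None, "subkey": None}
    for line in output.splitlines():
        m = re.match(r"\s*(Primary key|Subkey) fingerprint:\s*(.+)$", line)
        if m:
            sig["primary" if m.group(1) == "Primary key" else "subkey"] = normalize_hex(m.group(2))
    return sig

def verify_download(apk_bytes, expected_sha256, gpg_output, expected_primary_fpr):
    """Return (ok, problems): the file must hash to the published APK digest AND gpg
    must report a good signature from the key whose primary fingerprint is published."""
    problems = []
    if classify(expected_sha256) != "sha256":
        problems.append("expected value is not a SHA-256 digest")
    elif sha256_hex(apk_bytes) != normalize_hex(expected_sha256):
        problems.append("SHA-256 of the APK does not match the published value")
    sig = parse_gpg_verify(gpg_output)
    if not sig["good"]:
        problems.append("gpg did not report a good signature")
    if sig["primary"] != normalize_hex(expected_primary_fpr):
        problems.append("primary key fingerprint does not match the published key")
    return (not problems, problems)
```

Feeding the signing-certificate value from the thread in as the expected APK digest passes the length check but fails the hash comparison, which is exactly the mismatch the question ran into.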