F-Droid public keys

F-DD · August 5, 2021, 7:08pm

In order to be able to verify GPG signatures, you need to import the public key of the signer.
Why there is no link (next to the APK file and signature links) to download F-Droid public keys?

anon46495926 · August 6, 2021, 2:40pm

They include this link at the bottom instead so you can fix it if you wish.

Edit on gitlab: https://gitlab.com/fdroid/fdroid-website/edit/master/

You’re right, it would be easy to add extra links to Release Channels and Signing Keys | F-Droid - Free and Open Source Android App Repository and Security Model | F-Droid - Free and Open Source Android App Repository from the home page, but they are already linked from under the DOCS tab. Next someone will want a link to a good How To use PGP tutorial.

anon46495926 · August 10, 2021, 6:02pm

If a crook or government (“but I repeat myself”) takes control of the main f-droid site, they could more easily substitute a modified f-droid apk, a different public key and a different signature, if they are all in one place on the home page. It could be an interesting experiment to do that, and see how long it takes for someone to notice.

F-DD · August 11, 2021, 6:11am

If you place the download link (of f-droid public key asc file) at the bottom of the website, It will be accessible on all download pages.
Probably something like this:

© 2010-2021 F-Droid Limited and Contributors. f-droid.asc
or
© 2010-2021 F-Droid Limited and Contributors. public key

system · October 10, 2021, 6:11am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.