F-Droid public keys

In order to be able to verify GPG signatures, you need to import the public key of the signer.
Why is there no link (next to the APK file and signature links) to download F-Droid public keys?

They include this link at the bottom instead :laughing: so you can fix it if you wish.

Edit on GitLab: https://gitlab.com/fdroid/fdroid-website/edit/master/

You’re right, it would be easy to add extra links to https://f-droid.org/en/docs/Release_Channels_and_Signing_Keys/ and https://f-droid.org/en/docs/Security_Model/ from the home page, but they are already linked from under the DOCS tab. Next someone will want a link to a good “How to use PGP” tutorial.

If a crook or government (“but I repeat myself”) takes control of the main f-droid site, they could more easily substitute a modified f-droid apk, a different public key and a different signature, if they are all in one place on the home page. It could be an interesting experiment to do that, and see how long it takes for someone to notice. :slight_smile:


If you place the download link (of the F-Droid public key .asc file) at the bottom of the website, it will be accessible on all download pages.
Probably something like this:

© 2010-2021 F-Droid Limited and Contributors. f-droid.asc
© 2010-2021 F-Droid Limited and Contributors. public key
