I wanted to install the app today. To be on the safe side I wanted to check the downloaded *.apk file first.
I’m familiar with comparing downloaded files from the Internet against MD5 or SHA1… checksums. That would be easy! But, unfortunately, there is only the PGP signature here, which I also downloaded.
When I try to check
gpg --verify FDroid.apk.asc
then gpg complains that it has no public key. But where am I going to get one?
I’ve found that page: https://f-droid.org/en/docs/Release_Channels_and_Signing_Keys/
but I can’t do anything with what it says!
I copied the text between “-----BEGIN PUBLIC KEY-----” and “-----END PUBLIC KEY-----” into a text (*.asc) file and tried to determine the fingerprint of it and compare it with the information on the page:
gpg --with-fingerprint [my_filename].asc
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error
I also tried to load the key 0x4c49cd00 (APK signing key, S/N) from a public keyserver, but unfortunately nothing was found.
Can someone please help me find the public key of f-droid.org and give me an easy to understand introduction to the process?
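
Why gpg answers "no valid OpenPGP data found" for the copied block, as an added example (not part of the original post and not F-Droid's code): a `-----BEGIN PUBLIC KEY-----` block is PEM-encoded X.509 key data, whereas gpg only reads `-----BEGIN PGP ...-----` armor. The function names and the sample blocks are constructed for illustration; the samples carry only the leading bytes needed to tell the formats apart.

```python
import base64
import binascii
import re

# Armor labels gpg reads (RFC 4880, section 6.2) and common PEM labels (RFC 7468).
OPENPGP_LABELS = {"PGP PUBLIC KEY BLOCK", "PGP PRIVATE KEY BLOCK",
                  "PGP SIGNATURE", "PGP MESSAGE"}
PEM_LABELS = {"PUBLIC KEY", "RSA PUBLIC KEY", "CERTIFICATE"}
PACKET_TAGS = {2: "signature", 5: "secret key", 6: "public key"}
ARMOR_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def first_packet_tag(raw):
    """Tag of the first OpenPGP packet, or None if raw does not start with one."""
    if not raw or not raw[0] & 0x80:   # bit 7 is set in every packet header
        return None
    if raw[0] & 0x40:                  # new-format header: tag in bits 5..0
        return raw[0] & 0x3F
    return (raw[0] >> 2) & 0x0F        # old-format header: tag in bits 5..2

def classify(text):
    """Return (family, detail) for the first armored block in text."""
    m = ARMOR_RE.search(text)
    if not m:
        return ("none", "no BEGIN/END block found")
    label, body = m.group(1), m.group(2)
    # Keep base64 lines only: skip "Key: value" armor headers and the "=XXXX" CRC line.
    b64 = "".join(s for s in (l.strip() for l in body.splitlines())
                  if s and ":" not in s and not s.startswith("="))
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return ("damaged", label)
    if label in OPENPGP_LABELS:
        tag = first_packet_tag(raw)
        return ("openpgp", PACKET_TAGS.get(tag, "other")) if tag is not None else ("damaged", label)
    if label in PEM_LABELS and raw[:1] == b"\x30":   # DER SEQUENCE
        return ("pem-x509", label)                   # not OpenPGP: gpg rejects it
    return ("unknown", label)

def armor(label, raw):
    """Build a constructed sample block (no CRC line) for the demo below."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(raw).decode()}\n-----END {label}-----\n"

# Constructed samples: truncated payloads, only the leading bytes are meaningful.
SAMPLE_PEM = armor("PUBLIC KEY", bytes([0x30, 0x03, 0x02, 0x01, 0x01]))
SAMPLE_SIG = armor("PGP SIGNATURE", bytes([0x89, 0x00, 0x01, 0x04]))
SAMPLE_KEY = armor("PGP PUBLIC KEY BLOCK", bytes([0x99, 0x00, 0x01, 0x04]))

if __name__ == "__main__":
    for sample in (SAMPLE_PEM, SAMPLE_SIG, SAMPLE_KEY):
        print(classify(sample))
```

A result of `("pem-x509", "PUBLIC KEY")` means the block belongs to X.509 tooling such as openssl; only blocks classified as `openpgp` can be imported into a gpg keyring and used with `gpg --verify`.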