Help needed to verify the f-droid app APK

Hi All,

I wanted to install the app today. To be on the safe side I wanted to check the downloaded *.apk file first.

I’m familiar with comparing downloaded files from the Internet against MD5 or SHA1 checksums. That would be easy! But, unfortunately, there is only the PGP signature here, which I also downloaded.

When I try to check

gpg --verify FDroid.apk.asc

then gpg complains that it has no public key. But where am I going to get one?

I’ve found that page: https://f-droid.org/en/docs/Release_Channels_and_Signing_Keys/
but I can’t do anything with what it says!

I copied the text between “-----BEGIN PUBLIC KEY-----” and “-----END PUBLIC KEY-----” into a text (*.asc) file and tried to determine the fingerprint of it and compare it with the information on the page:

gpg --with-fingerprint [my_filename].asc

answer:

gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error 

I also tried to load the key 0x4c49cd00 (APK signing key, S/N) from a public keyserver, but unfortunately nothing was found.

Can someone please help me find the public key of f-droid.org and give me an easy to understand introduction to the process?

Thanks,
conne936

Does nobody really have a tip for me?

Am I really the only one who wants to test the downloaded FDroid.apk file for integrity before installation? I just can’t believe it?!

Or did I overlook something obvious that I need in order to verify the GPG signature?

Best,
conne936

I too would like to better understand how to verify the F-Droid apk file.

I also struggled with how to make use of the PGP signature provided with the download.
A site for an unrelated application (Veracrypt) has what I have found to be a straightforward write-up of the sequence of commands: https://www.veracrypt.fr/en/Digital%20Signatures.html

By following along with that, here’s what I did that seems to yield sane results:

  1. I copied what appears to be the current F-Droid PGP public key from this other post on the forum.
     I saved the content to a file (e.g. f-droid_public.asc).
  2. I did a ‘test-only’ import to be able to view the details of the saved public key:
     $ gpg --import --import-options show-only f-droid_public.asc
     pub   rsa4096 2014-04-25 [C]
           37D2C98789D8311948394E3E41E7044E1DBA2E89
     uid                      F-Droid <admin@f-droid.org>
     sub   rsa3072 2014-04-25 [S] [expires: 2021-04-24]
     sub   rsa3072 2014-04-25 [E] [expires: 2021-04-24]
  3. Once satisfied that the content looks reasonable and the fingerprint is what is expected, I did the actual import:
     $ gpg --import f-droid_public.asc
     gpg: key 41E7044E1DBA2E89: public key "F-Droid <admin@f-droid.org>" imported
     gpg: Total number processed: 1
     gpg:               imported: 1
  4. Finally, now the downloaded signature can be checked.
     (Note: FDroid.apk and FDroid.apk.asc downloaded to the same folder)
     $ gpg --verify FDroid.apk.asc
     gpg: assuming signed data in 'FDroid.apk'
     gpg: Signature made Thu 11 Apr 2019 08:41:19 AM EDT
     gpg:                using RSA key 7A029E54DD5DCE7A
     gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
     gpg: WARNING: This key is not certified with a trusted signature!
     gpg:          There is no indication that the signature belongs to the owner.
     Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
          Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A

Obtaining the public key this way perhaps isn’t the ideal procedure to establish ‘trust’ of the public key, but it seems PGP’s ‘web of trust’ is going through a crisis (see below) and this may be the best that can be done via PGP for now.

Some additional info:
Since last year there has been an attack on the PGP SKS keyserver network. (A web search should yield more info if curious…)
There is a keyserver that is not part of the network and behaves in a way that avoids the particular attack/exploit of SKS keyservers at https://keys.openpgp.org
There seems to be some sort of unusable version of the F-Droid public key on keys.openpgp.org. This server has an e-mail verification opt-in process before allowing download of ID information, so perhaps the F-Droid team hasn’t been able to do this process.
Given the attack on SKS keyservers I was not going to download any keys from any other servers.
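The procedure in the post above ends with reading gpg's human-readable output, where the "[unknown]" warning is easy to misread. As an added example (not from this thread or the F-Droid project), here is a small Python wrapper that makes the same decision mechanically: it runs gpg with --status-fd against a dedicated keyring directory and accepts the APK only when the VALIDSIG status line names the primary fingerprint pinned from step 2. The function names, the keyring directory argument and the sample status lines are constructed assumptions; only the fingerprints come from the thread.

```python
import re
import subprocess

# Primary-key fingerprint from step 2 above, pinned so the check does not
# depend on whatever key happens to sit in the local keyring.
EXPECTED_PRIMARY_FPR = "37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89"

# Constructed sample of gpg --status-fd output for a good signature; the
# fingerprints are the ones from the thread, the other values are made up.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7A029E54DD5DCE7A F-Droid <admin@f-droid.org>
[GNUPG:] VALIDSIG 802A9799016112346E1FEFF47A029E54DD5DCE7A 2019-04-11 1554986479 0 4 0 1 10 00 37D2C98789D8311948394E3E41E7044E1DBA2E89
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Status keywords meaning "reject"; EXPKEYSIG is listed because the signing subkeys above expire.
REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def normalize_fpr(fpr: str) -> str:
    """Drop gpg's display spacing and upper-case so fingerprints compare exactly."""
    return re.sub(r"\s+", "", fpr).upper()

def signature_ok(status_output: str, expected_primary_fpr: str) -> bool:
    """True only if a VALIDSIG line names the pinned primary key and no rejecting status
    appeared; the '[unknown]' in gpg's human output is local trust state, not the decision."""
    want = normalize_fpr(expected_primary_fpr)
    good = False
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in REJECT:
            return False
        if keyword == "VALIDSIG":
            # fields[2] = signing (sub)key fpr; fields[11] = primary-key fpr, the pinned one.
            primary = fields[11] if len(fields) > 11 else fields[2]
            good = normalize_fpr(primary) == want
    return good

def verify_apk(apk_path: str, sig_path: str, gnupghome: str) -> bool:
    """Run gpg against a dedicated keyring directory (assumed to hold only the
    imported F-Droid key) and apply the fingerprint pin to its status lines."""
    proc = subprocess.run(
        ["gpg", "--homedir", gnupghome, "--batch", "--status-fd", "1",
         "--verify", sig_path, apk_path],
        capture_output=True, text=True, check=False)
    return signature_ok(proc.stdout, EXPECTED_PRIMARY_FPR)
```

Call verify_apk("FDroid.apk", "FDroid.apk.asc", "/path/to/fdroid-keyring") after importing the key into that directory with gpg --homedir; a False result means the file should not be installed, whatever the prose output said.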

Thanks @kinetic! I was trying to use the public key on the website. Never noticed the updated key in the link you shared.

It did validate the signature but I also got a weird “message” below. Not sure what that was all about.

gpg: invalid armor header: iQGcBAABAgAGBQJcrzXvAAoJEHoCnlTdXc56/RgL+gI7RV1mlRRaIoJ3AH1pWNjr\n

I didn’t know about the keyserver issue. Thanks for pointing that out.