Help needed to verify the f-droid app APK

Hi All,

I wanted to install the app today. To be on the safe side I wanted to check the downloaded *.apk file first.

I’m familiar with comparing files downloaded from the Internet against MD5 or SHA1 checksums. That would be easy! But, unfortunately, there is only the PGP signature here, which I also downloaded.

When I try to check

gpg --verify FDroid.apk.asc

then gpg complains that it has no public key. But where am I going to get one?

I’ve found that page: https://f-droid.org/en/docs/Release_Channels_and_Signing_Keys/
but I can’t do anything with what it says!

I copied the text between “-----BEGIN PUBLIC KEY-----” and “-----END PUBLIC KEY-----” into a text (*.asc) file and tried to determine the fingerprint of it and compare it with the information on the page:

gpg --with-fingerprint [my_filename].asc

answer:

gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error 

I also tried to load the key 0x4c49cd00 (APK signing key, S/N) from a public keyserver, but unfortunately nothing was found.

Can someone please help me find the public key of f-droid.org and give me an easy to understand introduction to the process?

Thanks,
conne936

Surely nobody has a tip for me?

Am I really the only one who wants to test the downloaded FDroid.apk file for integrity before installation? Just can’t believe it?!

Or did I overlook the obvious, what I need to verify the GPG signature?

Best,
conne936

I too would like to better understand how to verify the F-Droid apk file.

I also struggled with how to make use of the PGP signature provided with the download.
A site for an unrelated application (Veracrypt) has what I have found to be a straightforward write-up of the sequence of commands: https://www.veracrypt.fr/en/Digital%20Signatures.html

By following along with that here’s what I did that seems to yield sane results:

  1. I copied what appears to be the current F-Droid PGP public key from this other post on the forum.
     I saved the content to a file (e.g. f-droid_public.asc).
  2. I did a ‘test-only’ import to be able to view the details of the saved public key:
     $ gpg --import --import-options show-only f-droid_public.asc
     pub   rsa4096 2014-04-25 [C]
           37D2C98789D8311948394E3E41E7044E1DBA2E89
     uid                      F-Droid <admin@f-droid.org>
     sub   rsa3072 2014-04-25 [S] [expires: 2021-04-24]
     sub   rsa3072 2014-04-25 [E] [expires: 2021-04-24]
  3. Once satisfied that the content looks reasonable and the fingerprint is what is expected, I did the actual import:
     $ gpg --import f-droid_public.asc
     gpg: key 41E7044E1DBA2E89: public key "F-Droid <admin@f-droid.org>" imported
     gpg: Total number processed: 1
     gpg:               imported: 1
  4. Finally, now the downloaded signature can be checked.
     (Note: FDroid.apk and FDroid.apk.asc downloaded to the same folder)
     $ gpg --verify FDroid.apk.asc
     gpg: assuming signed data in 'FDroid.apk'
     gpg: Signature made Thu 11 Apr 2019 08:41:19 AM EDT
     gpg:                using RSA key 7A029E54DD5DCE7A
     gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
     gpg: WARNING: This key is not certified with a trusted signature!
     gpg:          There is no indication that the signature belongs to the owner.
     Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
          Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A

Obtaining the public key this way perhaps isn’t the ideal procedure to establish ‘trust’ of the public key but it seems PGP’s ‘web of trust’ is going through a crisis (see below) and this may be the best that can be done via PGP for now.

Some additional info:
Since last year there has been an attack on the PGP SKS keyserver network. (A web search should yield more info if curious…)
There is a keyserver that is not part of the network and behaves in a way that avoids the particular attack/exploit of SKS keyservers at https://keys.openpgp.org
There seems to be some sort of unusable version of the F-Droid public key on keys.openpgp.org. This server has an e-mail verification opt-in process before allowing download of ID information so perhaps F-Droid team hasn’t been able to do this process.
Given the attack on SKS keyservers I was not going to download any keys from any other servers.

Thanks @kinetic! I was trying to use the public key on the website. Never noticed the updated key in the link you shared.

It did validate the signature but I also got a weird “message” below. Not sure what that was all about.

gpg: invalid armor header: iQGcBAABAgAGBQJcrzXvAAoJEHoCnlTdXc56/RgL+gI7RV1mlRRaIoJ3AH1pWNjr\n

I didnt know about the keyserver issue. Thanks for pointing that out.


Hi there, I wanted to verify the apk you put up for download for F-Droid with its signature, but the format isn’t correct and it can’t be verified.
This is the actual PGP signature on site:
-----BEGIN PGP SIGNATURE-----
[signature body not reproduced here]
=c08A
-----END PGP SIGNATURE-----

thanks

It verifies just fine.

$ wget https://f-droid.org/F-Droid.apk
$ wget https://f-droid.org/F-Droid.apk.asc

$ gpg --verify F-Droid.apk.asc 
gpg: assuming signed data in 'F-Droid.apk'
gpg: Signature made Tue 27 Oct 2020 03:09:30 AM EDT
gpg:                using RSA key 802A9799016112346E1FEFF47A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A

$ sha512sum F-Droid.apk*
d599c0a76ebfd61ba106f320b4b115363fa3047b2a01cfe0a33f906252599afefc230c8b44fc6a1c920f71a2169ab26c99d18705d8b41cd350759c6988adcb38  F-Droid.apk
6d7676f1acce1b29b9d892cab613f1dcbcec3539caf2f4109d0c7a284af4dd0c85713fc5d9a25a295ef3e76697043f50fa3eaa24bda7a91e5eec2c6287778106  F-Droid.apk.asc

Great, so we could write the procedure to do so on the page of the download! It will help a lot of people. It isn’t a trivial thing.
thanks for your quick answer. btw

Hi, we are newbies and have been trying to verify F-Droid.apk for the last 2 hrs or so.
Checking with https://f-droid.org/en/docs/Release_Channels_and_Signing_Keys/
None of the MD5, SHA1 or SHA256 codes are the same as gtkhash produces from F-Droid.apk
The only number that pops up is the Subkey fingerprint by: gpg --verify F-Droid.apk.asc

We guess that is not good enough.

Many people have been struggling with this, so we read. It seems no one till now has figured out how to verify. At least we haven’t. And no usable answer was found on the search engines! But even worse: it isn’t explained anywhere on the f-droid site!

So this F-Droid.apk.asc is just a gadget or a marketing trick?! To make people think: Oh GREAT LOOK AT THAT! Well i don’t have to check since they give a PGP Signature! It MUST be ok! Just go ahead!
Or is anybody able and so helpful to explain how this verification really works on a linux pc?

$ wget https://f-droid.org/assets/admin@f-droid.org.jar
$ unzip admin@f-droid.org.jar admin@f-droid.org.asc
$ sha512sum admin@f-droid.org.asc
6777e4b578b58ab8e4c6ecc7c11a08cd69c6cf1a369ee5133bd6617ded7a65cb4a8a889ae16f24203f47622912923ecefc68d0ad08f743e2c10def0ce807b7ca  admin@f-droid.org.asc
$ gpg --import admin@f-droid.org.asc
gpg: key 41E7044E1DBA2E89: "F-Droid <admin@f-droid.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
$ wget https://f-droid.org/F-Droid.apk
$ sha512sum F-Droid.apk
b417d61756879ef7e182c198a4cd953c124056938e0c17f2f63badc5ae206fe49bca837b0dabca01eeac9d5847b9d2d2079fa520e61b6f6a1dfeeaa17b883ce6  F-Droid.apk
$ wget https://f-droid.org/F-Droid.apk.asc
$ gpg --verify F-Droid.apk.asc
gpg: assuming signed data in 'F-Droid.apk'
gpg: Signature made Fri 16 Apr 2021 05:26:14 AM EDT
gpg:                using RSA key 802A9799016112346E1FEFF47A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A

Attachment: admin@f-droid.org.asc (4.7 KB)
^ remove .zip from the name
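The steps in kinetic’s post and SkewedZeppelin’s transcript above both end at the same place: gpg prints “Good signature” together with a “not certified” warning, and the reader is left to compare the primary key fingerprint by eye. The block below is an added example (not code from this thread and not F-Droid’s own tooling) that automates exactly that check: it runs the same `gpg --verify F-Droid.apk.asc F-Droid.apk` command but with `--status-fd`, and accepts only when gpg reports GOODSIG (or EXPKEYSIG, the expired-key case from the last transcript) plus a VALIDSIG whose primary fingerprint equals a pinned value. The pinned fingerprint is the one shown in the thread’s output and is an assumption here; check it against the F-Droid signing-keys page before relying on it. The sample status lines at the bottom are constructed for offline testing.

```python
"""Accept an F-Droid.apk detached signature only if gpg reports a good
signature AND the primary key fingerprint matches a pinned value.

Added example for this thread, not F-Droid's own tooling. gpg's --status-fd
lines are machine-readable, so the decision does not depend on locale or on
eyeballing the "Good signature" text. The pinned fingerprint is the one the
thread shows; treat it as an assumption and confirm it on f-droid.org.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional

# Primary key fingerprint of "F-Droid <admin@f-droid.org>" as printed in the
# thread (assumption: verify against the official signing-keys page).
F_DROID_PRIMARY_FPR = "37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89"

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class Verdict:
    ok: bool
    reason: str
    signing_fpr: Optional[str] = None  # subkey that produced the signature
    primary_fpr: Optional[str] = None  # primary key owning that subkey
    expired: bool = False              # key expired, signature itself valid


def normalize_fpr(fpr: str) -> str:
    """Strip whitespace and case so '37D2 C987 ...' equals '37d2c987...'."""
    return "".join(fpr.split()).upper()


def parse_status(status_text: str, expected_primary_fpr: str,
                 allow_expired: bool = False) -> Verdict:
    """Turn gpg --status-fd output into an accept/reject decision.

    GOODSIG/EXPKEYSIG mean the signature checks out cryptographically; VALIDSIG
    carries the fingerprints. TRUST_UNDEFINED (the "not certified" warning in
    the thread) is deliberately ignored: fingerprint pinning replaces the
    web of trust here.
    """
    good = expired = False
    signing_fpr = primary_fpr = None
    failure = None
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        tag = fields[0]
        if tag == "GOODSIG":
            good = True
        elif tag == "EXPKEYSIG":  # "Good signature" + "Note: This key has expired!"
            good = True
            expired = True
        elif tag == "VALIDSIG":
            # VALIDSIG <sig-fpr> <date> <sig-ts> <exp-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <sig-class> [<primary-fpr>]
            signing_fpr = fields[1]
            primary_fpr = fields[10] if len(fields) > 10 else fields[1]
        elif tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG", "EXPSIG"):
            failure = " ".join(fields)
    if failure:
        return Verdict(False, failure, signing_fpr, primary_fpr, expired)
    if not good or primary_fpr is None:
        return Verdict(False, "no GOODSIG/VALIDSIG in gpg status output",
                       signing_fpr, primary_fpr, expired)
    if normalize_fpr(primary_fpr) != normalize_fpr(expected_primary_fpr):
        return Verdict(False, "primary key fingerprint mismatch: " + primary_fpr,
                       signing_fpr, primary_fpr, expired)
    if expired and not allow_expired:
        return Verdict(False, "signing key has expired (EXPKEYSIG); re-import it",
                       signing_fpr, primary_fpr, expired)
    return Verdict(True, "good signature by pinned key",
                   signing_fpr, primary_fpr, expired)


def verify_detached(sig_path: str, data_path: str,
                    expected_primary_fpr: str = F_DROID_PRIMARY_FPR,
                    allow_expired: bool = False) -> Verdict:
    """Run gpg on a detached signature (public key already imported, as in the
    posts above) and apply the pinning policy. --batch prevents prompting."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return parse_status(proc.stdout, expected_primary_fpr, allow_expired)


# Constructed status output modelled on the 2019-04-11 verification in the
# thread (key ids and fingerprints from the posts; timestamps made up).
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 37D2C98789D8311948394E3E41E7044E1DBA2E89 0
[GNUPG:] GOODSIG 7A029E54DD5DCE7A F-Droid <admin@f-droid.org>
[GNUPG:] VALIDSIG 802A9799016112346E1FEFF47A029E54DD5DCE7A 2019-04-11 1554986479 0 4 0 1 8 00 37D2C98789D8311948394E3E41E7044E1DBA2E89
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_EXPIRED = SAMPLE_GOOD.replace("GOODSIG", "EXPKEYSIG")  # constructed
SAMPLE_NOKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 7A029E54DD5DCE7A 1 8 00 1554986479 9 802A9799016112346E1FEFF47A029E54DD5DCE7A
[GNUPG:] NO_PUBKEY 7A029E54DD5DCE7A
"""

if __name__ == "__main__":
    import sys
    sig, data = (sys.argv[1:3] if len(sys.argv) == 3
                 else ("F-Droid.apk.asc", "F-Droid.apk"))
    print(verify_detached(sig, data))
```

Run it as `python3 verify_fdroid.py F-Droid.apk.asc F-Droid.apk` after importing the key; the printed Verdict is `ok=True` only when both the signature and the pinned primary fingerprint check out, which is the “confirmation” the later posts in the thread were asking for. If your keyring still holds the key with the 2021-04-24 expiry, you will get `expired=True` and a reject until you re-import the current key.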

Hi SkewedZeppelin, we’ve followed the instructions. We get the same outcome. Yet how do we know this is the outcome needed? None of the numbers are equal. There is no confirmation. On top of that we get: gpg: Note: This key has expired!
I’m afraid we are none the wiser…

Yet how do we know this is the outcome needed?

By the message:

Good signature from "F-Droid <admin@f-droid.org>"


I installed both the key and the apk with wget, so can anyone help?

$ gpg --keyserver keyserver.ubuntu.com --recv-key 37D2C98789D8311948394E3E41E7044E1DBA2E89
gpg: keyserver receive failed: Server indicated a failure
$ gpg --keyserver keyserver.ubuntu.com --recv-key 37D2C98789D8311948394E3E41E7044E1DBA2E89
gpg: keyserver receive failed: Server indicated a failure
$ gpg --fingerprint 0x41E7044E1DBA2E89
gpg: error reading key: No public key
$ gpg --verify F-Droid.apk.asc F-Droid.apk
gpg: can't open 'F-Droid.apk.asc': No such file or directory
gpg: verify signatures failed: No such file or directory
$ gpg --keyserver keyserver.ubuntu.com --recv-key 37D2C98789D8311948394E3E41E7044E1DBA2E89
gpg: keyserver receive failed: Server indicated a failure

Having an error.

Since there was an error in step 1, why continue?

Works fine for me.

Also, did you do

wget -q https://f-droid.org/F-Droid.apk.asc
wget -q https://f-droid.org/F-Droid.apk

…first, right?

Yes, I have done that; I used wget to get them.

gpg: can't open 'F-Droid.apk.asc': No such file or directory means that you did not?!

Retry please…