I wanted to install the app today. To be on the safe side I wanted to check the downloaded *.apk file first.
I’m familiar with comparing files downloaded from the Internet against MD5 or SHA1… checksums. That would be easy! But, unfortunately, there is only the PGP signature here, which I also downloaded.
When I try to check
gpg --verify FDroid.apk.asc
then gpg complains that it has no public key. But where am I going to get one?
I copied the text between “-----BEGIN PUBLIC KEY-----” and “-----END PUBLIC KEY-----” into a text (*.asc) file and tried to determine the fingerprint of it and compare it with the information on the page:
gpg --with-fingerprint [my_filename].asc
answer:
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error
I also tried to load the key 0x4c49cd00 (APK signing key, S/N) from a public keyserver, but unfortunately nothing was found.
Can someone please help me find the public key of f-droid.org and give me an easy to understand introduction to the process?
By following along with that here’s what I did that seems to yield sane results:
I copied what appears to be the current F-Droid PGP public key from this other post on the forum.
I saved the content to a file (e.g. f-droid_public.asc)
I did a ‘test-only’ import to be able to view the details of the saved public key
Once satisfied that the content looks reasonable and fingerprint is what is expected I did the actual import.
$ gpg --import f-droid_public.asc
gpg: key 41E7044E1DBA2E89: public key "F-Droid <admin@f-droid.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
Finally now the downloaded signature can be checked.
(Note: FDroid.apk and FDroid.apk.asc downloaded to same folder)
$ gpg --verify FDroid.apk.asc
gpg: assuming signed data in 'FDroid.apk'
gpg: Signature made Thu 11 Apr 2019 08:41:19 AM EDT
gpg: using RSA key 7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
Subkey fingerprint: 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D CE7A
Obtaining the public key this way perhaps isn’t the ideal procedure to establish ‘trust’ of the public key but it seems PGP’s ‘web of trust’ is going through a crisis (see below) and this may be the best that can be done via PGP for now.
Some additional info:
Since last year there has been an attack on the PGP SKS keyserver network. (A web search should yield more info if curious…)
There is a keyserver at https://keys.openpgp.org that is not part of the network and behaves in a way that avoids the particular attack/exploit of SKS keyservers.
There seems to be some sort of unusable version of the F-Droid public key on keys.openpgp.org. This server has an e-mail verification opt-in process before allowing download of ID information so perhaps F-Droid team hasn’t been able to do this process.
Given the attack on SKS keyservers I was not going to download any keys from any other servers.
Hi there, I wanted to verify the apk you put up for download for f-droid with its signature, but the format isn’t correct and it can’t be verified.
This is the actual PGP signature on site:
-----BEGIN PGP SIGNATURE-----
$ wget https://f-droid.org/F-Droid.apk
$ wget https://f-droid.org/F-Droid.apk.asc
$ gpg --verify F-Droid.apk.asc
gpg: assuming signed data in 'F-Droid.apk'
gpg: Signature made Tue 27 Oct 2020 03:09:30 AM EDT
gpg: using RSA key 802A9799016112346E1FEFF47A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
Subkey fingerprint: 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D CE7A
$ sha512sum F-Droid.apk*
d599c0a76ebfd61ba106f320b4b115363fa3047b2a01cfe0a33f906252599afefc230c8b44fc6a1c920f71a2169ab26c99d18705d8b41cd350759c6988adcb38 F-Droid.apk
6d7676f1acce1b29b9d892cab613f1dcbcec3539caf2f4109d0c7a284af4dd0c85713fc5d9a25a295ef3e76697043f50fa3eaa24bda7a91e5eec2c6287778106 F-Droid.apk.asc
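The procedure from the two posts above (test-only import, compare the primary fingerprint with the one published on f-droid.org, real import, then verify) as one script, added here as an example; it is not code from the F-Droid project or from any poster in this thread. It assumes GnuPG 2.2 or later on PATH. The function names `verify_with_pinned_fpr` and `make_demo_fixture` are this example’s own, and the self-test key, the `app.apk` file and its signature are throwaway data constructed by the script, not the real F-Droid key or APK. What it adds over the posts is the check a human tends to skip: “Good signature” by itself only says the signature matches *some* key in your keyring; what has to be compared is the primary key fingerprint gpg prints against the one published by the project, and the machine-readable `VALIDSIG` status line carries that fingerprint as its last field even when, as in the output above, a subkey made the signature.

```shell
#!/bin/sh
# Added example, not code from F-Droid or from this thread.  Assumes GnuPG 2.2+.
# Verifies a detached signature against a key whose primary fingerprint you have
# pinned from an out-of-band source (for F-Droid: the fingerprint on f-droid.org).

# verify_with_pinned_fpr KEYFILE EXPECTED_FPR SIGFILE DATAFILE
#   prints "ok" and returns 0 only if SIGFILE is a good signature over DATAFILE
#   made by the key in KEYFILE *and* that key's primary fingerprint equals
#   EXPECTED_FPR.  Returns 2 on fingerprint mismatch, 3 on a bad/unknown signature.
verify_with_pinned_fpr() {
    key=$1 sig=$3 data=$4
    expected=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    home=$(mktemp -d) || return 1          # throwaway keyring; ~/.gnupg is never touched
    chmod 700 "$home"

    # Step 1: test-only import; read the primary fingerprint from the 'fpr' record.
    shown=$(GNUPGHOME="$home" gpg --batch --with-colons \
                --import-options show-only --import "$key" 2>/dev/null |
            awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$shown" != "$expected" ]; then
        echo "fingerprint mismatch: file has ${shown:-none}, expected $expected" >&2
        rm -rf "$home"; return 2
    fi

    # Step 2: the real import, into the isolated keyring.
    GNUPGHOME="$home" gpg --batch -q --import "$key" 2>/dev/null || { rm -rf "$home"; return 1; }

    # Step 3: verify, reading the machine-readable status lines instead of the
    # human-readable "Good signature" text.  On a good signature gpg emits
    #   [GNUPG:] VALIDSIG <signing-key fpr> ... <primary-key fpr>
    # and the last field is the primary fingerprint even when a subkey signed.
    rc=0
    status=$(GNUPGHOME="$home" gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || rc=$?
    primary=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $12; exit }')
    GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$home"

    if [ "$rc" -eq 0 ] && [ "$primary" = "$expected" ]; then
        echo ok; return 0
    fi
    echo "signature not valid from pinned key (gpg rc=$rc, primary=${primary:-none})" >&2
    return 3
}

# make_demo_fixture DIR
#   Builds a throwaway signer key plus a fake "app.apk" and its detached
#   signature in DIR (constructed test data, NOT the F-Droid key or APK) and
#   prints the signer's primary fingerprint so the caller can pin it.
make_demo_fixture() {
    dir=$1; gen="$dir/gen"; mkdir -p "$gen"; chmod 700 "$gen"
    GNUPGHOME="$gen" gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Signer <demo@example.invalid>' default default never 2>/dev/null
    printf 'not really an apk, just bytes to sign\n' > "$dir/app.apk"
    GNUPGHOME="$gen" gpg --batch --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign -o "$dir/app.apk.asc" "$dir/app.apk" 2>/dev/null
    GNUPGHOME="$gen" gpg --batch --armor --export demo@example.invalid > "$dir/signer.asc"
    GNUPGHOME="$gen" gpg --batch --with-colons --list-keys 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
    GNUPGHOME="$gen" gpgconf --kill gpg-agent 2>/dev/null
}

# Real-world use (key file and fingerprint taken from f-droid.org; the
# fingerprint is the one quoted in this thread):
#   verify_with_pinned_fpr f-droid_public.asc \
#       '37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89' F-Droid.apk.asc F-Droid.apk
#
# Self-contained demo with the throwaway key:  sh verify.sh demo
if [ "${1-}" = demo ]; then
    d=$(mktemp -d); fpr=$(make_demo_fixture "$d")
    verify_with_pinned_fpr "$d/signer.asc" "$fpr" "$d/app.apk.asc" "$d/app.apk"
    printf 'x' >> "$d/app.apk"          # tamper with the file ...
    verify_with_pinned_fpr "$d/signer.asc" "$fpr" "$d/app.apk.asc" "$d/app.apk" || echo "rejected ($?)"
    rm -rf "$d"
fi
```

Two things the script deliberately does not do: it does not download the key (where the key comes from is the whole trust question, and a keyring pulled from a keyserver is no better than the pinned fingerprint you compare it against), and it does not reject an expired key; gpg reports that case on a separate `EXPKEYSIG` status line, so add a check for it if you want the "This key has expired" note to be fatal.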
Great, so we could write the procedure to do so on the page of the download! It will help a lot of people. It isn’t a trivial thing.
Thanks for your quick answer. BTW
Hi, we are newbies and have been trying to verify the f-droid.apk for the last 2 hours or so.
Checking with Release Channels and Signing Keys | F-Droid - Free and Open Source Android App Repository
None of the MD5, SHA1 or SHA256 codes are the same as gtkhash produces from F-Droid.apk
The only number that pops up is the Subkey fingerprint by: gpg --verify F-Droid.apk.asc
We guess that is not good enough.
Many people have been struggling with this, so we read. It seems no one has figured out how to verify it so far. At least we haven’t. And no usable answer was found on the search engines! But even worse: it isn’t explained anywhere on the f-droid site!
So is this F-Droid.apk.asc just a gadget or a marketing trick?! To make people think: Oh GREAT, LOOK AT THAT! Well, I don’t have to check since they give a PGP signature! It MUST be OK! Just go ahead!
Or is anybody able and so helpful to explain how this verification really works on a linux pc?
Hi SkewedZeppelin, we’ve followed the instructions. We get the same outcome. Yet how do we know this is the outcome needed? None of the numbers are equal. There is no confirmation. On top of that we get: gpg: Note: This key has expired!
I’m afraid we are none the wiser…