Help needed to verify the f-droid app APK

I also struggled with how to make use of the PGP signature provided with the download.
A site for an unrelated application (Veracrypt) has what I have found to be a straightforward write-up of the sequence of commands: VeraCrypt - Free Open source disk encryption with strong security for the Paranoid

By following along with that here’s what I did that seems to yield sane results:

  1. I copied what appears to be the current F-Droid PGP public key from this other post on the forum.
     I saved the content to a file (Ex. f-droid_public.asc)
  2. I did a ‘test-only’ import to be able to view the details of the saved public key
     $ gpg --import --import-options show-only f-droid_public.asc
     pub   rsa4096 2014-04-25 [C]
           37D2C98789D8311948394E3E41E7044E1DBA2E89
     uid                      F-Droid <admin@f-droid.org>
     sub   rsa3072 2014-04-25 [S] [expires: 2021-04-24]
     sub   rsa3072 2014-04-25 [E] [expires: 2021-04-24]
  3. Once satisfied that the content looks reasonable and the fingerprint is what is expected, I did the actual import.
     $ gpg --import f-droid_public.asc
     gpg: key 41E7044E1DBA2E89: public key "F-Droid <admin@f-droid.org>" imported
     gpg: Total number processed: 1
     gpg:               imported: 1
  4. Finally now the downloaded signature can be checked.
     (Note: FDroid.apk and FDroid.apk.asc downloaded to same folder)
     $ gpg --verify FDroid.apk.asc
     gpg: assuming signed data in 'FDroid.apk'
     gpg: Signature made Thu 11 Apr 2019 08:41:19 AM EDT
     gpg:                using RSA key 7A029E54DD5DCE7A
     gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
     gpg: WARNING: This key is not certified with a trusted signature!
     gpg:          There is no indication that the signature belongs to the owner.
     Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
          Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A

Obtaining the public key this way perhaps isn’t the ideal procedure to establish ‘trust’ of the public key but it seems PGP’s ‘web of trust’ is going through a crisis (see below) and this may be the best that can be done via PGP for now.

Some additional info:
Since last year there has been an attack on the PGP SKS keyserver network. (A web search should yield more info if curious…)
There is a keyserver that is not part of the network and behaves in a way that avoids the particular attack/exploit of SKS keyservers at https://keys.openpgp.org
There seems to be some sort of unusable version of the F-Droid public key on keys.openpgp.org. This server has an e-mail verification opt-in process before allowing download of ID information, so perhaps the F-Droid team hasn’t been able to do this process.
Given the attack on SKS keyservers I was not going to download any keys from any other servers.

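Added example (my own script, not part of the post above or anything published by F-Droid): the four manual steps end with a "Good signature ... [unknown]" line, and the only thing that actually ties that signature to F-Droid is the primary key fingerprint printed underneath it. If you want to script the check, do not grep for "Good signature"; run gpg with `--status-fd` and accept only a `VALIDSIG` status line whose primary-key fingerprint (its last field, per gpg's doc/DETAILS) equals the fingerprint you verified out of band. The script below assumes gpg 2.x is on PATH and the key was imported as in the post; the sample status lines are constructed to match the signature shown above, they are not a real capture.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies FDroid.apk against
# FDroid.apk.asc and pins the result to a known primary key fingerprint.
# Assumes: gpg 2.x on PATH, key already imported (see the post's steps 1-3).

# F-Droid primary key fingerprint as shown in the post's `gpg --verify` output.
EXPECTED_FPR="37D2C98789D8311948394E3E41E7044E1DBA2E89"

# Normalise a fingerprint: drop spaces, upper-case, so the spaced form gpg
# prints ("37D2 C987 ...") compares equal to the compact 40-hex form.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --status-fd` lines on stdin. Return 0 only if a VALIDSIG line
# names the expected *primary* key fingerprint (last field). GOODSIG alone
# is not enough: it only says "signed by some key in my keyring".
status_has_validsig() {
    want=$(norm_fpr "$1")
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                primary=$(printf '%s\n' "$line" | awk '{print $NF}')
                if [ "$(norm_fpr "$primary")" = "$want" ]; then
                    found=0
                fi
                ;;
        esac
    done
    return $found
}

# verify_apk FILE [SIG]: run gpg and apply the fingerprint pin.
# --status-fd 1 puts machine-readable status on stdout; the human-readable
# report (the "WARNING: not certified" text from the post) goes to stderr.
verify_apk() {
    file="$1"
    sig="${2:-$1.asc}"
    gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | status_has_validsig "$EXPECTED_FPR"
}

# Constructed sample status output (not a real capture), shaped like the
# post's signature: signing subkey 802A...CE7A, primary key 37D2...2E89.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7A029E54DD5DCE7A F-Droid <admin@f-droid.org>
[GNUPG:] VALIDSIG 802A9799016112346E1FEFF47A029E54DD5DCE7A 2019-04-11 1554986479 0 4 0 1 8 00 37D2C98789D8311948394E3E41E7044E1DBA2E89
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: a valid signature, but from some other key (placeholder
# fingerprint of all 1s). Must be rejected even though gpg says GOODSIG.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Someone Else <placeholder@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2019-04-11 1554986479 0 4 0 1 8 00 1111111111111111111111111111111111111111
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: bad signature, no VALIDSIG at all. Must be rejected.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 7A029E54DD5DCE7A F-Droid <admin@f-droid.org>'

# Usage: ./verify_fdroid.sh FDroid.apk   (signature defaults to FDroid.apk.asc)
if [ "$#" -gt 0 ]; then
    if verify_apk "$1"; then
        echo "OK: $1 is signed by the expected F-Droid key"
    else
        echo "FAIL: $1 is not signed by the expected F-Droid key" >&2
        exit 1
    fi
fi
```

Run it as `./verify_fdroid.sh FDroid.apk`; a zero exit status means the APK carries a valid signature whose primary key is the pinned fingerprint, which is the check a human does by eye in step 4 of the post. Pinning the fingerprint in the script is what makes this meaningful despite the "[unknown]" trust level: the keyserver situation described above means you still have to obtain and confirm that fingerprint once out of band.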