Help needed to verify the f-droid app APK

  1. Install [Termux](https://f-droid.org/en/packages/com.termux/) and
    termux-setup-storage
  2. apt-get update && apt full-upgrade -y
  3. apt install gnupg
  4. apt install wget
  5. cd /sdcard/Download/
  6. wget FILE-LINK (or download F-Droid.apk and F-Droid.apk.asc from https://f-droid.org/)
  7. wget SIGNATURE-LINK (F-Droid.apk.asc)
  8. gpg --keyserver-options auto-key-retrieve --verify SIGNATURE-FILE.apk.asc

result:

/sdcard/Download $ gpg --keyserver-options auto-key-retrieve --verify F-Droid.apk.asc
gpg: assuming signed data in ‘F-Droid.apk’
gpg: Signature made 2022-01-26 21:12:50 +0330 +0330
gpg: using RSA key 802A9799016112346E1FEFF47A029E54DD5DCE7A
gpg: key 41E7044E1DBA2E89: 1 duplicate signature removed
gpg: key 41E7044E1DBA2E89: public key “F-Droid admin@f-droid.org” imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: Good signature from “F-Droid admin@f-droid.org” [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
Subkey fingerprint: 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D CE7A
/sdcard/Download $

a reference:

I found it and did that; I got a good signature, and I tried on a Parrot OS live boot, same, I got a good signature. Don’t know what is wrong in my default system. I have tried with live booting elementary, same issue I find. There must be some issue. On which side I don’t know.
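The steps above end with `gpg --keyserver-options auto-key-retrieve --verify`, which fetches whatever key the signature names and then reports "Good signature ... [unknown]" with a WARNING, because nothing ties that key to F-Droid. The following is an added example (not code from this thread or from the F-Droid project) of the same verification done with a pinned primary-key fingerprint: the key file is imported and rejected unless it carries the pinned fingerprint, and the signature is accepted only if gpg's `VALIDSIG` status line reports that primary fingerprint. It assumes GnuPG 2.x and awk are installed (both are available in Termux), that the F-Droid public key has been saved to a file fetched over a different channel than the APK, and uses the primary-key fingerprint printed in the gpg output above, which you should confirm from a second source yourself.

```shell
#!/bin/sh
# Added example, not from the thread or the F-Droid project: verify F-Droid.apk
# against its detached signature while PINNING the signer's primary-key
# fingerprint, instead of trusting whatever key auto-key-retrieve fetched.
# Assumptions: GnuPG 2.x and awk on PATH; the F-Droid public key saved to a
# file obtained from a source other than the download site.
# Fingerprint as printed in the gpg output in this thread; confirm it elsewhere.
PINNED_FPR="37D2C98789D8311948394E3E41E7044E1DBA2E89"

# Strip spaces/colons and upper-case, so "37D2 C987 ..." and "37d2:c987:..."
# compare equal to the bare hex gpg emits on --status-fd lines.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]'
}

# Import a key file, then fail unless a key with the pinned fingerprint is in
# the keyring (--with-colons "fpr" records carry the fingerprint in field 10).
import_pinned_key() {                  # $1 = key file, $2 = expected fingerprint
    want=$(normalize_fpr "$2")
    gpg --batch --quiet --import "$1" 2>/dev/null || return 1
    gpg --batch --with-colons --list-keys "$want" 2>/dev/null \
        | awk -F: -v want="$want" '$1=="fpr" && $10==want {found=1} END{exit !found}'
}

# Verify a detached signature and require that the signing key's PRIMARY
# fingerprint equals the pinned one. Returns 0 only for a good, pinned signature.
# VALIDSIG layout: <signing-key fpr> <date> <ts> <exp> <ver> <rsv> <pk> <hash>
# <class> <primary-key fpr>; the primary fpr is the last field, so a signature
# made with a subkey (as F-Droid's is) still matches the pinned primary key.
verify_pinned() {                      # $1 = file, $2 = .asc, $3 = expected fpr
    want=$(normalize_fpr "$3")
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    got=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $NF; exit}')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Usage, as typed in Termux with the paths from the thread:
#   import_pinned_key fdroid-key.asc "$PINNED_FPR" || echo "key file does not carry the pinned fingerprint"
#   verify_pinned /sdcard/Download/F-Droid.apk /sdcard/Download/F-Droid.apk.asc "$PINNED_FPR" \
#       && echo "signed by the pinned F-Droid key" || echo "REJECT"
```

Because the accept decision compares against a fingerprint you typed in, swapping the APK, the `.asc` and the key on the download site together no longer passes; only a key with that fingerprint does. The "not certified with a trusted signature" warning still appears on stderr, which is fine: the pin replaces the web of trust here, and this script ignores gpg's trust model on purpose.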

Hello, I am unable to open the asc and apk files in “Storage/Downloads” in Graphene OS on my mobile device to verify download of F-Droid.
I receive an “unable to open file” message when clicking on one file and a “permission not granted for downloading unknown app” for other.
Has anyone encountered this problem and found a solution?
I understand, maybe mistakenly, that if I trust the downloaded file, I may enable download anyway by applying settings.
Thank you for any time, comments and assistance, and apologies in advance if information needed has been left out.

What are you trying to open them with?

verification should be done like this: FAQ · Wiki · F-Droid / wiki · GitLab

Hey there,
I am new to GOS and I want to install my first apps via fdroid and want to verify the downloaded F-Droid.apk on GrapheneOS itself… The mentioned page from @Licaon_Kter Fdoid wiki simply states under the Android section: “Download the APK from the front page of https://f-droid.org, then run this:” followed by some code… soooo, yeah… my question is “HOW?

Is there no build in Temrinal in GOS to run the code? Searched a bit an foudn that I could install a terminal… well VIA FDROID^^

Any ideas how to solve that circle? Thanks alot. Btw, thought GOS and Android is Linux based, isn´t there a terminal preinstalled?

Only solution I see is to download the apk via a Laptpo/PC with LInux, check it there an than copy it to my GOS phone via cable… okay, thats the point where I have to start choosing a linux distribution, create a bootable flash drive, install linux and so on…

Feel free to offer one :person_shrugging: you need those tools to verify, chicken and egg :slight_smile:


Turmux is a good option

Do you mean tErmux? With an “e” ?
But how to get it without f-droid?

that was not a perfect solution, or not a direct one as you’d have to trust Termux first, but at least you don’t need a PC

If you are on GrapheneOS, there is a way to solve the chicken and egg problem and verify the F-Droid APK without running code in a terminal.

  1. Use the builtin “App Store” app to download Accrescent
  2. Use the Accrescent app to download AppVerifier
  3. Use the AppVerifier app to verify the file F-Droid.apk

The SHA-256 hash of the signature certificate should be identical to the one published on the F-Droid website:

43:23:8D:51:2C:1E:5E:B2:D6:56:9F:4A:3A:FB:F5:52:34:18:B8:2E:0A:3E:D1:55:27:70:AB:B9:A9:C9:CC:AB

If they match, it means the file is legitimate.

Edit: to make sure that the hash is legit, you should check on other sources than the F-Droid website. For example:

Also, I don’t understand the downvotes, please enlighten me :smiley:

So take a whole route round the world and also install some other stuff. This makes no sense whatsoever. Humble Request: never ever suggest something like this to anyone please.

Why do you think it makes no sense?

you mean besides Add to F-Droid · Issue #139 · accrescent/accrescent · GitHub

and AppVerifier's presence on IzzyOnDroid · Issue #43 · soupslurpr/AppVerifier · GitHub ?

Maybe recommend them something from Play store instead… :person_shrugging:


If you mean there is way too much drama in some circles, I completely agree with you.

oss-security - PoC for fdroidserver AllowedAPKSigningKeys certificate pinning bypass

how is this helpful exactly for this case?

It’s another source that came up when I searched for the F-Droid certificate hash on Google.

It’s helpful to check other sources because, if you use the same source to download both the file you want to verify and its key, an attacker that would be able to modify the file would also be able to modify the key, and a malicious file could pass the verification with the attacker’s key.

Actually, this advice could be added to the FAQ that you linked earlier. Should I make a pull request?

Which advice exactly? and where?

In this part of the FAQ:

https://gitlab.com/fdroid/wiki/-/wikis/FAQ#how-can-i-verify-the-downloaded-f-droidapk

Many different ways are shown to verify signatures, which is good. However, the signature hashes themselves are also given on that page.

I am proposing to add a line just at the beginning of that section that advises the reader to obtain the signature hashes from a separate source than the F-Droid GitLab, which could be one of the links I posted earlier, or a post by F-Droid on a social media platform, or something else if you have a better idea.

Because an attacker that modifies the signature would not remove the text that warns you to double-check?


Hahaha, yes you’re right. I didn’t think about this. Well at least it would educate the reader and follow good practices. Maybe a reader that learns to follow this advice on this page would avoid an attack when they attempt to install another piece of software later in their life.