In regard to this statement by F-Droid: “It is built and signed by F-Droid, and guaranteed to correspond to this source tarball.” I see there is a PGP signature provided with each apk, presumably this is a signature of the APK as signed data signed by the build server. Where to get the PGP public key the buildserver uses to sign built APKs?