Kleopatra verification under Windows

Could someone provide me a step-by-step F-Droid download verification under Windows using Kleopatra (for a newbie)?

I downloaded the apk from the main page and also the PGP signature from the same page to folder ZZZ on my PC.
As far as I understood, it is not enough, so I went to:

I went there, and to the git repo, and downloaded:
f-droid.org-signing-key.gpg to the ZZZ folder.

I went to the ZZZ folder on my computer, right-clicked the apk file -> More GpgEX options -> Verify

I got the info that the data cannot be checked.
But also that the signature was created on 29 Apr 2020 with F-Droid admin@f-droid.org (41E7 044E 1DBA 2E89).
The key is not certified by you or a trusted person.

I clicked the audit diary and got the info that it was signed on
04/29/20 08:09:09
using RSA 7A029E54DD5DCE7A,
that the key is valid, given by F-Droid admin@f-droid.org.
The key is not signed by a trusted signature; the identity of the person who signed it is not confirmed.
Fingerprint of key: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
Fingerprint of subkey: 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D CE7A

It seems that it is the official binary release key, not the git repo one, as mentioned, but I assume it was uploaded at a later time.

Is the apk verified, or do I need to check something else?
I assume that the key will always be untrusted when downloaded from the web?

How to check APK signing key, APK signing certificate fingerprint? Is it needed?

Considering this:

To confirm that the 1DBA2E89 admin@f-droid.org PGP key is trusted by the index JAR signing key that is built into the F-Droid client app, run these commands: (…)

I totally do not understand what to do. Is it even possible on Windows?

You need to verify the signature (F-Droid.apk.asc). And the F-Droid.apk needs to be in the same directory.
To verify the signature you need the public key from F-Droid.
That is this one here:

If you have the key you need to trust that this key is really from the F-Droid team and not from someone else. Generally a key is marked as trusted if you manually mark it as trusted (when you got the key from a trustworthy source) or if the key got signed by someone who you trust.

Then you can start verifying signatures created by that key.

So now the big question is, how can you trust a key?
That’s what all these commands are for.
They check if the key embedded in fdroidclient, the key that signed the index.jar and the key that is embedded in the f-droid.org page are all the same.

These commands are one option to gain trust in a key. Generally there are more options. You can read about that e.g. here (don’t be confused about the word certificate. It’s basically the same as a key plus some additional data)

You can import a key/certificate in Kleopatra like this:
https://www.gpg4win.org/doc/en/gpg4win-compendium_15.html

So back to the commands:
Running these commands in Windows is not possible because this is meant to be run in a Linux terminal.
For Windows you would need to install or replace these commands with some native Windows tool or install a 3rd-party tool:

wget, git, grep, xxd, keytool, jarsigner, unzip, openssl, gpg

So you could search for replacement tools but that would need quite some time and it is generally messy and not nice. So the better way would be to use Linux.
You could use Linux in a virtual machine or you can use Windows Subsystem for Linux:
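As an added example (not code from this thread or from the F-Droid project), here is the Kleopatra right-click "Verify" step done from PowerShell with the gpg.exe that Gpg4win installs next to Kleopatra, followed by the manual trust step the answer above describes: comparing the signing key's fingerprint against one you obtained from a second, independent source. It assumes gpg.exe is on PATH, that the apk, the .asc signature and the key file sit together in one folder, and it uses the primary-key fingerprint quoted in the question as the value to compare against (you must confirm that value yourself from the git repo or f-droid.org before relying on it). The folder path is a placeholder for the "ZZZ" folder from the question. The final keytool step covers the separate Android APK signing certificate and only runs if a JDK is installed; the index.jar / fdroidclient chain check from the quoted commands is not reproduced here.

```powershell
# Added example, not code from the thread or from the F-Droid project.
# Verifies F-Droid.apk against its detached PGP signature with Gpg4win's gpg.exe,
# then compares the signing key's fingerprint with one obtained independently.
# Assumptions: gpg.exe is on PATH; all three files sit in $Folder;
# $Folder is a placeholder for the "ZZZ" folder from the question.
param(
    [string]$Folder  = "C:\Users\me\ZZZ",
    [string]$Apk     = "F-Droid.apk",
    [string]$Sig     = "F-Droid.apk.asc",
    [string]$KeyFile = "f-droid.org-signing-key.gpg",
    # Primary key fingerprint reported in the question (spaces removed);
    # confirm it from a second source before relying on it.
    [string]$ExpectedPrimaryFingerprint = "37D2C98789D8311948394E3E41E7044E1DBA2E89"
)

Set-Location $Folder

# 1. Import the public key (what Kleopatra's "Import" button does).
& gpg --import $KeyFile
if ($LASTEXITCODE -ne 0) { throw "gpg --import failed for $KeyFile" }

# 2. Verify the detached signature. --status-fd 1 puts machine-readable
#    "[GNUPG:] ..." lines on stdout; the human-readable report still goes to stderr.
#    Argument order matters: signature file first, then the data file.
$statusLines = & gpg --status-fd 1 --verify $Sig $Apk
if ($LASTEXITCODE -ne 0) { throw "signature does NOT verify: treat $Apk as untrusted" }

# VALIDSIG <signing-key-fpr> <date> <timestamp> ... <primary-key-fpr>
$validSig = $statusLines | Where-Object { $_ -match '^\[GNUPG:\] VALIDSIG ' } | Select-Object -First 1
if (-not $validSig) { throw "no VALIDSIG status line; signature is not good" }
$fields     = $validSig -split '\s+'
$signingFpr = $fields[2]     # the RSA subkey that made the signature
$primaryFpr = $fields[-1]    # the primary key it belongs to

# TRUST_UNDEFINED here is the same thing Kleopatra reports as "key is not
# certified": the signature is cryptographically valid, but gpg does not yet
# know whether the key belongs to F-Droid. Step 3 is what settles that.
$trust = $statusLines | Where-Object { $_ -match '^\[GNUPG:\] TRUST_' } | Select-Object -First 1
Write-Host "gpg trust status : $trust"
Write-Host "signing subkey   : $signingFpr"
Write-Host "primary key      : $primaryFpr"

# 3. Manual trust step: the fingerprint must match what you fetched independently.
#    (-ne compares case-insensitively in PowerShell, so key case does not matter.)
if ($primaryFpr -ne $ExpectedPrimaryFingerprint) {
    throw "fingerprint mismatch: got $primaryFpr, expected $ExpectedPrimaryFingerprint"
}
Write-Host "OK: $Apk carries a valid signature from the expected F-Droid key"

# 4. Optional: print the APK's own Android signing certificate fingerprints.
#    This is separate from the PGP signature; keytool ships with a JDK, not Gpg4win.
if (Get-Command keytool -ErrorAction SilentlyContinue) {
    & keytool -printcert -jarfile $Apk
}
```

Save it as Verify-FDroid.ps1 and run `.\Verify-FDroid.ps1 -Folder 'C:\path\to\ZZZ'` from a PowerShell window (if script execution is blocked, `Set-ExecutionPolicy -Scope Process Bypass` lifts it for that session only). A good signature plus a matching fingerprint is the same outcome as certifying the key in Kleopatra and then seeing a green "valid signature"; a good signature with a mismatching fingerprint means the file was signed by some key, just not the one F-Droid publishes, and should be discarded.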
