Could someone provide me with step-by-step F-Droid download verification under Windows using Kleopatra (for a newbie)?
I downloaded the apk from the main page and also the PGP signature from the same page to folder ZZZ on my PC.
As far as I understood, that is not enough, so I went to:
I went there, and to the git repo, and downloaded:
f-droid.org-signing-key.gpg to ZZZ folder.
I went to the ZZZ folder on my computer, right-clicked the apk file -> More GpgEX options -> Verify.
I got the info that the data cannot be checked.
But also that the signature was created on 29 Apr 2020 with F-Droid firstname.lastname@example.org (41E7 044E 1DBA 2E89).
The key is not certified by you and trusted person.
I clicked the audit diary and got the info that it was signed on
using RSA 7A029E54DD5DCE7A
and that the key is valid, given by F-Droid email@example.com
Key is not signed by a trusted signature; the identity of the person who signed it is not confirmed.
Fingerprint of key: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
Fingerprint of subkey: 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D CE7A
It seems that it is the official binary release key, not the git repo one, as mentioned, but I assume it was uploaded at a later date.
Is the apk verified, or do I need to check something else?
I assume that the key will always be untrusted when downloaded from the web?
How do I check the APK signing key / APK signing certificate fingerprint? Is it needed?
To confirm that the 1DBA2E89 firstname.lastname@example.org PGP key is trusted by the index JAR signing key that is built into the F-Droid client app, run these commands: (…)
I totally do not understand what to do. Is it even possible on Windows?
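Added example (not part of the post or of F-Droid's own tooling): a Python check over the status lines that gpg emits with `--status-fd 1` (the same gpg.exe that Kleopatra/Gpg4win drives), which accepts a GOODSIG only when the primary fingerprint of the signing key matches the one pinned from the post above; the TRUST_UNDEFINED warning is expected for a key fetched from the web and is not by itself a failure. The sample status lines are constructed, and the gpg call assumes gpg is on PATH and the key was already imported (as Kleopatra does).

```python
import subprocess

# Primary key fingerprint quoted in the post above; the signing subkey
# 7A029E54DD5DCE7A belongs to it. Pin this instead of relying on web-of-trust.
EXPECTED_PRIMARY_FPR = "37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89"

# Constructed sample of what `gpg --status-fd 1 --verify file.asc file.apk` prints.
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 7A029E54DD5DCE7A F-Droid <firstname.lastname@example.org>",
    "[GNUPG:] VALIDSIG 802A9799016112346E1FEFF47A029E54DD5DCE7A 2020-04-29 "
    "1588118400 0 4 0 1 10 00 37D2C98789D8311948394E3E41E7044E1DBA2E89",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]


def verify_status(status_lines, expected_primary_fpr=EXPECTED_PRIMARY_FPR):
    """Return (ok, reason). ok only if gpg saw a good signature AND the
    primary key behind it equals the pinned fingerprint."""
    want = expected_primary_fpr.replace(" ", "").upper()
    good, primary_fpr, trust = False, None, "TRUST_UNKNOWN"
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            good = True
        elif tag in ("BADSIG", "ERRSIG"):
            return False, f"gpg reported {tag}: signature does not verify"
        elif tag == "VALIDSIG":
            # VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <rsvd> <pkalgo>
            #          <hash> <class> [<primary-key-fpr>]
            primary_fpr = (fields[11] if len(fields) > 11 else fields[2]).upper()
        elif tag.startswith("TRUST_"):
            trust = tag  # informational: web-of-trust status of the key
    if not good or primary_fpr is None:
        return False, "no good signature found"
    if primary_fpr != want:
        return False, f"good signature, but from unexpected key {primary_fpr}"
    return True, f"good signature from pinned key (gpg trust: {trust})"


def verify_apk(apk_path, sig_path):
    """Assumption: gpg on PATH and the F-Droid key already imported."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, apk_path],
        capture_output=True, text=True)
    return verify_status(proc.stdout.splitlines())
```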