PGP-signature of F-Droid.apk

Hi,

this topic is linked to SHA256 checksum of FDroid.apk - #7 by r2d2, which, however, didn’t resolve my question and is closed anyway.

I have a question with regard to the usage of a publicly available PGP key server, e.g. http://pgp.uni-mainz.de/, to verify the downloaded apk file (FDroid.apk) with the help of the provided .asc-file at https://f-droid.org/

A verification with the file FDroid.apk.asc gives:

gpg --verify FDroid.apk.asc
gpg: assuming signed data in ‘FDroid.apk’
gpg: Signature made Do 11 Apr 2019 14:41:19 CEST
gpg: using RSA key 7A029E54DD5DCE7A
gpg: Can’t check signature: No public key

To check the identity of the issuer/owner of the RSA key 7A029E54DD5DCE7A I searched at http://pgp.uni-mainz.de/ and http://pgp.uni-mainz.de/pks-commands.html respectively via the “Search String”, which led to no result.

Adding “0x” to 7A029E54DD5DCE7A led to the result:
http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=index&search=0x7A029E54DD5DCE7A

There you get the results:

(1) download the public key for “0x41e7044e1dba2e89”

http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=get&search=0x41E7044E1DBA2E89

(2) or you can open the “Search results for ‘0x41e7044e1dba2e89’”:
http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=vindex&search=0x41E7044E1DBA2E89

However, I am not able to see the link to my query “0x7A029E54DD5DCE7A”.
How can these results be used to verify the download?

The forum provides help at

with
gpg --keyserver … --recv-key 7A029E54DD5DCE7A
but I am not able to verify which key exactly is downloaded - which should be the idea of the chosen procedure.

Can you help with that issue? Thanks in advance.

1 Like

Yes, I do agree with it. It does become difficult to trust the PGP signing alone if you are not in a wide “web of trust” as they say. Part of me thinks that I should hold a “key signing party”. Yes, that’s a thing apparently.

If the public key was published on the gitlab that might help. Some further questions that one might ask are, “Is Gitlab indexed by search engines?” and “Is Gitlab easily accessible via privacy browsers like Tor?”

Thanks webDev for your reply. However, I do not understand the issue of holding a “key signing party”. I thought the consulting of a public key server (like that of http://pgp.uni-mainz.de/) should close that gap and provide the trust in the key, which was used for signing.
In my understanding, the issue comes down to the line

gpg: using RSA key 7A029E54DD5DCE7A

and the verification of that key (for which the above-mentioned queries
(1) searching for “7A029E54DD5DCE7A” at http://pgp.uni-mainz.de/pks-commands.html
(2) http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=index&search=0x7A029E54DD5DCE7A
in my eyes do not provide direct results regarding the owner of the key “7A029E54DD5DCE7A”).

Or am I completely wrong with my understanding of the whole procedure, or missing essential parts in interpreting the results of the queries at the key servers?
Any help is appreciated!
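Added example (my own shell script, not code from this thread or from the F-Droid project) that implements the check the questions above are about: receive the key by the primary ID the keyserver returned, pin its full fingerprint instead of the 64-bit key ID printed by gpg, list its subkeys so you can see where 7A029E54DD5DCE7A fits, and accept the signature only if gpg's machine-readable VALIDSIG line chains back to that fingerprint. The keyserver name is taken from the thread; EXPECTED_FPR is a placeholder you must replace with a fingerprint obtained out of band.

```shell
#!/bin/sh
# Added example for this thread, not code from the forum or from F-Droid.
# The ID in "gpg: using RSA key 7A029E54DD5DCE7A" is a 64-bit key ID and may
# name a SUBKEY; the keyserver answered that query with 0x41E7044E1DBA2E89,
# which is how a keyserver points from a subkey to the primary key it belongs to.
# Pin the full fingerprint of that primary key, learned out of band, rather than
# the short ID. EXPECTED_FPR is a PLACEHOLDER, not F-Droid's real fingerprint.
EXPECTED_FPR="0000000000000000000000000000000000000000"
PRIMARY_ID="41E7044E1DBA2E89"
KEYSERVER="hkp://pgp.uni-mainz.de"

# Case-insensitive comparison of two fingerprints: returns 0 when they are equal.
fpr_matches() {
    [ "$(printf '%s' "$1" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Read gpg --status-fd output on stdin and print the PRIMARY key fingerprint
# carried in the VALIDSIG line (its last field); fail if there is no valid signature.
validsig_primary_fpr() {
    awk '$2 == "VALIDSIG" { print $12; found = 1 } END { exit !found }'
}

# Fetch the key by primary ID, list the subkeys it carries (7A029E54DD5DCE7A is
# expected to be among them) and compare its fingerprint with the pinned value.
fetch_and_pin_key() {
    gpg --keyserver "$KEYSERVER" --recv-keys "$PRIMARY_ID"
    echo "subkeys: $(gpg --with-colons --list-keys "$PRIMARY_ID" | awk -F: '$1 == "sub" { print $5 }')"
    actual=$(gpg --with-colons --fingerprint "$PRIMARY_ID" | awk -F: '$1 == "fpr" { print $10; exit }')
    fpr_matches "$actual" "$EXPECTED_FPR" || { echo "fingerprint mismatch: $actual" >&2; return 1; }
}

# Verify the detached signature and accept it only when the signing key chains to
# the pinned primary fingerprint; "Good signature" from an unknown key is not enough.
verify_apk() {
    status=$(gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) || true
    primary=$(printf '%s\n' "$status" | validsig_primary_fpr) || { echo "no valid signature on $1" >&2; return 1; }
    fpr_matches "$primary" "$EXPECTED_FPR" || { echo "signed by unexpected key $primary" >&2; return 1; }
    echo "OK: $1 is signed by the pinned key"
}

# Usage: sh verify_fdroid.sh run FDroid.apk  (with no arguments only the functions are defined)
case "${1:-}" in
    run) fetch_and_pin_key && verify_apk "${2:-FDroid.apk}" ;;
esac
```

Run it with the FDroid.apk and FDroid.apk.asc files in the current directory; a mismatch between the fetched key and EXPECTED_FPR stops the check before the signature is even examined.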

You seem to know more about this than me; I’m new here. I only joined recently to try and improve the landing page of the F-Droid website.

This is actually something that interests me also. So from what I can gather from the above you are saying that the devs have not published their key to a keyserver, that you are aware of.

I admit I have a public key that I haven’t published to a keyserver, mainly because I’m concerned that the email address will be spammed with encrypted spam. Maybe that would be a small price to pay perhaps for having anyone out of the blue send me an encrypted message, but it just isn’t a priority for me. Having said that maybe this F-Droid Team could use a key without an email address. I don’t know if this is a factor in their reasoning.

Maybe the key they use is only to show consistency, i.e. the same developer that you trusted before is publishing this new version, so therefore you can trust this new version also. Does that make sense?

I’m not an expert in this field by any means. The app development team should probably reply to your questions. I’m interested to know their reasoning.

(As a sidenote, I have noticed that this forum itself is a magnet for spammers, every other day I seem to get a sophisticated spam message that looks normal and that writes in the forum in a way that you would expect, but the links that they provide are dodgy. Have you noticed that Mr. T? Or is it just me? Sometimes I will come back to the forum and the message will not be on here at all. Maybe it was deleted by an Admin? This is a side issue but I thought I’d mention it as reasoning for the point I made about spam (and possibly malicious) emails.)

Well, I am new to this forum, too. So I am a bit afraid that I am asking a question that has already been replied to in another post.

This is what I think, too. Or, I am not able to interpret the results in the correct way, trying to build a link to the RSA key, provided in the FDroid.apk.asc-file:

Regarding your sidenote: I haven’t had these experiences yet. But this is my first post in this forum, so this might not be representative. The above links should lead to the public key server of the University of Mainz and help to facilitate my reasoning.

pgp.mit.edu doesn’t seem to have it either.

I did a few searches and everyone seems to be using apks signed by it. Or the ones signed by it have the same “shasum -a 256” (Do others get the same hashsum of F-Droid's apk?)

So guessing that you are safe. Would have been nice if someone jumped on here to put your concern to rest but I’m having the same disinterest in my thread. Maybe it’s the summer fun that everyone is having in the northern hemisphere or something haha.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.