Hi,
This topic is linked to SHA256 checksum of FDroid.apk, which, however, didn’t resolve my question and is closed anyway.
I have a question with regard to the usage of a publicly available pgp
key server, e.g. http://pgp.uni-mainz.de/
to verify the downloaded apk file (FDroid.apk) with the help of the
provided .asc-file at https://f-droid.org/
A verification with the file FDroid.apk.asc gives:
gpg --verify FDroid.apk.asc
gpg: assuming signed data in ‘FDroid.apk’
gpg: Signature made Do 11 Apr 2019 14:41:19 CEST
gpg: using RSA key 7A029E54DD5DCE7A
gpg: Can’t check signature: No public key
To check the identity of the issuer/owner of the RSA key 7A029E54DD5DCE7A
I searched at http://pgp.uni-mainz.de/
and
http://pgp.uni-mainz.de/pks-commands.html
respectively via the “Search String” - which led to no result.
Adding “0x” to 7A029E54DD5DCE7A led to the result:
http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=index&search=0x7A029E54DD5DCE7A
There you get the results:
(1) download the public key for “0x41e7044e1dba2e89”
http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=get&search=0x41E7044E1DBA2E89
(2) or you can open the “Search results for ‘0x41e7044e1dba2e89’”:
http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=vindex&search=0x41E7044E1DBA2E89
However, I am not able to see the link to my query “0x7A029E54DD5DCE7A”.
How can these results be used to verify the download?
The forum provides help at
with
gpg --keyserver … --recv-key 7A029E54DD5DCE7A
but I am not able to verify which key exactly is downloaded - which should be the idea of the chosen procedure.
Can you help with that issue? Thanks in advance.
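
Added example, not part of the original post: keyservers index a subkey's ID under the primary key it belongs to, so a lookup by one ID can return a key with a different ID. This shell function reads GnuPG's `--with-colons` listing and reports whether a given ID is a primary key or a subkey, and of which primary key. The function name, the file name `downloaded-key.asc` and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: locate a key ID inside a --with-colons key listing (stdin).
# Prints "<role> <keyid> primary=<primary keyid> caps=<capabilities>"
# and returns 1 when the ID does not occur in the listing.
owner_of_keyid() {
    # Accept the ID with or without the "0x" prefix, in either letter case.
    want=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    awk -F: -v want="$want" '
        $1 == "pub" { primary = $5 }   # field 5 holds the 16-hex key ID
        ($1 == "pub" || $1 == "sub") && $5 == want {
            role = ($1 == "pub") ? "primary" : "subkey"
            # field 12 holds the capabilities (s = sign, e = encrypt, ...)
            printf "%s %s primary=%s caps=%s\n", role, $5, primary, $12
            found = 1
        }
        END { if (!found) exit 1 }
    '
}

# Constructed sample listing, not real gpg output: the two key IDs are the
# ones quoted in the post; dates, sizes, the user ID and the second subkey
# are placeholders.
SAMPLE='pub:-:4096:1:41E7044E1DBA2E89:1400000000:::-:::scESC:
uid:-::::1400000000::::Placeholder Signer <signer@example.org>:
sub:-:4096:1:7A029E54DD5DCE7A:1400000000::::::s:
sub:-:4096:1:0000000000000001:1400000000::::::e:'

printf '%s\n' "$SAMPLE" | owner_of_keyid 0x7A029E54DD5DCE7A

# With a real key file (hypothetical name; --show-keys needs GnuPG 2.2.8+
# and inspects the file without importing it):
#   gpg --show-keys --with-colons downloaded-key.asc | owner_of_keyid 7A029E54DD5DCE7A
# After an import, the same check works on the keyring:
#   gpg --list-keys --with-colons 7A029E54DD5DCE7A | owner_of_keyid 7A029E54DD5DCE7A
```

The key IDs only show which key was fetched; whether that key belongs to the publisher is decided by comparing its full fingerprint with one obtained over an independent, trusted channel.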