I have a question with regard to the usage of a publicly available pgp
key server, e.g. http://pgp.uni-mainz.de/
to verify the downloaded apk file (FDroid.apk) with the help of the
provided .asc-file at https://f-droid.org/
A verification with the file FDroid.apk.asc gives:
gpg --verify FDroid.apk.asc
gpg: assuming signed data in ‘FDroid.apk’
gpg: Signature made Do 11 Apr 2019 14:41:19 CEST
gpg: using RSA key 7A029E54DD5DCE7A
gpg: Can’t check signature: No public key
However, I am not able to see the link to my query “0x7A029E54DD5DCE7A”.
How can these results be used to verify the download?
The forum provides help at
with
gpg --keyserver … --recv-key 7A029E54DD5DCE7A
but I am not able to verify which key exactly is downloaded - which should be the idea of the chosen procedure.
Yes. I do agree with it. It does become difficult to trust the PGP signing alone if you are not in a wide “web of trust” as they say. Part of me thinks that I should hold a “key signing party”. Yes, that’s a thing apparently.
If the public key was published on the gitlab that might help. Some further questions that one might ask is, “Is Gitlab indexed by search engines?” and “Is Gitlab easily accessible via privacy browsers like Tor?”
Thanks webDev for your reply. However, I do not understand the issue of holding a “key signing party”. I thought the consulting of a public key server (like that of http://pgp.uni-mainz.de/) should close that gap and provide the trust in the key, which was used for signing.
In my understanding the issue concentrates in the line
Or am I completely wrong with my understanding of the whole procedure, or missing essential parts in interpreting the results of the queries at the key servers?
Any help is appreciated!
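An added example, not from this thread and not the F-Droid project's own tooling, that turns the key server result quoted in the first post and the question in this reply into an actual verification. The point it makes: the key server is only a transport for the key bytes and provides no trust by itself; the trust anchor is the full 40-hex-digit fingerprint published by the project on its own site, and the 16-digit id in "gpg: using RSA key 7A029E54DD5DCE7A" only tells you which key to fetch. The thread never quotes that fingerprint, so EXPECTED_FPR is a placeholder (constructed so its last 16 digits match the key id from the thread); the gpg status lines, the function names and the uid in the samples are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the F-Droid project): verify FDroid.apk
# with a key fetched from a key server WITHOUT trusting the key server.
# The trust anchor is the full fingerprint published by the project itself.

# PLACEHOLDER: replace with the fingerprint taken from f-droid.org, never from
# a key server search result. Constructed so that its last 16 hex digits match
# the key id printed in the thread; it is NOT the project's real fingerprint.
EXPECTED_FPR="0000000000000000000000007A029E54DD5DCE7A"

# 1. Fetch the key by its FULL fingerprint, so exactly that key is imported
#    (a lookup by the 64-bit id alone could return any key with that id).
fetch_key() {            # $1 = key server, e.g. the one named in the thread
    gpg --keyserver "$1" --recv-keys "$EXPECTED_FPR"
}

# 2. Run gpg with machine-readable status lines on stdout.
gpg_status() {           # $1 = downloaded file; $1.asc is its detached signature
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null
}

# 3. Turn the status lines into a verdict. Only a VALIDSIG whose signing or
#    primary fingerprint equals the expected one counts as OK; a GOODSIG alone
#    would accept any key that happens to sit in the keyring.
classify_status() {      # $1 = expected fingerprint; status lines on stdin
    awk -v want="$1" '
        $1 != "[GNUPG:]"  { next }
        $2 == "NO_PUBKEY" { nokey = 1 }   # the "No public key" case from the thread
        $2 == "BADSIG"    { bad = 1 }
        $2 == "VALIDSIG"  { if ($3 == want || $NF == want) ok = 1; else wrong = 1 }
        END {
            if (bad)        print "BADSIG"
            else if (ok)    print "OK"
            else if (wrong) print "WRONG_KEY"
            else if (nokey) print "NO_PUBKEY"
            else            print "NO_SIGNATURE"
        }'
}

verify_download() {      # $1 = downloaded file, e.g. FDroid.apk
    gpg_status "$1" | classify_status "$EXPECTED_FPR"
}

# Constructed gpg status output for the situations a verifier must tell apart.
SAMPLE_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7A029E54DD5DCE7A placeholder uid <release@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000007A029E54DD5DCE7A 2019-04-11 1554986479 0 4 0 1 10 00 0000000000000000000000007A029E54DD5DCE7A'
SAMPLE_NO_PUBKEY='[GNUPG:] NEWSIG
[GNUPG:] NO_PUBKEY 7A029E54DD5DCE7A'
SAMPLE_BADSIG='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 7A029E54DD5DCE7A placeholder uid <release@example.invalid>'

# Usage: sh verify_fdroid.sh FDroid.apk   (after fetch_key <keyserver> once)
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    verdict=$(verify_download "$1")
    echo "$1: $verdict"
    [ "$verdict" = "OK" ]
fi
```

After fetch_key, `gpg --fingerprint "$EXPECTED_FPR"` shows the imported key, which answers the question of which key exactly was downloaded: the fetch was by fingerprint, so nothing else can have been imported under that name. The classification distinguishes the thread's NO_PUBKEY situation (key not fetched yet) from a signature by some other key (WRONG_KEY) and from a tampered file (BADSIG).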
You seem to know more about this than me, I’m new here. Only joined recently to try and improve the landing page of the F-Droid website.
This is actually something that interests me also. So from what I can gather from the above you are saying that the devs have not published their key to a keyserver, that you are aware of.
I admit I have a public key that I haven’t published to a keyserver, mainly because I’m concerned that the email address will be spammed with encrypted spam. Maybe that would be a small price to pay perhaps for having anyone out of the blue send me an encrypted message, but it just isn’t a priority for me. Having said that maybe this F-Droid Team could use a key without an email address. I don’t know if this is a factor in their reasoning.
Maybe the key they use is only to show consistency, i.e. the same developer that you trusted before is publishing this new version, so therefore you can trust this new version also. Does that make sense?
I’m not an expert in this field by any means. The app development team should probably reply to your questions. I’m interested to know their reasoning.
(As a sidenote, I have noticed that this forum itself is a magnet for spammers, every other day I seem to get a sophisticated spam message that looks normal and that writes in the forum in a way that you would expect, but the links that they provide are dodgy. Have you noticed that Mr. T? Or is it just me? Sometimes I will come back to the forum and the message will not be on here at all. Maybe it was deleted by an Admin? This is a side issue but I thought I’d mention it as reasoning for the point I made about spam (and possibly malicious) emails.)
Well, I am new to this forum, too. So I am a bit afraid that I am asking a question that has already been replied to in another post.
This is what I think, too. Or, I am not able to interpret the results in the correct way, trying to build a link to the RSA key, provided in the FDroid.apk.asc-file:
Regarding your sidenote: I haven’t had these experiences yet. But this is my first post in this forum, so this might not be representative. The above links should lead to the public key server of the University of Mainz and help to facilitate my reasoning.
So guessing that you are safe. Would have been nice if someone jumped on here to put your concern to rest but I’m having the same disinterest in my thread. Maybe it’s the summer fun that everyone is having in the northern hemisphere or something haha.