SHA256 checksum of FDroid.apk

website

#1

Greetings F-Droid users, I’m finally de-Googling myself and looking forward to getting my mobile setup nicely with F-Droid. Also trying to do things properly and verify hashes before installing anything. Not much of a software guru though, so hoping for a bit of help with what’s hopefully an easy question:

After downloading the .apk from the main F-Droid site, where do I find the sha256 hash to check against?

I downloaded the .apk from the main F-Droid site, but when doing an “sha256sum FDroid.apk”, It doesn’t match any hashes on this page:
https://f-droid.org/wiki/page/Release_Channels_and_Signing_Keys

SHA256: 43:23:8D:51:2C:1E:5E:B2:D6:56:9F:4A:3A:FB:F5:52:34:18:B8:2E:0A:3E:D1:55:27:70:AB:B9:A9:C9:CC:AB

Is this the correct location or am I looking in the wrong places/missing something obvious?


#2

Is this the correct location or am I looking in the wrong places/missing something obvious?

The location is correct, but that’s not a SHA256 sum for the apk. We
use GPG signatures. Unfortunately I currently don’t know which version
is available from the main page, but in general you can do this:

wget -c https://f-droid.org/repo/org.fdroid.fdroid_103150.apk
wget -c https://f-droid.org/repo/org.fdroid.fdroid_103150.apk.asc
gpg --verify org.fdroid.fdroid_103150.apk.asc

The results should look similar to this:

gpg: assuming signed data in `org.fdroid.fdroid_103150.apk'
gpg: Signature made Sun 14 May 2017 06:48:01 CEST using RSA key ID DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>"
Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A

Then you should compare the primary (and secondary) key fingerprints
with those listed on https://f-droid.org/wiki/page/Release_Channels_and_Signing_Keys
for the client app.


#3

Thanks for the speedy reply! That makes sense, will try it out later today. And also try and learn a bit more about GPG, still getting used to verification/key signing processes etc.
Thanks again.

Edit: Ok, so I grabbed the files and performed:

gpg --verify org.fdroid.fdroid_103150.apk.asc

First couple of lines were the same as you posted but I got error:

gpg: Can’t check signature: public key not found

instead of “Good signature”.
So I need the F-Droid public key, which is the top part of the “here is the whole certificate” section on the wiki page you linked, correct?
I’ve saved both just the key and the whole certificate as .txt and .gpg files then done:

gpg --import f-droid.txt

giving:

gpg: no valid OpenPGP data found.

Also, I’ve tried doing this to import the .asc file but get the same error.
Which bit am I misinterpreting this time? :) Sorry if these are basic problems for most around here.


#4

I am sorry to tell you, but I don’t see any apps on f-droid that are signed other than SHA1 with GPG.


#5

hi,

I have exactly the same problem as wodnar (gpg: no valid OpenPGP data found.)
and would be glad if someone could explain how we can import the required key.

thank you!


#6

I’m as well not able to find the public key… So I can’t verify the pgp signature.

Why don’t you just publish your public key in your GitHub or GitLab repo?

Or where is your pub key available?


#7

After doing a few more searches on this, I found out that it is possible to let gpg import the key from a public key server. Wikipedia lists a few of these.
I don’t exactly recall how I managed this, but it involved searching for the key, importing it and verifying the signatures of the imported key.

hth


#8

gpg --verify FDroid.apk.asc FDroid.apk
says:
... gpg: using RSA key 7A029E54DD5DCE7A ...
so then, I did:
gpg --keyserver pgp.mit.edu --recv-key 7A029E54DD5DCE7A
and then:
gpg --verify FDroid.apk.asc FDroid.apk
says:
...
gpg: using RSA key 7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
...

I guess this is still as secure as sha256sum (without a trusted GPG key).
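The procedure from posts #2 and #8, put together as one script, as an added example that is not part of the thread and not F-Droid's own tooling. The point it adds is the step post #2 asks for and post #8 skips: "Good signature ... [unknown]" only proves that some key signed the file, so the script pins the primary key fingerprint published on the wiki page linked above (37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89) and fails unless gpg's machine-readable VALIDSIG status line names exactly that key. It also fetches the key by its full fingerprint rather than the 8-hex-digit short ID, since short IDs can be collided. The `[GNUPG:]` status lines used for the offline check are constructed samples, not captured output; the keyserver, if your default one lacks the key, is your choice (post #8 used pgp.mit.edu).

```bash
#!/usr/bin/env bash
# Added example: verify an F-Droid APK's detached GPG signature and pin the
# signing key's primary fingerprint. Not F-Droid's own script.
set -e

# Primary key fingerprint of the F-Droid release key, as printed in post #2 and
# published on the Release_Channels_and_Signing_Keys wiki page (spaces removed).
EXPECTED_FPR="37D2C98789D8311948394E3E41E7044E1DBA2E89"

# Read gpg --status-fd output on stdin and print the primary key fingerprint
# from the VALIDSIG line (its last field). Prints nothing if there is no
# valid signature at all.
primary_fpr_from_status() {
    awk '$2 == "VALIDSIG" { print $NF; exit }'
}

# $1 = gpg status text, $2 = pinned fingerprint. Succeeds only when the
# signature is cryptographically valid AND made by the pinned primary key
# (or one of its subkeys, which is the normal case for F-Droid).
check_status() {
    local fpr
    fpr=$(printf '%s\n' "$1" | primary_fpr_from_status)
    [ -n "$fpr" ] && [ "$fpr" = "$2" ]
}

# $1 = APK, $2 = detached signature (.asc). Fetches the key by full
# fingerprint, then verifies and pins. Requires network for the key fetch.
verify_apk() {
    local status
    # Add --keyserver <host> here if your default keyserver lacks the key.
    gpg --recv-keys "$EXPECTED_FPR" >/dev/null 2>&1 || true
    # --status-fd 1 gives stable machine-readable lines; human text goes to stderr.
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    if check_status "$status" "$EXPECTED_FPR"; then
        echo "OK: $1 is signed by F-Droid key $EXPECTED_FPR"
    else
        echo "FAIL: $1 has no valid signature from the pinned F-Droid key" >&2
        return 1
    fi
}

# Constructed sample status output (not a real capture): a good signature made
# with the DD5DCE7A subkey whose primary key is the pinned one.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7A029E54DD5DCE7A F-Droid <admin@f-droid.org>
[GNUPG:] VALIDSIG 802A9799016112346E1FEFF47A029E54DD5DCE7A 2017-05-14 1494737281 0 4 0 1 10 00 37D2C98789D8311948394E3E41E7044E1DBA2E89
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample: a valid signature, but from some other key. gpg would
# still print "Good signature" for this; the pin is what rejects it.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <x@example.invalid>
[GNUPG:] VALIDSIG 00000000000000000000000000000000DEADBEEF 2017-05-14 1494737281 0 4 0 1 10 00 00000000000000000000000000000000DEADBEEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample: tampered file, signature does not match.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 7A029E54DD5DCE7A F-Droid <admin@f-droid.org>'

# Usage: ./verify_fdroid.sh org.fdroid.fdroid_103150.apk org.fdroid.fdroid_103150.apk.asc
if [ $# -eq 2 ]; then
    verify_apk "$1" "$2"
fi
```

Run it with the APK and its `.asc` as the two arguments. The fingerprint pin replaces the trust-database warning from post #8: instead of asking gpg whether it trusts the key, you state which key you expect, so the result is stronger than an unpinned "Good signature" and at least as strong as comparing a published sha256sum, with the advantage that the fingerprint stays the same across releases.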