Greetings F-Droid users, I’m finally de-Googling myself and looking forward to getting my mobile setup nicely with F-Droid. Also trying to do things properly and verify hashes before installing anything. Not much of a software guru though, so hoping for a bit of help with what’s hopefully and easy question:
After downloading the .apk from the main F-Droid site, where do I find the sha256 hash to check against?
I downloaded the .apk from the main F-Droid site, but when doing an “sha256sum FDroid.apk”, It doesn’t match any hashes on this page:
Is this the correct location or am I looking in the wrong places/missing something obvious?
The location is ocrrect, but thats not a sah256 sum for the apk. We
use gpg sigantures. Unfortunately I currently dont know which version
is available from the mainpage, but in general you can do this:
gpg: assuming signed data in `org.fdroid.fdroid_103150.apk'
gpg: Signature made So 14 Mai 2017 06:48:01 CEST using RSA key ID
DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>"
Primary key fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA
2E89
Subkey fingerprint: 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D
CE7A
Thanks for the speedy reply! That makes sense, will try it out later today. And also try and learna bit more about GPG, still getting used to verification/key signing processes etc.
Thanks again.
Edit: Ok, so I grabbed the files and performed:
gpg --verify org.fdroid.fdroid_103150.apk.asc
First couple of lines were the same as you posted but I got error:
gpg: Can’t check signature: public key not found
instead of “Good signature”.
So I need the F-Droid public key, which is the top part of the “here is the whole certificate” section on the wiki page you linked, correct?
I’ve saved both just the key and the whole certificate as .txt and .gpg files then done:
gpg --import f-droid.txt
giving:
gpg: no valid OpenPGP data found.
Also, I’ve tried doing this to import the .asc file but get the same error.
Which bit am I misinterpreting this time? Sorry if these are basic problems for most around here.
i have exactly the same problem as wodnar (gpg: no valid OpenPGP data found.)
and would be glad, if someone could explain how we can import the required key.
after doing a few more searches on this, i found out, that it is possible to let gpg import the key from a public key server. wikipedia lists a few of these.
i don’t exactly recall how i managed this, but it involved searching for the key, importing it and verifying its signatures of the imported key.
gpg --verify FDroid.apk.asc FDroid.apk
says: ... gpg: using RSA key 7A029E54DD5DCE7A ...
so then, I did: gpg --keyserver pgp.mit.edu --recv-key 7A029E54DD5DCE7A
and then: gpg --verify FDroid.apk.asc FDroid.apk
says: ... gpg: using RSA key 7A029E54DD5DCE7A gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. ...
I guess this is still as secure as sha256sum (without a trusted GPG key).
Sorry if these are basic problems for most around here.