I am trying to install the F-Droid app on my Android device.
I have downloaded the apk and the PGP signature from the F-Droid start page and followed the steps detailed here: SHA256 checksum of FDroid.apk
When I verify the apk file against the PGP signature, I get:
gpg --verify FDroid.apk.asc FDroid.apk
gpg: Signature made Fri 10 Aug 2018 08:53:03 PM CEST
gpg: using RSA key 7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
Subkey fingerprint: 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D CE7A
The signature seems to be valid and its fingerprints match the values written on this page:
However, when I try to check the shasum, I get the following:
shasum -a 256 'FDroid.apk'
a8f7d9a92f79b7579a77f1163028f9e131fe3b2e4471512e39b5e335be7baf26
This latter value does not match any of the shasum values posted on the last-mentioned link (Release Channels and Signing Keys). Either I do not know how to verify the APK signing key.
Does anyone know how I can finish verifying the integrity of the FDroid.apk that I downloaded, and hence be sure that it has not been tampered with?
Thanks for your answer. Yeah, that was the same link from where I downloaded the apk. Glad to hear that I have the correct shasum value.
Regarding the “Release Channels and Signing Keys” site,
I think you are right; I think I might have got confused with the signing key sha256sum (43:23:8D:51:2C:1E:5E:B2:D6:56:9F:4A:3A:FB:F5:52:34:18:B8:2E:0A:3E:D1:55:27:70:AB:B9:A9:C9:CC:AB).
Do you think I can safely proceed to install the apk on my Android device? I tried to verify the signing key (37D2C98789D8311948394E3E41E7044E1DBA2E89?), however I really do not know how to do that. I think it is explained in this part of the “Release Channels and Signing Keys” web page:
sudo apt-get install wget vim-common unzip openjdk-8-jdk-headless
wget https://f-droid.org/assets/admin@f-droid.org.jar
# verify against the key embedded in fdroidclient
git clone https://gitlab.com/fdroid/fdroidclient
grep -m1 -Eo '3082035e[0-9a-f]+' fdroidclient/app/src/main/res/values/default_repos.xml | xxd -r -p - > fdroidclient.der
keytool -import -noprompt -trustcacerts -alias fdroidclient -storepass android -file fdroidclient.der -keystore fdroidclient.jks
jarsigner -keystore fdroidclient.jks -storepass android -strict -verify admin@f-droid.org.jar
# verify against the key that signed the index.jar
wget https://f-droid.org/repo/index.jar
unzip -p index.jar META-INF/CIARANG.RSA | openssl pkcs7 -print_certs -inform DER -out index.cer
keytool -import -noprompt -trustcacerts -alias index -storepass android -file index.cer -keystore index.jks
jarsigner -keystore index.jks -storepass android -strict -verify admin@f-droid.org.jar
# verify against the key that is embedded in this page
wget -O - https://f-droid.org/docs/Release_Channels_and_Signing_Keys/ | openssl x509 -inform pem -outform der -out docs.der
keytool -import -noprompt -trustcacerts -alias docs -storepass android -file docs.der -keystore docs.jks
jarsigner -keystore docs.jks -storepass android -strict -verify admin@f-droid.org.jar
# when satisfied with the verification, import it
unzip admin@f-droid.org.jar admin@f-droid.org.asc
gpg --import admin@f-droid.org.asc
Sadly, I do not have a great background in computer technical matters, so everything there looks a bit confusing to me.
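Added example, not from the F-Droid documentation and not the poster's commands: a POSIX shell script that keeps apart the two checks this thread mixes up, the SHA-256 of the APK file itself versus the SHA-256 fingerprint of the certificate that signed the APK (the colon-separated value). It assumes sha256sum or shasum, unzip and openssl are installed, and that the expected values are passed in from the published page rather than hard-coded.

```shell
#!/bin/sh
# Added example (not the F-Droid project's code). Two independent checks:
#  1) the file checksum of the APK against the published APK sha256
#  2) the signer certificate inside the APK against the published key fingerprint

# Normalise a digest or fingerprint: strip colons/spaces, lower-case hex.
norm_hex() {
  printf '%s' "$1" | tr -d ': ' | tr 'A-Z' 'a-z'
}

# SHA-256 of a file as bare lower-case hex (sha256sum on Linux, shasum on macOS).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Check 1: $1 = apk path, $2 = expected digest (any case, colons allowed).
check_apk_sha256() {
  [ "$(file_sha256 "$1")" = "$(norm_hex "$2")" ]
}

# Check 2: extract the first META-INF/*.RSA PKCS#7 block (F-Droid uses RSA,
# e.g. CIARANG.RSA), take its certificate and print its SHA-256 fingerprint.
apk_signer_fingerprint() {
  sig=$(unzip -Z1 "$1" 'META-INF/*.RSA' 2>/dev/null | head -n1)
  [ -n "$sig" ] || return 1
  unzip -p "$1" "$sig" \
    | openssl pkcs7 -inform DER -print_certs \
    | openssl x509 -noout -fingerprint -sha256 \
    | sed 's/^.*=//' | tr -d ':' | tr 'A-Z' 'a-z'
}

# $1 = apk path, $2 = expected signer fingerprint (the colon-separated value).
check_apk_signer() {
  [ "$(apk_signer_fingerprint "$1")" = "$(norm_hex "$2")" ]
}

# verify_apk FDroid.apk <published apk sha256> <published signer sha256>
verify_apk() {
  check_apk_sha256 "$1" "$2" || { echo "APK checksum mismatch" >&2; return 1; }
  check_apk_signer "$1" "$3" || { echo "signer certificate mismatch" >&2; return 1; }
  echo "OK: file checksum and signer certificate both match"
}
```

A mismatch in check 1 means the download is not the published file; a mismatch in check 2 means a different key signed it, and neither check replaces the other.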