I think you just can hash both files and that’s all, right? Hash Droid
org.telegram.messenger_22065.apk / SHA256: B0FD1D299F580D2319BD181048C3C2F3F6EF6135FEADD582252828C68DE654E1
Anyway, public key is here: F-Droid's PGP key has expired - #4 by hans
(Or search in keyservers) ID: 41E7 044E 1DBA 2E89
Fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
It should not be called repo.apk I think, maybe you should try with another browser.