It looks like the F-Droid signing key is not reachable from the strong set of the network of trust (i.e. there is no valid path of signatures from the largest connected component of the network of trust to the F-Droid key), so I am having a hard time establishing trust in the key.
What other sources/proofs (other than the F-Droid documentation) are there which could be used to establish trust to the F-Droid signing key?
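The reachability question raised above (is there a chain of valid signatures from the strong set to a given key?) is a plain graph problem. The following is an added example, not code from the thread or from the F-Droid project: it builds a small, constructed signature graph with made-up placeholder fingerprints, computes the strong set as the largest strongly connected component (Kosaraju's algorithm), and then searches for a trust path from that set to a target key. In real use the edge set would have to be restricted to signatures that are still valid (not expired, not revoked) before running the search.

```python
"""Toy web-of-trust reachability check (constructed data, not real F-Droid keys)."""
from collections import deque
from typing import Dict, List, Optional, Set

# Directed signature graph: signer fingerprint -> fingerprints that signer has signed.
# All fingerprints below are constructed placeholders.
SIGNATURES: Dict[str, Set[str]] = {
    "KEY_A": {"KEY_B", "KEY_C"},
    "KEY_B": {"KEY_A", "KEY_C"},
    "KEY_C": {"KEY_A", "KEY_B", "KEY_D"},   # C is the only bridge out of the core
    "KEY_D": {"KEY_E"},                     # D has signed E but nobody has signed D back
    "KEY_E": set(),
    "KEY_F": {"KEY_G"},                     # F and G certify each other but are isolated
    "KEY_G": {"KEY_F"},
}


def strongly_connected_components(graph: Dict[str, Set[str]]) -> List[Set[str]]:
    """Kosaraju's algorithm: two depth-first passes, the second on the reversed graph."""
    nodes = set(graph) | {t for targets in graph.values() for t in targets}
    order: List[str] = []
    seen: Set[str] = set()

    def visit(n: str) -> None:
        seen.add(n)
        for m in sorted(graph.get(n, ())):
            if m not in seen:
                visit(m)
        order.append(n)  # post-order: appended after all descendants

    for n in sorted(nodes):
        if n not in seen:
            visit(n)

    reverse: Dict[str, Set[str]] = {n: set() for n in nodes}
    for signer, targets in graph.items():
        for t in targets:
            reverse[t].add(signer)

    components: List[Set[str]] = []
    assigned: Set[str] = set()

    def collect(n: str, comp: Set[str]) -> None:
        assigned.add(n)
        comp.add(n)
        for m in sorted(reverse[n]):
            if m not in assigned:
                collect(m, comp)

    for n in reversed(order):
        if n not in assigned:
            comp: Set[str] = set()
            collect(n, comp)
            components.append(comp)
    return components


def strong_set(graph: Dict[str, Set[str]]) -> Set[str]:
    """The strong set is the largest strongly connected component of the signature graph."""
    return max(strongly_connected_components(graph), key=len)


def trust_path(graph: Dict[str, Set[str]], sources: Set[str], target: str) -> Optional[List[str]]:
    """Multi-source BFS: shortest signature chain from any trusted key to target, or None."""
    parent: Dict[str, Optional[str]] = {s: None for s in sources}
    queue = deque(sorted(sources))
    while queue:
        current = queue.popleft()
        if current == target:
            path = [current]
            while parent[path[-1]] is not None:
                path.append(parent[path[-1]])  # type: ignore[arg-type]
            return list(reversed(path))
        for signed in sorted(graph.get(current, ())):
            if signed not in parent:
                parent[signed] = current
                queue.append(signed)
    return None


def check_key(target: str) -> Optional[List[str]]:
    """Return the signature chain from the strong set to target, or None if unreachable."""
    return trust_path(SIGNATURES, strong_set(SIGNATURES), target)


if __name__ == "__main__":
    print("strong set:", sorted(strong_set(SIGNATURES)))
    for key in ("KEY_E", "KEY_G"):
        print(key, "->", check_key(key))
```

With the constructed graph, KEY_E is reachable through KEY_C and KEY_D, while KEY_G is certified only by KEY_F and so has no path from the strong set at all, which is the situation the original post describes.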
Pinging @Ciaran as he maintains the repo.
I like the idea of building a web of trust around F-Droid's repo key.
@hans Yet another great incentive to pursue your idea about a developer summit. Could be a great chance for key signing with Ciaran.
It would be nice to have. I’m assuming this is about the PGP signing key. That key is only a minor, optional part of the security model of F-Droid. The index signing key is what fdroidclient depends on to ensure the contents are unchanged. That’s been built into F-Droid client since early 2011: https://gitlab.com/fdroid/fdroidclient/commit/e12ecbdb082338b01de261631aad20e99504d1b4
Thanks for the replies and your efforts to improve the security of F-Droid. However, I get the impression that you are talking of using PGP keys for F-Droid repositories, whereas my concern is the F-Droid client itself.
As long as the PGP key which is used to sign the F-Droid APK is not reachable from a key I trust and its fingerprint is not validated by other sources (e.g. blogs of developers, slides in public talks etc.), the only source of trust to the F-Droid APK is the F-Droid website, so PGP does not add any extra security to the existing HTTPS infrastructure. (And I personally find extra checks like PGP signatures important because though unlikely, the web server which serves the APK or the certificate authority who provides the SSL certificates might be compromised.)
Yes, it's true that the PGP signature would be useful to verify the initial download.
Another way to do that would be to try reproducing the F-Droid app build using