I am trying to find a way to verify apk files I download from F-Droid. I see there is a PGP signature provided with each apk, but I don't know how to use it for apk verification. I've read a couple of old threads here on the forum regarding verification, or actually the lack of a straightforward way to do it.
Is it still the case? Decrypting an F-Droid apk in OpenKeychain results in a crash. The log refers to issues with the apk or its encryption. Same failure with the SimpleX app.
Got a sha256 mismatch on some important non-Android app earlier today and decided to verify all the apps I am using.
In agreement with @waino, the original poster: "I see there is a PGP signature provided with each apk." Presumably this is the strong contributing factor to the statement in each APK download section: "It is built and signed by F-Droid, and guaranteed to correspond to this source tarball." I can't figure out how to check the PGP signature. The key for the F-Droid.apk does not verify another APK. What key is used to check another APK? I tried using the same key used to verify the F-Droid APK to verify the individual APKs which you download using the F-Droid APK. As the original poster has said, each of those does have a PGP signature, but they do not verify, so the question is presumably: what PGP keys are used to sign every individual app? I would suppose it is a key from the buildserver which builds it and automatically signs it during the build process.
It seems that this has wrongly been marked solved, hence my finding is that the original poster's first paragraph is the same question I have: how do you verify the individual APKs downloaded? It is as yet unsolved. I attempted to use the same signing key used to verify the F-Droid app and it does not check out. Therefore, if this was marked solved in the past, @m999's post would suggest that the answer which was marked solved by @Licoan_kter did indeed use the same PGP signing key that the F-Droid APK was signed with; however, my findings now indicate that it does not, because it does not check out.
In regard to this statement by F-Droid: "It is built and signed by F-Droid, and guaranteed to correspond to this source tarball." I see there is a PGP signature provided with each apk; presumably this is a signature of the APK as signed data, signed by the build server. Where can I get the PGP public key the buildserver uses to sign built APKs?
I'd rather not have my post hidden under a thread marked as solved. @m999 I did check the apk with the main F-Droid key; it works for checking the F-Droid.apk but not another app. Do you have any example of a known good .pgp signature of a recently updated app?
@Licaon_Kter I just checked on what was probably hash mismatching and it seems to check out. KeePassDX I have had problems with before, making me lose passwords. Pretty important app; you would guess it is a target. They may have already derailed me: I was getting hash mismatches on first install and you can't really see what F-Droid is doing. This may be like the secondary root of trust that now checks out. When did F-Droid last reissue its PGP key? Sort of like fakeGoogle, where gstatic.com JavaScript takes your password and relays it to realGoogle (secondary root of trust).
I usually just compare the SHA-256 hash with the one provided on the release page if I want to be extra sure. It sounds a bit technical at first, but once you do it a couple of times it’s actually pretty quick and reassuring.
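The two checks discussed in this thread, the SHA-256 comparison from the post above and the detached PGP signature from the earlier posts, as an added example script that is not part of the thread or of F-Droid's own tooling. It assumes the expected digest is copied from the release page and that whatever public key the signature was made with has already been imported into the local gpg keyring (the thread leaves open which key that is); if gpg is missing the signature step fails closed rather than silently passing.

```shell
#!/bin/sh
# Added example: verify a downloaded APK by (1) its SHA-256 digest and
# (2) its detached PGP signature (the .asc file next to the APK), if given.
# Assumption: the signer's public key is already in the local gpg keyring.

# sha256_of FILE -> prints the hex digest (coreutils or macOS fallback)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 on match, 1 on mismatch
verify_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # tolerate upper-case hex
    if [ "$actual" = "$expected" ]; then
        echo "sha256 OK        $1"
        return 0
    fi
    echo "sha256 MISMATCH  $1" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# verify_pgp FILE SIGFILE -> gpg's exit status; 2 if gpg is not installed
verify_pgp() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not found; cannot verify $2" >&2
        return 2
    fi
    gpg --verify "$2" "$1"
}

# verify_apk FILE EXPECTED_HEX [SIGFILE] -> 0 only if every requested check passes
verify_apk() {
    verify_sha256 "$1" "$2" || return 1
    if [ -n "$3" ]; then
        verify_pgp "$1" "$3" || return 1
    fi
    return 0
}
```

Run it as `verify_apk app.apk <digest-from-release-page> app.apk.asc`; a good PGP signature only proves the APK was signed by whichever key you imported, so check that key's fingerprint out of band before trusting the result.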