Where is the PGP Signature Verification App?

What? Are you seriously telling me it does not occur to you how easily the accuracy of such a script can be verified by comparing its results to other similar web resources and offline apps? As for that particular one, it was just an example.

$ gpg --verify org.fdroid.fdroid_1013050.apk.asc org.fdroid.fdroid_1013050.apk

gpg: Signature made Fri 09 Jul 2021 12:08:47 PM EDT
gpg:                using RSA key 802A9799016112346E1FEFF47A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A

Seems OK, but would seem better if “trusted” after confirming ownership and trusts over beers in a pub…

OTOH,

$ apksigner verify --verbose org.fdroid.fdroid_1013050.apk

Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1
WARNING: META-INF/androidx.activity_activity.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.annotation_annotation-experimental.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.appcompat_appcompat-resources.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.appcompat_appcompat.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.arch.core_core-runtime.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
<snip>

starts out good, but the many Warnings cause some concern. Can someone explain why the Warnings are OK?

PS. apksigner may be a g66gle tool, but maybe can be trusted because it also is available from Debian. :grin:

Compared to other APK sites, F-Droid has one of the best security systems.
Termux is a good app. The only downside is that it no longer supports Android 5 and 6.
You can also verify Termux with gnupg after installation, of course. Or with a computer or laptop before installation.

No it does not. The f-droid security model is total horse shit. There is no proper way for the public to verify the apps they download are legit, and even those who know to install linux terminals and use the required command line instructions cannot even prove the f-droid signing key is even the f-droid signing key, and on top of that there is a whole bunch of warnings that the packages were not even properly signed to begin with and therefore modifications to them cannot be detected.

Come on
Keep arguing

Which app store(s) do you feel has better security than F-Droid?

This not too old issue may show the level of concern you should expect from F-Droid developers, particularly given the way you are posing your questions and complaints:

Maybe @hans would at least give you credit for being concerned or interested…

This also not too old post should point you to some useful reading materials.

FYI, the ClassyShark3xodus app, available in F-Droid, shows md5 and sha2x checksums and signature info for installed APKs.

IANAD, but the warnings look to be common, unimportant, and with an available packaging solution:

Apksigner verify warnings · Issue #1569 · nextcloud/android · GitHub , Remove warnings by excluding kotlin_module · Issue #268 · DroidKaigi/conference-app-2019 · GitHub , Change to use debug keystore stored in repository by matsujun · Pull Request #264 · DroidKaigi/conference-app-2019 · GitHub , Remove some warnings(Not all) by OldBigBuddha · Pull Request #641 · DroidKaigi/conference-app-2019 · GitHub

Yes, but…

I had no luck with F-Droid.apk, unfortunately, and I see your screenshot was for something else.

  • The admin at f-droid dot org public key was saved in OpenKeyChain, after adding the ubuntu key server.
  • F-Droid.apk was downloaded.
  • Decrypt/Verify was opened.
  • F-Droid.apk was selected.

Result:

X Encountered an error reading input data
Processing input data
\ Attempting to process OpenPGP data
\ Encountered an error reading input data!

  • Downloaded F-Droid.apk again. Same result.

I had no luck with F-Droid.apk

Huh.
That is actually disappointing.
@raven9 you were correct in that one regard and I apologize.


No need to apologize. I did some more digging. I found this old Guardian Project app still works: Checkey: info on local apps - Guardian Project
Use that app to select the installed f-droid app. It says it is signed by Ciaran, the f-droid founder. Now if you use the menu dialogue to select the signing key, it loads the signing key’s SHA1 fingerprint into a search box, which is good because that fingerprint is what we need to verify it really is signed by Ciaran’s cert, because that info is also here: Release Channels and Signing Keys | F-Droid - Free and Open Source Android App Repository

So checkey reports Ciaran’s signing key SHA1 fingerprint is:
05F2E65928088981B317FC9A6DBFE04B0FA13B4E

f-droid site says it should be:
05:F2:E6:59:28:08:89:81:B3:17:FC:9A:6D:BF:E0:4B:0F:A1:3B:4E

So they are the same which I guess is good. Unfortunately what does not look so good is the hosted apps are not also signed by that key, in fact although checkey reports they were all signed by f-droid I have yet to find two that were even signed by the same signing key.

Here are a few I checked, together with their signing key fingerprints:

Simple Mobile Tools - Notes
3497FCD30C3AF1EFCCF9A7C00442096B89F5CA5B

Simple Mobile Tools - File Manager Pro
E9F4B92CE262D87C0E1CD77DC8F6AF5A4022AC7F

Simple Mobile Tools - Gallery Pro
3A49F04CF77C7AEBA9A403DDF94146C2DAE4BEED

OpenKeyChain
15C13AAB38E8D48BC759BBFF7A3A3A3E425AB6AA

Just Player
C2A55E62E6F9FC10BD16F16178EA7B1DCDC17F82

So how many signing keys are being used to sign the f-droid builds and how do we establish if they are even valid f-droid keys? Anyone can make a signing key called f-droid. Are these keys subkeys of Ciaran’s cert?


Every single app in F-Droid gets its own unique signing key as far as I am aware.
F-Droid has signatures to verify repositories, and repositories have signatures that verify their apps.

F-Droid thereby does a very good job at ensuring you install what was compiled by F-Droid and wasn’t tampered with by a third party along the way.

As long as you verify F-Droid itself and thoroughly verify any additional repositories you might add there is in theory no issue.


Keys and certificate or signature hashes or fingerprints are being confused here, I believe.

You get to have and hash a public key. You get to have and hash an app package and its associated certificate or signature. You don’t get to have or hash the private key used to make the signature or certificate. Not sure if you even get to see hashes of that key. Only GCHQ or NSA and friends have the computer power…supposedly.

For even more fun info, try the apps_Packages Info app: apps_Packages Info - Updated ApplicationsInfos (² | F-Droid - Free and Open Source Android App Repository

Look under the Signatures tab for each app. It has the advantage of being 1 versus 5 years old, and no network permission or 3rd party site access, or confusion from what apps have been submitted.

Certificate or Signature hashes for different apps can be expected to be different.

For me, all results indicate the signing keys for apps from F-Droid are all the same, and from Guardian are all the same.

@SkewedZeppelin From the DivestOS repo there are some "Unknown"s listed. GmapsWV, Mull, as examples. System or default apps look better.

@justsomeguy: No, they are the cert fingerprints. If you look under the Signatures tab in the ApplicationsInfo app you mentioned for f-droid you will see the following:

CN=Ciaran Gultnieks,OU=Unknown,O=Unknown,L=Wetherby,ST=Unknown,C=UK

Certificate fingerprints:
md5: 17c55c628056e193e95644e989792786
sha1: 05f2e65928088981b317fc9a6dbfe04b0fa13b4e
sha256: 43238d512c1e5eb2d6569f4a3afbf5523418b82e0a3ed1552770abb9a9c9ccab

The SHA1 fingerprint matches the one on this page Release Channels and Signing Keys | F-Droid - Free and Open Source Android App Repository

The fingerprints are hashes of the actual certificate; you can calculate the f-droid cert fingerprint yourself using this tool: SAML X.509 Certificate Fingerprint - Online SHA1 Decoder | SAMLTool.com You can see it doesn’t take the NSA to calculate a hash of a cert. It takes a split second and it calculates that same SHA1 fingerprint.

Aside from that I can’t imagine what you are doing if you are looking at the info in that app and believing the f-droid hosted apps are all signed with the same certificate. They obviously are not.

Download ClassyShark and Exodus ClassyShark3xodus - Scan apps for warnings | F-Droid - Free and Open Source Android App Repository
and use it to scan F-Droid.
It would be useful to get F-Droid founder in this thread or at least the forum creator.
@hans @Licaon_Kter
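Added example, not from this thread or the F-Droid project: the check raven9 describes above, computing the fingerprint of an APK's signing certificate yourself and comparing it with a published value (which covers the bare-hex versus colon-separated forms compared earlier in the thread). It assumes unzip and openssl are installed and that the APK carries a JAR (v1) signature block under META-INF/*.RSA, as the F-Droid client APK does; the function names are mine.

```shell
#!/bin/sh
# Added example (not the forum's or F-Droid's code).
# Assumes: unzip and openssl on PATH; APK signed with a v1 (JAR) RSA block.

# Normalise a fingerprint so "05:F2:E6:..." and "05f2e6..." compare equal:
# drop colons/spaces, upper-case the hex.
norm_fp() {
  printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# Print the fingerprint of the first signing certificate in an APK.
#   $1 = path to the APK, $2 = digest name: sha1 or sha256
# The fingerprint is a hash of the DER-encoded certificate itself; it is
# independent of the signature algorithm (e.g. SHA1withRSA) used inside it.
apk_cert_fp() {
  unzip -p "$1" 'META-INF/*.RSA' \
    | openssl pkcs7 -inform DER -print_certs \
    | openssl x509 -noout -fingerprint "-$2" \
    | sed 's/^.*=//'
}

# Return 0 when two fingerprints are the same value, whatever the formatting.
fp_matches() {
  [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# Usage (only runs when an APK path is given on the command line):
#   sh verify_fp.sh F-Droid.apk 05:F2:E6:59:28:08:89:81:B3:17:FC:9A:6D:BF:E0:4B:0F:A1:3B:4E
# Each F-Droid-built app has its own certificate, so compare against the
# fingerprint published for that specific app, not against the client's.
if [ "$#" -eq 2 ]; then
  actual=$(apk_cert_fp "$1" sha1)
  if fp_matches "$actual" "$2"; then
    echo "MATCH: $actual"
  else
    echo "MISMATCH: APK has $actual, expected $2" >&2
    exit 1
  fi
fi
```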

I was referring to getting the private key from available public information.

Again, I don’t think we’re using the same language, so I’ll just add a couple comments on the procedure “To confirm that the 1DBA2E89 admin@f-droid.org PGP key is trusted by the index JAR signing key that is built into the F-Droid client app, run these commands:” on the Release Channels and Signing Keys page.

  • openjdk-8-jdk-headless is getting old. Substituting openjdk-11-jdk-headless (bullseye/testing) worked.
  • Gitlab doesn’t play well with Tor, so
    torify git clone https://gitlab.com/fdroid/fdroidclient gave a 403 error (not entirely f-droid’s fault, aside from using someone else’s blocky Gitlab). git clone... worked.
  • All 3 instances of keytool -import ... gave warnings: “The input uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.” This is a long-known (2019 at least) issue: F-Droid apk signing key (SHA1) is vulnerable to SHAttered attack. So yes, some improvements are needed. I note some signatures reported by the Apps Package Info app are SHA256withRSA, IIUC.
  • The step wget -O - https://f-droid.org/docs/Release_Channels_and_Signing_Keys/ | openssl x509 -inform pem -outform der -out docs.der failed with “Cannot write to ‘-’ (Broken pipe).” Saving it as index.html, then cat index.html | openssl… worked.
  • Bottom line: 3 “jar verified.”

“was referring to getting the private key from available public information. Again, I don’t think we’re using the same language,”

We are using the same language but you seem not to understand the fingerprint has nothing to do with the private key. The fingerprint is simply a hash of the cert.

@raven9 You are referring to the checksum. Checksums are a way to ensure a file was not corrupted upon download and that your local file is the same as the online file. Changing any part of the code of the file changes the hash, so of course there is going to be a different hash for each program. PGP certificates are different and different apps can share the same key if they were signed with the same key. F-Droid claims to have all apps signed with their key, but they did not claim that all apps had the same hash, as that would require all apps to be exactly the same.
EDIT: Forgot to say how to verify PGP. In order to do that, you have to download F-Droid’s key here and then use that to verify each apk file in OpenKeyChain.
UPDATE: I just tried to verify both with OpenKeyChain and with Kleopatra on my PC and couldn’t do so. The release channels and signing page does not appear to provide an actual key to use, as copying and pasting the key doesn’t work (BER error).

That link goes to the “PGP Signature” for the F-Droid apk, not to F-Droid’s public key. You have to retrieve the public key from somewhere like Ubuntu’s key server, or a post somewhere if you can find one.

@ziproot No. I am referring to the fingerprint. The problem seems to be that none of you understand the fingerprint is a hash of the cert. I suggest you read this page Release Channels and Signing Keys | F-Droid - Free and Open Source Android App Repository

There you will see the cert and the fingerprints.

Are you now aware F-Droid app itself does some signature verification, so your original premise is false?