I was referring to getting the private key from available public information.
Again, I don’t think we’re using the same language, so I’ll just add a couple of comments on the procedure “To confirm that the 1DBA2E89 admin@f-droid.org PGP key is trusted by the index JAR signing key that is built into the F-Droid client app, run these commands:” on the Release Channels and Signing Keys page.

- openjdk-8-jdk-headless is getting old. Substituting openjdk-11-jdk-headless (bullseye/testing) worked.
- GitLab doesn’t play well with Tor, so
  torify git clone https://gitlab.com/fdroid/fdroidclient
  gave a 403 error (not entirely F-Droid’s fault, aside from using someone else’s blocky GitLab).
  git clone ...
  worked.
- All 3 instances of
  keytool -import ...
  gave warnings: “The input uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.” This is a long-known (2019 at least) issue: F-Droid apk signing key (SHA1) is vulnerable to SHAttered attack. So yes, some improvements are needed. I note some signatures reported by the Apps Package Info app are SHA256withRSA, IIUC.
- The step
  wget -O - https://f-droid.org/docs/Release_Channels_and_Signing_Keys/ | openssl x509 -inform pem -outform der -out docs.der
  failed with “Cannot write to ‘-’ (Broken pipe).” Saving it as index.html, then cat index.html | openssl… worked.
- Bottom line: 3 “jar verified.”