Where is the PGP Signature Verification App?

I had no luck with F-Droid.apk

Huh.
That is actually disappointing.
@raven9 you were correct in that one regard and I apologize.

1 Like

No need to apologize. I did some more digging. I found this old Guardian Project app still works: Checkey: info on local apps - Guardian Project
Use that app to select the installed f-droid app. It says it is signed by Ciaran, the f-droid founder. Now if you use the menu dialogue to select the signing key, it loads the signing key’s SHA1 fingerprint into a search box, which is good because that fingerprint is what we need to verify it really is signed by Ciaran’s cert, because that info is also here: Release Channels and Signing Keys | F-Droid - Free and Open Source Android App Repository

So checkey reports Ciaran’s signing key SHA1 fingerprint is:
05F2E65928088981B317FC9A6DBFE04B0FA13B4E

f-droid site says it should be:
05:F2:E6:59:28:08:89:81:B3:17:FC:9A:6D:BF:E0:4B:0F:A1:3B:4E

So they are the same, which I guess is good. Unfortunately, what does not look so good is that the hosted apps are not also signed by that key; in fact, although Checkey reports they were all signed by f-droid, I have yet to find two that were even signed by the same signing key.

Here are a few I checked together with their signing key fingerprints

Simple Mobile Tools - Notes
3497FCD30C3AF1EFCCF9A7C00442096B89F5CA5B

Simple Mobile Tools - File Manager Pro
E9F4B92CE262D87C0E1CD77DC8F6AF5A4022AC7F

Simple Mobile Tools - Gallery Pro
3A49F04CF77C7AEBA9A403DDF94146C2DAE4BEED

OpenKeyChain
15C13AAB38E8D48BC759BBFF7A3A3A3E425AB6AA

Just Player
C2A55E62E6F9FC10BD16F16178EA7B1DCDC17F82

So how many signing keys are being used to sign the f-droid builds and how do we establish if they are even valid f-droid keys? Anyone can make a signing key called f-droid. Are these keys subkeys of Ciaran’s cert?

1 Like

Every single app in F-Droid gets its own unique signing key as far as I am aware.
F-Droid has signatures to verify repositories, and repositories have signatures that verify their apps.

F-Droid thereby does a very good job at ensuring you install what was compiled by F-Droid and wasn’t tampered with by a third party along the way.

As long as you verify F-Droid itself and thoroughly verify any additional repositories you might add there is in theory no issue.

1 Like
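The point argued back and forth above (a fingerprint is a hash of the certificate, not of any key; each app has its own signing certificate; the signed repository index is what vouches for each app's signer), as an added Python example. This is my code, not the F-Droid project's and not anything posted in this thread. It normalizes the two fingerprint formats raven9 compared by hand, computes the md5/sha1/sha256 fingerprints of a DER certificate, pulls the signing certificate out of an APK's META-INF/*.RSA (PKCS#7 SignedData) block with a minimal DER walk, and checks an APK's signer against the SHA-256 signer hash a repository index entry would carry. The certificate and APK are constructed placeholders, the `META-INF/CERT.RSA` name is an assumption, and the index-signer check is my description of what the client does, not its code.

```python
# Added example: APK signing-certificate fingerprints (not F-Droid project code).
import hashlib
import hmac
import io
import re
import zipfile


def normalize_fingerprint(fp: str) -> str:
    """'05:F2:E6:...' (f-droid.org style) and '05f2e6...' (Checkey style) are the
    same value; drop separators and case before comparing."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprints_match(a: str, b: str) -> bool:
    return hmac.compare_digest(normalize_fingerprint(a), normalize_fingerprint(b))


def cert_fingerprints(cert_der: bytes) -> dict:
    """The md5/sha1/sha256 'certificate fingerprints' Checkey and apps_Packages Info show.
    Input is the public certificate bytes; no private key is involved anywhere."""
    return {alg: hashlib.new(alg, cert_der).hexdigest() for alg in ("md5", "sha1", "sha256")}


# --- minimal DER handling, enough to locate certificates inside PKCS#7 SignedData ---

def der_encode(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_iter(data: bytes):
    """Yield (tag, whole_tlv, content) for each element in a DER container body.
    Single-byte tags only, which is all the PKCS#7/X.509 containers here use."""
    pos = 0
    while pos < len(data):
        tag, first = data[pos], data[pos + 1]
        hdr = 2
        if first & 0x80:                       # long-form length
            n = first & 0x7F
            length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
            hdr += n
        else:
            length = first
        end = pos + hdr + length
        yield tag, data[pos:end], data[pos + hdr:end]
        pos = end


def pkcs7_certificates(pkcs7: bytes) -> list:
    """Raw X.509 Certificate elements of a CMS/PKCS#7 SignedData blob:
    ContentInfo { OID signedData, [0] { SignedData { ..., [0] certificates, ... } } }."""
    content_info = next(der_iter(pkcs7))[2]
    explicit = [c for t, _, c in der_iter(content_info) if t == 0xA0][0]
    signed_data = next(der_iter(explicit))[2]
    certs = []
    for tag, _, content in der_iter(signed_data):
        if tag == 0xA0:                        # [0] IMPLICIT certificates
            certs.extend(whole for t, whole, _ in der_iter(content) if t == 0x30)
    return certs


def apk_signer_certs(apk) -> list:
    """DER certificates from the v1 (JAR) signature blocks of an APK (path or file object)."""
    certs = []
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                certs.extend(pkcs7_certificates(z.read(name)))
    return certs


def apk_matches_index_signer(apk, index_signer_sha256: str) -> bool:
    """Per-app check (my description of the client's behaviour, not its code): the
    SHA-256 signer hash in the signed repository index must equal the SHA-256
    fingerprint of the certificate that actually signed the APK."""
    return any(fingerprints_match(cert_fingerprints(c)["sha256"], index_signer_sha256)
               for c in apk_signer_certs(apk))


# --- constructed sample input: not a real certificate and not a real APK ---
SAMPLE_CERT_DER = der_encode(0x30, b"placeholder certificate body; a real one is a full X.509 structure")
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def build_sample_apk() -> io.BytesIO:
    """In-memory zip shaped like a v1-signed APK, wrapping SAMPLE_CERT_DER in PKCS#7."""
    signed_data = der_encode(0x30, b"".join([
        der_encode(0x02, b"\x01"),                      # version
        der_encode(0x31, b""),                          # digestAlgorithms (empty here)
        der_encode(0x30, der_encode(0x06, OID_DATA)),   # encapContentInfo
        der_encode(0xA0, SAMPLE_CERT_DER),              # [0] certificates
        der_encode(0x31, b""),                          # signerInfos (empty here)
    ]))
    pkcs7 = der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")  # assumed file name
        z.writestr("META-INF/CERT.RSA", pkcs7)
        z.writestr("classes.dex", b"dex placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    site = "05:F2:E6:59:28:08:89:81:B3:17:FC:9A:6D:BF:E0:4B:0F:A1:3B:4E"   # from f-droid.org
    checkey = "05F2E65928088981B317FC9A6DBFE04B0FA13B4E"                   # from Checkey
    print("F-Droid client cert fingerprints agree:", fingerprints_match(site, checkey))
    fp = cert_fingerprints(SAMPLE_CERT_DER)
    print("sample APK matches index signer:",
          apk_matches_index_signer(build_sample_apk(), fp["sha256"]))
```

Pointing `apk_signer_certs` at a real APK gives the same bytes a tool like Checkey hashes, so the sha1/sha256 values line up with what the Signatures tab shows. Two different apps are expected to yield two different certificates; what has to agree is each app's certificate against the signer hash in the index, and the index against the key built into the client.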

Keys and certificate or signature hashes or fingerprints are being confused here, I believe.

You get to have and hash a public key. You get to have and hash an app package and associated certificate or signature. You don’t get to have or hash the private key used to make the signature or certificate. Not sure if you even get to see hashes of that key. Only GCHQ or NSA and friends have the computer power…supposedly.

For even more fun info, try the apps_Packages Info app: apps_Packages Info - Updated ApplicationsInfos (² | F-Droid - Free and Open Source Android App Repository

Look under the Signatures tab for each app. It has the advantage of being 1 versus 5 years old, and no network permission or 3rd-party site access, or confusion from what apps have been submitted.

Certificate or Signature hashes for different apps can be expected to be different.

For me, all results indicate the signing keys for apps from F-Droid are all the same, and from Guardian are all the same.

@SkewedZeppelin From the DivestOS repo there are some "Unknown"s listed. GmapsWV, Mull, as examples. System or default apps look better.

@justsomeguy: No, they are the cert fingerprints. If you look under the Signatures tab in the ApplicationsInfo app you mentioned, for f-droid you will see the following:

CN=Ciaran Gultnieks,OU=Unknown,O=Unknown,L=Wetherby,ST=Unknown,C=UK

Certificate fingerprints:
md5: 17c55c628056e193e95644e989792786
sha1: 05f2e65928088981b317fc9a6dbfe04b0fa13b4e
sha256: 43238d512c1e5eb2d6569f4a3afbf5523418b82e0a3ed1552770abb9a9c9ccab

The SHA1 fingerprint matches the one on this page Release Channels and Signing Keys | F-Droid - Free and Open Source Android App Repository

The fingerprints are hashes of the actual certificate. You can calculate the f-droid cert fingerprint yourself using this tool: SAML X.509 Certificate Fingerprint - Online SHA1 Decoder | SAMLTool.com. You can see it doesn’t take the NSA to calculate a hash of a cert. It takes a split second and it calculates that same SHA1 fingerprint.

Aside from that I can’t imagine what you are doing if you are looking at the info in that app and believing the f-droid hosted apps are all signed with the same certificate. They obviously are not.

Download ClassyShark and Exodus ClassyShark3xodus - Scan apps for warnings | F-Droid - Free and Open Source Android App Repository
and use it to scan F-Droid.
It would be useful to get F-Droid founder in this thread or at least the forum creator.
@hans @Licaon_Kter

I was referring to getting the private key from available public information.

Again, I don’t think we’re using the same language, so I’ll just add a couple comments on the procedure “To confirm that the 1DBA2E89 admin@f-droid.org PGP key is trusted by the index JAR signing key that is built into the F-Droid client app, run these commands:” on the Release Channels and Signing Keys page.

  • openjdk-8-jdk-headless is getting old. Substituting openjdk-11-jdk-headless (bullseye/testing) worked.
  • Gitlab doesn’t play well with Tor, so
    torify git clone https://gitlab.com/fdroid/fdroidclient gave a 403 error (not entirely f-droid’s fault, aside from using someone else’s blocky Gitlab). git clone... worked.
  • All 3 instances of keytool -import ... gave warnings: “The input uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.” This is a long-known (2019 at least) issue: F-Droid apk signing key (SHA1) is vulnerable to SHAttered attack So yes, some improvements are needed. I note some signatures reported by Apps Package Info app are SHA256withRSA IIUC.
  • The step wget -O - https://f-droid.org/docs/Release_Channels_and_Signing_Keys/ | openssl x509 -inform pem -outform der -out docs.der failed with “Cannot write to ‘-’ (Broken pipe).” Saving it as index.html, then cat index.html | openssl… worked.
  • Bottom line: 3 “jar verified.”

“I was referring to getting the private key from available public information. Again, I don’t think we’re using the same language,”

We are using the same language but you seem not to understand the fingerprint has nothing to do with the private key. The fingerprint is simply a hash of the cert.

@raven9 You are referring to the checksum. Checksums are a way to ensure a file was not corrupted upon download and that your local file is the same as the online file. Changing any part of the code of the file changes the hash, so of course there is going to be a different hash for each program. PGP certificates are different and different apps can share the same key if they were signed with the same key. F-Droid claims to have all apps signed with their key, but they did not claim that all apps had the same hash, as that would require all apps to be exactly the same.
EDIT: Forgot to say how to verify PGP. In order to do that, you have to download F-Droid’s key here and then use that to verify each apk file in OpenKeyChain.
UPDATE: I just tried to verify both with OpenKeyChain and with Kleopatra on my PC and couldn’t do so. The release channels and signing page does not appear to provide an actual key to use, as copying and pasting the key doesn’t work (BER error).

That link goes to the “PGP Signature” for F-Droid apk, not to F-Droid’s public key. You have to retrieve the public key from somewhere like ubuntu’s key server, or a post somewhere if you can find one.

@ziproot No. I am referring to the fingerprint. The problem seems to be that none of you understand the fingerprint is a hash of the cert. I suggest you read this page Release Channels and Signing Keys | F-Droid - Free and Open Source Android App Repository

There you will see the cert and the fingerprints.

Are you now aware F-Droid app itself does some signature verification, so your original premise is false?

Agree. Like it or not :wink:: the human factor will remain the weakest link, ever. In whose ear will you whisper the master password of your key vault once you’re on your death bed?
Ever believed the world and those who are on it are a trustworthy place? Wake up and make the best of it —and of encryption as well.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

I’ve downloaded the latest APK file for F-Droid along with its respective ASC file. If I try typing

gpg --verify org.fdroid.fdroid_1016052.apk.asc org.fdroid.fdroid_1016051.apk

it gives me these results:

gpg: Signature made Wed 29 Mar 2023 03:55:29 AM MDT
gpg:                using RSA key 802A9799016112346E1FEFF47A029E54DD5DCE7A
gpg: Can't check signature: No public key

How am I supposed to get this public key? There isn’t an obvious place anywhere on the website to find it. It’d be nice if there were some checksums or something I could verify with instead, since that would make things a million times easier.

I’m on EndeavourOS.

EDIT: I found this earlier. Are these instructions the official ones? FAQ · Wiki · F-Droid / wiki · GitLab

1 Like
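To go with the gpg run above, an added Python example (my code, not the F-Droid project's and not posted by anyone in the thread): it refuses a mismatched .asc/.apk pair before calling gpg, runs gpg with --status-fd so the outcome is machine-readable, and accepts the signature only when VALIDSIG reports the exact fingerprint you pinned, not merely when some key in your keyring produced a "Good signature". The pinned fingerprint is the key the gpg output above names and must be confirmed against what F-Droid publishes before you rely on it; the status lines in the block are constructed to resemble that run, not captured from it, and the signer's user ID in them is a placeholder.

```python
# Added example: pinned verification of a detached PGP signature on an APK
# (not F-Droid project code).
import hmac
import os
import subprocess

# Key reported by the gpg run in the thread. Obtain it out of band (keyserver, F-Droid
# docs) and check the fingerprint yourself before trusting it.
EXPECTED_KEY_FPR = "802A9799016112346E1FEFF47A029E54DD5DCE7A"


def asc_matches_apk(asc_path: str, apk_path: str) -> bool:
    """A detached .asc only covers the exact file it was made for, so
    org.fdroid.fdroid_1016052.apk.asc can never verify org.fdroid.fdroid_1016051.apk."""
    return os.path.basename(asc_path) == os.path.basename(apk_path) + ".asc"


def parse_gpg_status(status_lines, expected_fpr: str) -> dict:
    """Interpret `gpg --status-fd` lines. GOODSIG alone means 'signed by some key in
    your keyring'; VALIDSIG carries the full fingerprint, which is what gets pinned."""
    want = expected_fpr.replace(" ", "").upper()
    result = {"valid": False, "fingerprint": None, "missing_key": None, "bad_sig": False}
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        kind = fields[1]
        if kind == "NO_PUBKEY":            # the "Can't check signature: No public key" case
            result["missing_key"] = fields[2]
        elif kind == "BADSIG":
            result["bad_sig"] = True
        elif kind == "VALIDSIG":
            result["fingerprint"] = fields[2]
            result["valid"] = hmac.compare_digest(fields[2].upper(), want)
    return result


def verify_apk(apk_path: str, asc_path: str, expected_fpr: str = EXPECTED_KEY_FPR) -> dict:
    """Run gpg and return the parsed status; raises on a mismatched .asc/.apk pair."""
    if not asc_matches_apk(asc_path, apk_path):
        raise ValueError(f"{asc_path} is not the signature file for {apk_path}")
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", asc_path, apk_path],
        capture_output=True, text=True, check=False)
    return parse_gpg_status(proc.stdout.splitlines(), expected_fpr)


# Constructed status output modelled on the thread's gpg run (not captured from it).
SAMPLE_STATUS_NO_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] NO_PUBKEY 7A029E54DD5DCE7A",
]
SAMPLE_STATUS_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 7A029E54DD5DCE7A Example Signer <signer@example.org>",
    "[GNUPG:] VALIDSIG 802A9799016112346E1FEFF47A029E54DD5DCE7A 2023-03-29 1680083729 0 4 0 1 8 00 "
    "802A9799016112346E1FEFF47A029E54DD5DCE7A",
]


if __name__ == "__main__":
    print("without the key:", parse_gpg_status(SAMPLE_STATUS_NO_KEY, EXPECTED_KEY_FPR))
    print("with the key:   ", parse_gpg_status(SAMPLE_STATUS_GOOD, EXPECTED_KEY_FPR))
    print("wrong pin:      ", parse_gpg_status(SAMPLE_STATUS_GOOD, "00" * 20)["valid"])
```

Once the key has been imported (a later reply points at a keyserver as one place to get it), `verify_apk("org.fdroid.fdroid_1016051.apk", "org.fdroid.fdroid_1016051.apk.asc")` returns `valid: True` only for the pinned key. A plain checksum would tell you the download was not corrupted; it would not tell you who produced the file, which is what the signature adds.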

You might be interested in the following thread, it was my efforts to get to the bottom of this a few years ago. You’ll see I got quite irritated at what I saw as disingenuous comments from certain members of this forum who appeared to be more concerned with deflecting than advocating for the kind of transparent security features you are asking about.

Your command uses the wrong .asc file… look at its name :slight_smile:

If they are in the official site :slight_smile:

Is it important? I tried to look into it, but atm it seems to be way above my capabilities (I’m not well versed in IT). I don’t even have an app installed that can open the key and don’t know where I could get one to do so.
Is it something that I can optionally do to get an extra level of security, or am I putting my Smartphone/privacy at great risk if I don’t do it?

Please do: FAQ · Wiki · F-Droid / wiki · GitLab