Which app store(s) do you feel has better security than F-Droid?
This not too old issue may show the level of concern you should expect from F-Droid developers, particularly given the way you are posing your questions and complaints:
Maybe @hans would at least give you credit for being concerned or interested…
This also not too old post should point you to some useful reading materials.
FYI, the ClassyShark3xodus app, available in F-Droid, shows md5 and sha2x checksums and signature info for installed APKs.
No need to apologize. I did some more digging. I found this old Guardian project app still works. Checkey: info on local apps - Guardian Project
Use that app to select the installed f-droid app. It says it is signed by Ciaran, the f-droid founder. Now, if you use the menu dialogue to select the signing key, it loads the signing key’s SHA1 fingerprint into a search box, which is good, because that fingerprint is what we need to verify it really is signed by Ciaran’s cert; that info is also here: Release Channels and Signing Keys | F-Droid - Free and Open Source Android App Repository
So Checkey reports Ciaran’s signing key SHA1 fingerprint is:
05F2E65928088981B317FC9A6DBFE04B0FA13B4E
f-droid site says it should be:
05:F2:E6:59:28:08:89:81:B3:17:FC:9A:6D:BF:E0:4B:0F:A1:3B:4E
So they are the same, which I guess is good. Unfortunately, what does not look so good is that the hosted apps are not also signed by that key; in fact, although Checkey reports they were all signed by f-droid, I have yet to find two that were even signed by the same signing key.
Here are a few I checked, together with their signing key fingerprints:
Simple Mobile Tools - Notes
3497FCD30C3AF1EFCCF9A7C00442096B89F5CA5B
Simple Mobile Tools - File Manager Pro
E9F4B92CE262D87C0E1CD77DC8F6AF5A4022AC7F
Simple Mobile Tools - Gallery Pro
3A49F04CF77C7AEBA9A403DDF94146C2DAE4BEED
Just Player
C2A55E62E6F9FC10BD16F16178EA7B1DCDC17F82
So how many signing keys are being used to sign the f-droid builds and how do we establish if they are even valid f-droid keys? Anyone can make a signing key called f-droid. Are these keys subkeys of Ciaran’s cert?
Every single app in F-Droid gets its own unique signing key as far as I am aware.
F-Droid has signatures to verify repositories, and repositories have signatures that verify their apps.
F-Droid thereby does a very good job at ensuring you install what was compiled by F-Droid and wasn’t tampered with by a third party along the way.
As long as you verify F-Droid itself and thoroughly verify any additional repositories you might add there is in theory no issue.
Keys and certificate or signature hashes or fingerprints are being confused here, I believe.
You get to have and hash a public key. You get to have and hash an app package and its associated certificate or signature. You don’t get to have or hash the private key used to make the signature or certificate. Not sure if you even get to see hashes of that key. Only GCHQ or NSA and friends have the computer power…supposedly.
Look under the Signatures tab for each app. It has the advantage of being 1 versus 5 years old, and has no network permission or 3rd-party site access, or confusion from what apps have been submitted.
Certificate or Signature hashes for different apps can be expected to be different.
For me, all results indicate the signing keys for apps from F-Droid are all the same, and from Guardian are all the same.
@SkewedZeppelin From the DivestOS repo there are some "Unknown"s listed. GmapsWV, Mull, as examples. System or default apps look better.
@justsomeguy: No, they are the cert fingerprints. If you look under the signature tab in the ApplicationsInfo app you mentioned for f-droid you will see the following:
The fingerprints are hashes of the actual certificate. You can calculate the f-droid cert fingerprint yourself using this tool: SAML X.509 Certificate Fingerprint - Online SHA1 Decoder | SAMLTool.com. You can see it doesn’t take the NSA to calculate a hash of a cert. It takes a split second, and it calculates that same SHA1 fingerprint.
Aside from that I can’t imagine what you are doing if you are looking at the info in that app and believing the f-droid hosted apps are all signed with the same certificate. They obviously are not.
I was referring to getting the private key from available public information.
Again, I don’t think we’re using the same language, so I’ll just add a couple comments on the procedure “To confirm that the 1DBA2E89 admin@f-droid.org PGP key is trusted by the index JAR signing key that is built into the F-Droid client app, run these commands:” on the Release Channels and Signing Keys page.
openjdk-8-jdk-headless is getting old. Substituting openjdk-11-jdk-headless (bullseye/testing) worked.
Gitlab doesn’t play well with Tor, so torify git clone https://gitlab.com/fdroid/fdroidclient gave a 403 error (not entirely f-droid’s fault, aside from using someone else’s blocky Gitlab). git clone... worked.
All 3 instances of keytool -import ... gave warnings: “The input uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.” This is a long-known (2019 at least) issue: F-Droid apk signing key (SHA1) is vulnerable to SHAttered attack. So yes, some improvements are needed. I note some signatures reported by the Apps Package Info app are SHA256withRSA, IIUC.
The step wget -O - https://f-droid.org/docs/Release_Channels_and_Signing_Keys/ | openssl x509 -inform pem -outform der -out docs.der failed with “Cannot write to ‘-’ (Broken pipe).” Saving it as index.html, then cat index.html | openssl… worked.
“was referring to getting the private key from available public information. Again, I don’t think we’re using the same language,”
We are using the same language, but you seem not to understand that the fingerprint has nothing to do with the private key. The fingerprint is simply a hash of the cert.
@raven9 You are referring to the checksum. Checksums are a way to ensure a file was not corrupted upon download and that your local file is the same as the online file. Changing any part of the code of the file changes the hash, so of course there is going to be a different hash for each program. PGP certificates are different, and different apps can share the same key if they were signed with the same key. F-Droid claims to have all apps signed with their key, but they did not claim that all apps had the same hash, as that would require all apps to be exactly the same.
EDIT: Forgot to say how to verify PGP. In order to do that, you have to download F-Droid’s key here and then use that to verify each apk file in OpenKeyChain.
UPDATE: I just tried to verify both with OpenKeyChain and with Kleopatra on my PC and couldn’t do so. The release channels and signing page does not appear to provide an actual key to use, as copying and pasting the key doesn’t work (BER error).
That link goes to the “PGP Signature” for F-Droid apk, not to F-Droid’s public key. You have to retrieve the public key from somewhere like ubuntu’s key server, or a post somewhere if you can find one.
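The two things that keep colliding in this thread, the hash of a file (its checksum) and the hash of the signer's certificate (its fingerprint, as raven9 describes it), can be pulled apart with a small script. The following is an added example written for this page; it is not code from anyone in the thread, from Checkey or from F-Droid. It builds three constructed in-memory "APKs" (two carrying the same placeholder certificate, one a different one) and shows that every file has its own checksum while apps signed by the same certificate share a fingerprint, whatever their contents. Assumptions: it reads only the v1 (JAR) signature block in META-INF/*.RSA, the "certificates" are constructed DER SEQUENCEs of the right shape rather than real X.509 certificates, and it goes a little beyond the thread by also producing the SHA-256 fingerprint that newer tools report. The two fingerprint notations compared at the end are the ones quoted earlier in the thread.

```python
# Added example: file checksum vs. signer-certificate fingerprint. Standard library
# only; every "APK" and "certificate" here is a constructed placeholder, not a real F-Droid artifact.
import hashlib
import io
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")  # PKCS#7 signedData, 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2A864886F70D010701")         # PKCS#7 data,       1.2.840.113549.1.7.1

def der(tag, payload):
    # Encode one DER TLV with a definite length (short or long form).
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + payload

def der_children(value):
    # Split a constructed DER value into (tag, inner_value, raw_tlv) tuples.
    out, pos = [], 0
    while pos < len(value):
        tag, length, start = value[pos], value[pos + 1], pos + 2
        if length & 0x80:  # long form: the low 7 bits say how many length bytes follow
            n = length & 0x7F
            length = int.from_bytes(value[start:start + n], "big")
            start += n
        end = start + length
        out.append((tag, value[start:end], value[pos:end]))
        pos = end
    return out

def signer_certs(pkcs7_der):
    # Raw DER bytes of each certificate inside a PKCS#7 SignedData block,
    # which is what an APK's META-INF/*.RSA file contains.
    tag, content_info, _ = der_children(pkcs7_der)[0]
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    oid, explicit0 = der_children(content_info)[:2]
    if oid[0] != 0x06 or oid[1] != OID_SIGNED_DATA or explicit0[0] != 0xA0:
        raise ValueError("not PKCS#7 signedData")
    signed_data = der_children(explicit0[1])[0][1]  # [0] EXPLICIT wraps the SignedData SEQUENCE
    for tag, value, _ in der_children(signed_data):
        if tag == 0xA0:  # [0] IMPLICIT certificates: SET OF Certificate
            return [raw for t, _, raw in der_children(value) if t == 0x30]
    return []

def fingerprint(cert_der, algo="sha1"):
    # A certificate fingerprint is a hash over the certificate's DER bytes; the private key plays no part.
    return hashlib.new(algo, cert_der).hexdigest().upper()

def colonize(fp):
    # "05F2E659..." -> "05:F2:E6:59:...", the notation used on the F-Droid signing-keys page.
    return ":".join(fp[i:i + 2] for i in range(0, len(fp), 2))

def same_fingerprint(a, b):
    # Compare two fingerprints regardless of colons and letter case.
    return a.replace(":", "").upper() == b.replace(":", "").upper()

def file_checksum(data, algo="sha256"):
    # Checksum of the whole file: any changed byte, anywhere, changes it.
    return hashlib.new(algo, data).hexdigest()

def apk_signer_fingerprints(apk_bytes, algo="sha1"):
    # Fingerprints of the signer certificate(s) in an APK's v1 (JAR) signature blocks.
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        blocks = [n for n in z.namelist()
                  if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        return [fingerprint(c, algo) for n in blocks for c in signer_certs(z.read(n))]

def make_cert(seed):
    # Constructed stand-in for an X.509 certificate: a SEQUENCE longer than 128 bytes,
    # so long-form lengths are exercised. Not a parseable real certificate.
    return der(0x30, der(0x02, b"\x02") + der(0x04, (seed * 40).encode()))

def make_apk(name, cert_der):
    # Constructed in-memory "APK": a zip whose META-INF/CERT.RSA carries cert_der in a
    # minimal PKCS#7 SignedData shell (digest-algorithm and signer sets left empty).
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"")
                      + der(0x30, der(0x06, OID_DATA)) + der(0xA0, cert_der) + der(0x31, b""))
    pkcs7 = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", pkcs7)
        z.writestr("classes.dex", f"placeholder code for {name}\n")
    return buf.getvalue()

# Constructed samples: two apps signed with one certificate, a third with another.
CERT_X, CERT_Y = make_cert("cert-X"), make_cert("cert-Y")
APKS = {"notes.apk": make_apk("notes", CERT_X),
        "gallery.apk": make_apk("gallery", CERT_X),
        "player.apk": make_apk("player", CERT_Y)}

if __name__ == "__main__":
    for name, data in APKS.items():
        print(name)
        print("  file sha256   :", file_checksum(data))
        print("  signer sha1   :", colonize(apk_signer_fingerprints(data)[0]))
        print("  signer sha256 :", colonize(apk_signer_fingerprints(data, "sha256")[0]))
```

Run stand-alone, it prints one checksum and two fingerprints per constructed APK: notes.apk and gallery.apk differ in checksum but agree on signer, and player.apk differs on both. On a real APK the same walk is what `keytool -printcert -jarfile app.apk` performs, so its output can be compared against a published fingerprint with `same_fingerprint`, colons or not.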
Agree. Like it or not: the human factor will remain the weakest link, ever. In whose ear will you whisper the master password of your key vault once you’re on your death bed?
Ever believed the world and those who are on it is a trustworthy place? Wake up and make the best of it —and of encryption as well.
gpg: Signature made Wed 29 Mar 2023 03:55:29 AM MDT
gpg: using RSA key 802A9799016112346E1FEFF47A029E54DD5DCE7A
gpg: Can't check signature: No public key
How am I supposed to get this public key? There isn’t an obvious place anywhere on the website to find it. It’d be nice if there were some checksums or something I could verify with instead, since that would make things a million times easier.
You might be interested in the following thread, it was my efforts to get to the bottom of this a few years ago. You’ll see I got quite irritated at what I saw as disingenuous comments from certain members of this forum who appeared to be more concerned with deflecting than advocating for the kind of transparent security features you are asking about.