Where is the PGP Signature Verification App?

Which app store(s) do you feel has better security than F-Droid?

This not too old issue may show the level of concern you should expect from F-Droid developers, particularly given the way you are posing your questions and complaints:

Maybe @hans would at least give you credit for being concerned or interested…

This also not too old post should point you to some useful reading materials.

FYI, the ClassyShark3xodus app, available in F-Droid, shows MD5 and SHA-2 checksums and signature info for installed APKs.

IANAD, but the warnings look to be common and unimportant, with an available packaging solution:

https://github.com/nextcloud/android/issues/1569#issuecomment-354725484 , https://github.com/DroidKaigi/conference-app-2019/issues/268 , https://github.com/DroidKaigi/conference-app-2019/pull/264#issuecomment-452359301 , https://github.com/DroidKaigi/conference-app-2019/pull/641

Yes, but…

I had no luck with F-Droid.apk, unfortunately, and I see your screenshot was for something else.

  • The admin at f-droid dot org public key was saved in OpenKeyChain, after adding the ubuntu key server.
  • F-Droid.apk was downloaded.
  • Decrypt/Verify was opened.
  • F-Droid.apk was selected.

Result:

X Encountered an error reading input data
Processing input data
\ Attempting to process OpenPGP data
\ Encountered an error reading input data!

  • Downloaded F-Droid.apk again. Same result.

I had no luck with F-Droid.apk

Huh.
That is actually disappointing.
@raven9 you were correct in that one regard and I apologize.


No need to apologize. I did some more digging. I found this old Guardian Project app still works: https://guardianproject.info/apps/info.guardianproject.checkey/
Use that app to select the installed F-Droid app. It says it is signed by Ciaran, the F-Droid founder. Now if you use the menu dialogue to select the signing key, it loads the signing key’s SHA1 fingerprint into a search box, which is good because that fingerprint is what we need to verify it really is signed by Ciaran’s cert, since that info is also here: https://f-droid.org/docs/Release_Channels_and_Signing_Keys/?title=Release_Channels_and_Signing_Keys

So checkey reports Ciaran’s signing key SHA1 fingerprint is:
05F2E65928088981B317FC9A6DBFE04B0FA13B4E

f-droid site says it should be:
05:F2:E6:59:28:08:89:81:B3:17:FC:9A:6D:BF:E0:4B:0F:A1:3B:4E

So they are the same, which I guess is good. Unfortunately, what does not look so good is that the hosted apps are not also signed by that key. In fact, although Checkey reports they were all signed by F-Droid, I have yet to find two that were even signed by the same signing key.

Here are a few I checked together with their signing key fingerprints

Simple Mobile Tools - Notes
3497FCD30C3AF1EFCCF9A7C00442096B89F5CA5B

Simple Mobile Tools - File Manager Pro
E9F4B92CE262D87C0E1CD77DC8F6AF5A4022AC7F

Simple Mobile Tools - Gallery Pro
3A49F04CF77C7AEBA9A403DDF94146C2DAE4BEED

OpenKeyChain
15C13AAB38E8D48BC759BBFF7A3A3A3E425AB6AA

Just Player
C2A55E62E6F9FC10BD16F16178EA7B1DCDC17F82

So how many signing keys are being used to sign the f-droid builds and how do we establish if they are even valid f-droid keys? Anyone can make a signing key called f-droid. Are these keys subkeys of Ciaran’s cert?


Every single app in F-Droid gets its own unique signing key as far as I am aware.
F-Droid has signatures to verify repositories, and repositories have signatures that verify their apps.

F-Droid thereby does a very good job at ensuring you install what was compiled by F-Droid and wasn’t tampered with by a third party along the way.

As long as you verify F-Droid itself and thoroughly verify any additional repositories you might add there is in theory no issue.


Keys and certificate or signature hashes or fingerprints are being confused here, I believe.

You get to have and hash a public key. You get to have and hash an app package and its associated certificate or signature. You don’t get to have or hash the private key used to make the signature or certificate. Not sure if you even get to see hashes of that key. Only GCHQ or NSA and friends have the computer power… supposedly.

For even more fun info, try the Apps Packages Info app: https://f-droid.org/en/packages/com.oF2pks.applicationsinfo/

Look under the Signatures tab for each app. It has the advantage of being 1 versus 5 years old, with no network permission or 3rd-party site access, and no confusion from what apps have been submitted.

Certificate or Signature hashes for different apps can be expected to be different.

For me, all results indicate the signing keys for apps from F-Droid are all the same, and from Guardian are all the same.

@SkewedZeppelin From the DivestOS repo there are some "Unknown"s listed, GmapsWV and Mull as examples. System or default apps look better.

@justsomeguy: No, they are the cert fingerprints. If you look under the Signatures tab in the Apps Packages Info app you mentioned, for F-Droid you will see the following:

CN=Ciaran Gultnieks,OU=Unknown,O=Unknown,L=Wetherby,ST=Unknown,C=UK

Certificate fingerprints:
md5: 17c55c628056e193e95644e989792786
sha1: 05f2e65928088981b317fc9a6dbfe04b0fa13b4e
sha256: 43238d512c1e5eb2d6569f4a3afbf5523418b82e0a3ed1552770abb9a9c9ccab

The SHA1 fingerprint matches the one on this page https://f-droid.org/docs/Release_Channels_and_Signing_Keys/?title=Release_Channels_and_Signing_Keys

The fingerprints are hashes of the actual certificate; you can calculate the F-Droid cert fingerprint yourself using this tool: https://www.samltool.com/fingerprint.php. You can see it doesn’t take the NSA to calculate a hash of a cert. It takes a split second, and it calculates that same SHA1 fingerprint.

Aside from that I can’t imagine what you are doing if you are looking at the info in that app and believing the f-droid hosted apps are all signed with the same certificate. They obviously are not.

Download ClassyShark and Exodus (https://f-droid.org/en/packages/com.oF2pks.classyshark3xodus/)
and use it to scan F-Droid.
It would be useful to get F-Droid founder in this thread or at least the forum creator.
@hans @Licaon_Kter
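The fingerprint comparison done above with Checkey and Apps Packages Info (strip the colons, compare against the value on the Release Channels and Signing Keys page) can be reproduced offline. The following is an added example, not code from the thread or from the F-Droid project: it pulls the signer certificate out of an APK's v1 (JAR) signature block, hashes the DER-encoded certificate to get the same MD5/SHA1/SHA256 fingerprints the apps display, and compares against a published colon-separated fingerprint. The `FAKE_CERT` placeholder and the APK built by `build_constructed_apk` are constructed fixtures so the script runs without a real APK; only the published SHA1 value is taken from the thread.

```python
"""Added example, not code from the thread or from the F-Droid project:
compute the MD5/SHA-1/SHA-256 fingerprint of an APK's signing certificate the
way Checkey and Apps Packages Info display it, and compare it with a fingerprint
published in colon-separated form. Standard library only."""
import hashlib
import io
import re
import zipfile

# Published value quoted in the thread (F-Droid docs, Release Channels and Signing Keys).
FDROID_PUBLISHED_SHA1 = "05:F2:E6:59:28:08:89:81:B3:17:FC:9A:6D:BF:E0:4B:0F:A1:3B:4E"


def normalize_fingerprint(fp: str) -> str:
    """'05:F2:E6:...' and '05f2e6...' are the same fingerprint: drop separators, lower-case."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).lower()


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value (used only to build the constructed fixture below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _read_tlv(buf: bytes, pos: int):
    """Decode the DER element at pos -> (tag, content, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def _children(content: bytes):
    """Yield (tag, whole_element_bytes, inner_content) for each element of a constructed value."""
    pos = 0
    while pos < len(content):
        tag, inner, nxt = _read_tlv(content, pos)
        yield tag, content[pos:nxt], inner
        pos = nxt


def certificates_from_pkcs7(der: bytes) -> list:
    """Return the DER certificates carried in a PKCS#7 SignedData blob, i.e. the
    META-INF/*.RSA (or .DSA/.EC) file of a JAR/v1-signed APK.
    ContentInfo ::= SEQUENCE { contentType OID, [0] EXPLICIT SignedData }
    SignedData  ::= SEQUENCE { version, digestAlgorithms, contentInfo, [0] certificates, ... }"""
    _, content_info, _ = _read_tlv(der, 0)
    signed_data_seq = list(_children(content_info))[1][2]   # inner of [0] EXPLICIT, after the OID
    _, signed_data, _ = _read_tlv(signed_data_seq, 0)
    for tag, _, inner in _children(signed_data):
        if tag == 0xA0:                                    # [0] IMPLICIT certificates
            return [whole for t, whole, _ in _children(inner) if t == 0x30]
    return []


def cert_fingerprints(cert_der: bytes) -> dict:
    """A fingerprint is just a hash of the DER certificate; it says nothing about the private key."""
    return {a: hashlib.new(a, cert_der).hexdigest() for a in ("md5", "sha1", "sha256")}


def apk_signer_fingerprints(apk_bytes: bytes) -> list:
    """Fingerprints of every certificate found in the APK's v1 signature block(s)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                found.extend(cert_fingerprints(c) for c in certificates_from_pkcs7(z.read(name)))
    return found


def matches_published(apk_bytes: bytes, published: str, algo: str = "sha1") -> bool:
    """True if any signer certificate's <algo> fingerprint equals the published one."""
    want = normalize_fingerprint(published)
    return any(fp[algo] == want for fp in apk_signer_fingerprints(apk_bytes))


# CONSTRUCTED fixture: a placeholder SEQUENCE standing in for a certificate, wrapped in a
# minimal SignedData. Not a real certificate or signature; it only exercises extraction + hashing.
FAKE_CERT = der_tlv(0x30, der_tlv(0x04, b"placeholder, not a real X.509 certificate"))


def build_constructed_apk(cert_der: bytes = FAKE_CERT) -> bytes:
    oid_signed_data = der_tlv(0x06, bytes.fromhex("2A864886F70D010702"))   # 1.2.840.113549.1.7.2
    oid_data = der_tlv(0x06, bytes.fromhex("2A864886F70D010701"))          # 1.2.840.113549.1.7.1
    signed_data = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x31, b"")
                          + der_tlv(0x30, oid_data) + der_tlv(0xA0, cert_der) + der_tlv(0x31, b""))
    content_info = der_tlv(0x30, oid_signed_data + der_tlv(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", content_info)
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_constructed_apk()
    for fp in apk_signer_fingerprints(apk):
        print("sha1:", fp["sha1"], "sha256:", fp["sha256"])
    print("matches F-Droid's published SHA1?", matches_published(apk, FDROID_PUBLISHED_SHA1))
```

Two caveats for real use. This reads only the v1 (JAR) signature block; current APKs also carry v2/v3 signing blocks outside the zip entries, and `apksigner verify --print-certs` reports the certificate digests for all schemes, which is the simplest cross-check against what Checkey or Apps Packages Info shows. And when the publisher lists a SHA-256 fingerprint next to the SHA-1 one (as the Apps Packages Info output above does), compare the SHA-256; the SHA-1 value is what the docs page quotes, but it is the weaker identifier.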

I was referring to getting the private key from available public information.

Again, I don’t think we’re using the same language, so I’ll just add a couple comments on the procedure “To confirm that the 1DBA2E89 admin@f-droid.org PGP key is trusted by the index JAR signing key that is built into the F-Droid client app, run these commands:” on the Release Channels and Signing Keys page.

  • openjdk-8-jdk-headless is getting old. Substituting openjdk-11-jdk-headless (bullseye/testing) worked.
  • Gitlab doesn’t play well with Tor, so
    torify git clone https://gitlab.com/fdroid/fdroidclient gave 403 error (not entirely f-droid’s fault, aside from using someone else’s blocky Gitlab). git clone... worked.
  • All 3 instances of keytool -import ... gave warnings: “The input uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.” This is a long-known (2019 at least) issue: “F-Droid apk signing key (SHA1) is vulnerable to SHAttered attack”. So yes, some improvements are needed. I note some signatures reported by the Apps Packages Info app are SHA256withRSA, IIUC.
  • The step wget -O - https://f-droid.org/docs/Release_Channels_and_Signing_Keys/ | openssl x509 -inform pem -outform der -out docs.der failed with “Cannot write to ‘-’ (Broken pipe).” Saving it as index.html, then cat index.html | openssl… worked.
  • Bottom line: 3 “jar verified.”

“was referring to getting the private key from available public information. Again, I don’t think we’re using the same language,”

We are using the same language but you seem not to understand the fingerprint has nothing to do with the private key. The fingerprint is simply a hash of the cert.

@raven9 You are referring to the checksum. Checksums are a way to ensure a file was not corrupted upon download, and that your local file is the same as the online file. Changing any part of the code of the file changes the hash, so of course there is going to be a different hash for each program. PGP certificates are different, and different apps can share the same key if they were signed with the same key. F-Droid claims to have all apps signed with their key, but they did not claim that all apps had the same hash, as that would require all apps to be exactly the same.
EDIT: Forgot to say how to verify PGP. In order to do that, you have to download F-Droid’s key here and then use that to verify each apk file in OpenKeyChain.
UPDATE: I just tried to verify both with OpenKeyChain and with Kleopatra on my PC and couldn’t do so. The release channels and signing page does not appear to provide an actual key to use, as copying and pasting the key doesn’t work (BER error).

That link goes to the “PGP Signature” for F-Droid apk, not to F-Droid’s public key. You have to retrieve the public key from somewhere like ubuntu’s key server, or a post somewhere if you can find one.

@ziproot No. I am referring to the fingerprint. The problem seems to be that none of you understand the fingerprint is a hash of the cert. I suggest you read this page https://f-droid.org/en/docs/Release_Channels_and_Signing_Keys/

There you will see the cert and the fingerprints.

Are you now aware F-Droid app itself does some signature verification, so your original premise is false?

Agree. Like it or not :wink:: the human factor will remain the weakest link, ever. In whose ear will you whisper the master password of your key vault once you’re on your death bed?
Ever believed the world and who are on it is a trustworthy place? Wake up and make the best of it —and of encryption as well.