No need to apologize. I did some more digging. I found this old Guardian Project app still works. https://guardianproject.info/apps/info.guardianproject.checkey/
Use that app to select the installed f-droid app. It says it is signed by Ciaran, the f-droid founder. Now if you use the menu dialogue to select the signing key, it loads the signing key's SHA1 fingerprint into a search box, which is good because that fingerprint is what we need to verify it really is signed by Ciaran's cert, because that info is also here: https://f-droid.org/docs/Release_Channels_and_Signing_Keys/?title=Release_Channels_and_Signing_Keys
So Checkey reports Ciaran's signing key SHA1 fingerprint is:
The f-droid site says it should be:
So they are the same, which I guess is good. Unfortunately, what does not look so good is that the hosted apps are not also signed by that key; in fact, although Checkey reports they were all signed by f-droid, I have yet to find two that were even signed by the same signing key.
Here are a few I checked, together with their signing key fingerprints:
Simple Mobile Tools - Notes
Simple Mobile Tools - File Manager Pro
Simple Mobile Tools - Gallery Pro
So how many signing keys are being used to sign the f-droid builds and how do we establish if they are even valid f-droid keys? Anyone can make a signing key called f-droid. Are these keys subkeys of Ciaran’s cert?
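A way to do the same fingerprint check without Checkey, as an added example that is not part of this post or of any F-Droid tooling: standard-library Python that pulls the signing certificate out of an APK's v1 (JAR) signature block (META-INF/*.RSA), computes the SHA-1 or SHA-256 fingerprint the way keytool and apksigner print it, and compares it with the value copied from the F-Droid signing-keys page. It assumes the APK still carries a v1 signature (an APK signed only with scheme v2/v3 has no META-INF block and needs apksigner instead) and that the published fingerprint is a digest of the whole DER certificate, which is how Android identifies a signer.

```python
import hashlib
import zipfile
def _read_tlv(buf: bytes, pos: int):
    """DER tag/length at buf[pos] -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_first_cert(pkcs7: bytes) -> bytes:
    """First certificate (DER, header included) in a PKCS#7 SignedData (META-INF/*.RSA)."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    _, pos, _ = _read_tlv(pkcs7, 0)
    _, _, pos = _read_tlv(pkcs7, pos)       # skip contentType OID
    outer, pos, _ = _read_tlv(pkcs7, pos)   # [0] EXPLICIT wrapper
    inner, pos, _ = _read_tlv(pkcs7, pos)   # SignedData SEQUENCE
    if (outer, inner) != (0xA0, 0x30):
        raise ValueError("not a PKCS#7 SignedData structure")
    # SignedData ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
    #                           certificates [0] IMPLICIT SET OF Certificate OPTIONAL, ... }
    for _ in range(3):                      # skip version, digestAlgorithms, encapContentInfo
        _, _, pos = _read_tlv(pkcs7, pos)
    tag, pos, _ = _read_tlv(pkcs7, pos)
    if tag != 0xA0:
        raise ValueError("SignedData carries no certificates")
    tag, _, end = _read_tlv(pkcs7, pos)
    if tag != 0x30:
        raise ValueError("unexpected certificate encoding")
    return pkcs7[pos:end]

def fingerprint(cert_der: bytes, algo: str = "sha1") -> str:
    h = hashlib.new(algo, cert_der).hexdigest().upper()   # digest of the whole DER cert
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))   # keytool/apksigner style

def normalize(fp: str) -> str:
    # drop colons, spaces and case so values copied from different tools compare equal
    return "".join(c for c in fp.upper() if c in "0123456789ABCDEF")

def cert_matches(cert_der: bytes, expected_fp: str) -> bool:
    expected = normalize(expected_fp)
    algo = {40: "sha1", 64: "sha256"}[len(expected)]   # KeyError: not SHA-1/SHA-256 length
    return normalize(fingerprint(cert_der, algo)) == expected

def apk_signer_matches(apk_path: str, expected_fp: str) -> bool:
    # hypothetical entry point: apk_path and expected_fp are supplied by the caller
    with zipfile.ZipFile(apk_path) as apk:
        blocks = [n for n in apk.namelist() if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not blocks:
            raise ValueError("no v1 signature block; v2/v3-only APKs need apksigner")
        return cert_matches(extract_first_cert(apk.read(blocks[0])), expected_fp)
```

Call it as `apk_signer_matches("/path/to/app.apk", "<fingerprint copied from the F-Droid page>")`; a False result means the APK's signing certificate is not the one whose fingerprint you pasted, which is exactly the per-app difference Checkey is showing.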