updated 2020-08: it is now easier than ever to find the correct public key. (thank god! why so complicated f-droid?)

md5 checksums can be forged, sha512sums imho not yet, but checking those checksums is straightforward: all one needs is the published checksum

  • md5sum for org.linphone_4125.apk should be 3efee7b3b836a72abf327edc55daa4ba
  • sha512sum for org.linphone_4125.apk should be 3f99cfec851f6105d549c2914b7a823467053d11a67cb6d98244202b850d13413fb1cbc52dfacd5d1260cc77409f242d4b0ed0c94aed0fc38cebc4803fdd144f

similar to gpg, one downloads the binary and the checksum file into the same directory and runs:

md5sum -c org.linphone_4125.apk.md5sum.txt
org.linphone_4125.apk: OK

sha512sum -c org.linphone_4125.apk.sha512sum.txt
org.linphone_4125.apk: OK

OK is always GOOD

with pgp things are a little more complex.

pgp itself is working just fine/doing its job (public/private key cryptography: anything that is encrypted with the public key can only be decrypted with the private key(file), and a signature made with the private key can be verified by anyone holding the public key).

the handling problem sometimes is: where to get the correct/proper public key for this or that package from?

in theory this job should be done by keyservers – but which keyserver did the author upload their public key to? which keyserver to use?

probably best practice for authors: simply link to/publish/post one’s public key next to the download (it could be on a separate webserver).

in the case of f-droid the keyserver to use is: https://keyserver.ubuntu.com (for a different software one has to search again for a keyserver with the proper key… so best practice would be simply to publish one’s public key straight next to the download to verify)

example: one wants to verify the integrity of the LinPhone Voice Over IP App: https://f-droid.org/en/packages/org.linphone/

# tested with
hostnamectl 
   Static hostname: DebianLaptop
         Icon name: computer-laptop
  Operating System: Debian GNU/Linux 9 (stretch)
            Kernel: Linux 4.9.0-11-amd64
      Architecture: x86-64

gpg --version
gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

hostnamectl; # then in 2020-08 again tested with
   Static hostname: giada
  Operating System: Debian GNU/Linux 10 (buster)
            Kernel: Linux 4.19.0-8-amd64
      Architecture: x86-64

gpg --version
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/user/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

# verify F-Droid App
# download the app
wget https://f-droid.org/F-Droid.apk
# download the signature
wget https://f-droid.org/F-Droid.apk.asc

# F-Droid at least has a tutorial on how to verify this app
# but it is one of the most complicated, c'mon! simplify! simplify! simplify!
# for whatever reason f-droid does not simply provide its public key
# this will fail
# but tells the user to look for key 0x41E7044E1DBA2E89
gpg --verify F-Droid.apk.asc

# luckily pgp has learned to automatically search servers for the proper public key
gpg --search-keys 0x41E7044E1DBA2E89
# or manually specifying the internet hosted keyserver
gpg --keyserver pool.sks-keyservers.net --recv-keys 0x41E7044E1DBA2E89 
gpg: data source: http://hkps.pool.sks-keyservers.net:11371
(1)	F-Droid <admin@f-droid.org>
	  4096 bit RSA key 0x41E7044E1DBA2E89, created: 2014-04-25
Keys 1-1 of 1 for "0x41E7044E1DBA2E89".  Enter number(s), N)ext, or Q)uit > 1
gpg: key 0x41E7044E1DBA2E89: public key "F-Droid <admin@f-droid.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

# it might be "okayish" (better-than-nothing-approach) to trust a public keyserver
# it might be better to publish public_key.file next to the file to download
# and then directly download public_key.file and import it like
gpg --import public_key.file

# now verify again
gpg --verify F-Droid.apk.asc 
gpg: assuming signed data in 'F-Droid.apk'
gpg: Signature made Wed 29 Apr 2020 08:09:09 AM CEST
gpg:                using RSA key 0x7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin ÄTTTT f-droid DOTTT org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A

# 2021-08
gpg --verify F-Droid.apk.asc
gpg: assuming signed data in 'F-Droid.apk'
gpg: Signature made Fri 16 Apr 2021 11:26:14 AM CEST
gpg: using RSA key 802A9799016112346E1FEFF47A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin ÄTTT f-droid DOOOOT org>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
Subkey fingerprint: 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D CE7A

# looks like the user has downloaded an unaltered app
# and can proceed with installation of the app
# thanks all involved

# btw generating a pgp .asc signature file is simple (creditz)
# if pgp is already set up for the current user
gpg -ab Filename
# will generate a detached, ascii-armored signature Filename.asc
# important: provide 1) the public key and 2) Filename.asc for download

# verify LinPhone App
wget https://f-droid.org/repo/org.linphone_4125.apk
# download the signature
wget https://f-droid.org/repo/org.linphone_4125.apk.asc

# what one would do is "verify"
gpg --verify org.linphone_4125.apk.asc
gpg: assuming signed data in 'org.linphone_4125.apk'
gpg: Signature made Mon 10 Jun 2019 11:30:25 AM CEST
gpg:                using RSA key 0x7A029E54DD5DCE7A
gpg: Can't check signature: No public key

# so there is no public key in the local keyring
# but at least one got the long key id of the public key that is needed
# the hunt for the public key 0x7A029E54DD5DCE7A has begun

# ALWAYS USE THE LONG ID! NOT SHORT ID!
# SHORT ID CAN NOT IDENTIFY KEY PROPERLY!
# (allows fake public key with short id)

# search keyserver ubuntu for key
gpg --keyserver https://keyserver.ubuntu.com/ --search-keys 0x7A029E54DD5DCE7A
gpg: data source: https://162.213.33.8:443
(1)	F-Droid <admin@f-droid.org>
	  4096 bit RSA key 0x41E7044E1DBA2E89, created: 2014-04-25
Keys 1-1 of 1 for "0x7A029E54DD5DCE7A".  Enter number(s), N)ext, or Q)uit > 

# get the key
gpg --keyserver https://keyserver.ubuntu.com/ --recv-key 0x7A029E54DD5DCE7A
gpg: key 0x41E7044E1DBA2E89: 2 duplicate signatures removed
gpg: key 0x41E7044E1DBA2E89: 40 signatures not checked due to missing keys
gpg: key 0x41E7044E1DBA2E89: public key "F-Droid <admin@f-droid.org>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-02-01
gpg: Total number processed: 1
gpg:               imported: 1

# now one has the public key in local store
# verify again
gpg --verify org.linphone_4125.apk.asc 
gpg: assuming signed data in 'org.linphone_4125.apk'
gpg: Signature made Mon 10 Jun 2019 11:30:25 AM CEST
gpg:                using RSA key 0x7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A
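Added example (not code from the post or from F-Droid): "Good signature ... [unknown]" plus the WARNING above means gpg verified the math but cannot say whose key it is, so the check a defender wants is to pin the primary key fingerprint printed on this page and compare it against gpg's machine-readable output (`gpg --status-fd 1 --verify org.linphone_4125.apk.asc`). The status lines below are constructed, modelled on the 2019-06-10 run, not captured gpg output.

```python
import re

# Primary key fingerprint printed on the page for "F-Droid <admin@f-droid.org>".
FDROID_PRIMARY_FPR = "37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89"

def normalize_fpr(fpr):
    """Drop spaces and upper-case so '37D2 C987 ...' and '37d2c987...' compare equal."""
    return re.sub(r"\s+", "", fpr).upper()

def verify_status(status_output, expected_primary_fpr):
    """Judge gpg's `--status-fd` lines; return (accepted, reason).

    Accepts only if a VALIDSIG line is present, no BADSIG/ERRSIG/NO_PUBKEY/REVKEYSIG
    line occurs, and the primary key fingerprint named by VALIDSIG equals the
    pinned one. An expired key (EXPKEYSIG, the 2021-08 case) is rejected too.
    """
    want = normalize_fpr(expected_primary_fpr)
    signer, expired = None, False
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                      # ignore human-readable chatter
        fields = line.split()
        kw = fields[1]
        if kw in ("BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG"):
            return False, "gpg reported " + kw
        if kw == "EXPKEYSIG":
            expired = True
        if kw == "VALIDSIG":
            # VALIDSIG <sig-key fpr> <date> <ts> <exp> <ver> <rsvd> <pkalgo> <hashalgo> <class> [<primary fpr>]
            # gpg 2.x appends the primary fingerprint (field 11) when a subkey such as
            # 802A...CE7A made the signature; fall back to the signing key's own fpr.
            signer = fields[11] if len(fields) > 11 else fields[2]
    if signer is None:
        return False, "no VALIDSIG line: nothing was verified"
    if normalize_fpr(signer) != want:
        return False, "signed by %s, expected %s" % (signer, want)
    if expired:
        return False, "pinned key matched but has expired; refresh it first"
    return True, "good signature by pinned key " + want

# Constructed status output modelled on the page's 2019-06-10 LinPhone run
# (subkey 802A...CE7A signs, primary key 37D2...2E89 owns it). Not real gpg output.
SIG_GOOD = """[GNUPG:] GOODSIG 7A029E54DD5DCE7A F-Droid <admin@f-droid.org>
[GNUPG:] VALIDSIG 802A9799016112346E1FEFF47A029E54DD5DCE7A 2019-06-10 1560159025 0 4 0 1 10 00 37D2C98789D8311948394E3E41E7044E1DBA2E89
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SIG_EXPIRED = SIG_GOOD.replace("GOODSIG", "EXPKEYSIG")          # the "key has expired" note
SIG_NO_KEY = "[GNUPG:] ERRSIG 7A029E54DD5DCE7A 1 10 00 1560159025 9\n[GNUPG:] NO_PUBKEY 7A029E54DD5DCE7A\n"
SIG_OTHER_KEY = SIG_GOOD.replace("37D2C98789D8311948394E3E41E7044E1DBA2E89", "0" * 40)  # constructed impostor
```

Pipe the real status output into `verify_status` and only install the apk when it returns `True`; a mismatch or an expired/missing key is a stop, not a warning to click past.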

congratulations! 🙂

one did it! 🙂

more gpg stuff

Getting started with PGP

manpage:

gpg.man.txt

admin