update 2020-08: it is not easier than ever to find the correct public key. (thank god! why so complicated, f-droid?)
md5 hashes can be forged (collisions), sha512sums imho not yet, but checking those checksums is straightforward: all one needs is the (trusted) checksum
- md5sum for org.linphone_4125.apk should be 3efee7b3b836a72abf327edc55daa4ba
- sha512sum for org.linphone_4125.apk should be 3f99cfec851f6105d549c2914b7a823467053d11a67cb6d98244202b850d13413fb1cbc52dfacd5d1260cc77409f242d4b0ed0c94aed0fc38cebc4803fdd144f
similar to gpg, one downloads the binary and the checksum file into the same directory and goes like:

```
md5sum -c org.linphone_4125.apk.md5sum.txt
org.linphone_4125.apk: OK
sha512sum -c org.linphone_4125.apk.sha512sum.txt
org.linphone_4125.apk: OK
```

OK is always GOOD (it means the downloaded file matches the published checksum)
with pgp things are a little more complex.
pgp itself is working just fine / doing its job (public/private key cryptography: anything that is encrypted with the public key can only be decrypted with the private key (file), and a signature made with the private key can be checked by anyone holding the public key, which is why the verifier needs the author's public key).
the handling problem sometimes is: where to get the correct/proper public key for this or that package from?
in theory this job should be done by keyservers, but which keyserver did the author upload their public key to? which keyserver should one use?
probably best practice for authors: simply link to/publish/post one’s public key next to the download (it could be on a separate webserver).
in the case of f-droid the keyserver to use is: https://keyserver.ubuntu.com (for a different piece of software one has to search again for a keyserver holding the proper key... so best practice would be to simply publish one's public key straight next to the download to be verified)
example: one wants to verify the integrity of the LinPhone Voice Over IP App: https://f-droid.org/en/packages/org.linphone/
```
# tested with
hostnamectl
   Static hostname: DebianLaptop
         Icon name: computer-laptop
  Operating System: Debian GNU/Linux 9 (stretch)
            Kernel: Linux 4.9.0-11-amd64
      Architecture: x86-64

gpg --version
gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# then in 2020-08 again tested with
hostnamectl
   Static hostname: giada
  Operating System: Debian GNU/Linux 10 (buster)
            Kernel: Linux 4.19.0-8-amd64
      Architecture: x86-64

gpg --version
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/user/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
```

```
# verify F-Droid App
# download the app
wget https://f-droid.org/F-Droid.apk
# download the signature
wget https://f-droid.org/F-Droid.apk.asc
# F-Droid at least has a tutorial on how to verify this app
# but it is one of the most complicated, c'mon! simplify! simplify! simplify!

# for whatever reason f-droid does not simply provide its public key
# this will fail
# but tell the user to look for key 0x41E7044E1DBA2E89
gpg --verify F-Droid.apk.asc

# luckily pgp has learned to automatically search servers for the proper public key
gpg --search-keys 0x41E7044E1DBA2E89
# or manually specifying the internet hosted keyserver
# (the sks-keyservers pool has since been shut down; keyserver.ubuntu.com, used further below, still works)
gpg --keyserver pool.sks-keyservers.net --recv-keys 0x41E7044E1DBA2E89
gpg: data source: http://hkps.pool.sks-keyservers.net:11371
(1)     F-Droid <admin@f-droid.org>
          4096 bit RSA key 0x41E7044E1DBA2E89, created: 2014-04-25
Keys 1-1 of 1 for "0x41E7044E1DBA2E89".  Enter number(s), N)ext, or Q)uit > 1
gpg: key 0x41E7044E1DBA2E89: public key "F-Droid <admin@f-droid.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

# it might be "okayish" (better-than-nothing approach) to trust a public keyserver
# it might be better to publish public_key.file next to the file to download
# and then directly download public_key.file and import it like
gpg --import public_key.file

# now verify again
gpg --verify F-Droid.apk.asc
gpg: assuming signed data in 'F-Droid.apk'
gpg: Signature made Wed 29 Apr 2020 08:09:09 AM CEST
gpg:                using RSA key 0x7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin ÄTTTT f-droid DOTTT org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D CE7A
# "Good signature" + the WARNING means: the signature matches the key,
# but nobody in the local web of trust vouches for the key, so compare the
# primary key fingerprint against one obtained from a trusted place

# 2021-08
gpg --verify F-Droid.apk.asc
gpg: assuming signed data in 'F-Droid.apk'
gpg: Signature made Fri 16 Apr 2021 11:26:14 AM CEST
gpg:                using RSA key 802A9799016112346E1FEFF47A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin ÄTTT f-droid DOOOOT org>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D CE7A

# btw, generating a .asc signature file is simple (creditz)
# if pgp is already set up for the current user
gpg -ab Filename
# will generate a Filename.asc (detached, ASCII-armored signature)
# important: provide 1) the public key and 2) the Filename.asc for download

# looks like the user has downloaded an unaltered app
# and can proceed with installation of the app
# thanks to all involved
```

```
# verify LinPhone App
# download the app
wget https://f-droid.org/repo/org.linphone_4125.apk
# download the signature
wget https://f-droid.org/repo/org.linphone_4125.apk.asc
# what one would do is "verify"
gpg --verify org.linphone_4125.apk.asc
gpg: assuming signed data in 'org.linphone_4125.apk'
gpg: Signature made Mon 10 Jun 2019 11:30:25 AM CEST
gpg:                using RSA key 0x7A029E54DD5DCE7A
gpg: Can't check signature: No public key

# so there is no public key
# but at least one got the id of the public key that would be needed
# the hunt for the public key 0x7A029E54DD5DCE7A has begun
# ALWAYS USE THE LONG ID! NOT THE SHORT ID!
# A SHORT ID CAN NOT IDENTIFY A KEY PROPERLY!
# (allows a fake public key with the same short id)

# search keyserver ubuntu for the key
gpg --keyserver https://keyserver.ubuntu.com/ --search-keys 0x7A029E54DD5DCE7A
gpg: data source: https://162.213.33.8:443
(1)     F-Droid <admin@f-droid.org>
          4096 bit RSA key 0x41E7044E1DBA2E89, created: 2014-04-25
Keys 1-1 of 1 for "0x7A029E54DD5DCE7A".  Enter number(s), N)ext, or Q)uit >
# note: 0x7A029E54DD5DCE7A is a signing SUBKEY, so the search returns
# the PRIMARY key 0x41E7044E1DBA2E89 it belongs to

# get the key
gpg --keyserver https://keyserver.ubuntu.com/ --recv-key 0x7A029E54DD5DCE7A
gpg: key 0x41E7044E1DBA2E89: 2 duplicate signatures removed
gpg: key 0x41E7044E1DBA2E89: 40 signatures not checked due to missing keys
gpg: key 0x41E7044E1DBA2E89: public key "F-Droid <admin@f-droid.org>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-02-01
gpg: Total number processed: 1
gpg:               imported: 1

# now one has the public key in the local keyring
# verify again
gpg --verify org.linphone_4125.apk.asc
gpg: assuming signed data in 'org.linphone_4125.apk'
gpg: Signature made Mon 10 Jun 2019 11:30:25 AM CEST
gpg:                using RSA key 0x7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D CE7A
```
congratulations! 🙂
one did it! 🙂
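The two manual checks above (checksum, then signature) as one script, added here as an example and not part of the original post or of F-Droid's own tooling. It assumes sha512sum and gpg are installed, takes the expected sha512sum and the F-Droid primary key fingerprint from the post, and uses a dedicated keyring file (assumed name) holding only the key published next to the download; gpg's `--status-fd` output is parsed so the full primary fingerprint is compared instead of a key id.

```shell
#!/bin/sh
# Added example (not from the original post): scripted version of the post's
# manual checks, exiting non-zero when either check fails. Expected values are
# the ones quoted in the post; the keyring path is an assumption.

# 1) checksum: recompute sha512 of the download and compare with the expected value
check_sha512() {
    file="$1"; expected="$2"
    actual=$(sha512sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# 2) signature: with --status-fd gpg emits machine-readable lines; VALIDSIG
#    carries the signing (sub)key fingerprint and, as its last field, the
#    PRIMARY key fingerprint. Comparing the full 40-hex-digit primary
#    fingerprint (not a short or even a long key id) is the strict form of the
#    post's "ALWAYS USE THE LONG ID" rule and stands in for the missing
#    web-of-trust certification behind the "[unknown]" warning.
#    Reads the status lines on stdin; expected fingerprint (no spaces) in $1.
status_has_primary_fpr() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Run gpg against a dedicated keyring that holds only the key published next
# to the download (filled once with:
#   gpg --no-default-keyring --keyring "$keyring" --import public_key.file)
verify_signature() {
    file="$1"; keyring="$2"; expected="$3"
    gpg --no-default-keyring --keyring "$keyring" --status-fd 1 \
        --verify "$file.asc" "$file" 2>/dev/null | status_has_primary_fpr "$expected"
}

# values from the post for org.linphone_4125.apk and the F-Droid signing key
LINPHONE_SHA512=3f99cfec851f6105d549c2914b7a823467053d11a67cb6d98244202b850d13413fb1cbc52dfacd5d1260cc77409f242d4b0ed0c94aed0fc38cebc4803fdd144f
FDROID_PRIMARY_FPR=37D2C98789D8311948394E3E41E7044E1DBA2E89

# usage: verify_download org.linphone_4125.apk fdroid.kbx   (keyring name assumed)
verify_download() {
    check_sha512 "$1" "$LINPHONE_SHA512" || { echo "checksum MISMATCH"; return 1; }
    verify_signature "$1" "$2" "$FDROID_PRIMARY_FPR" || { echo "signature NOT valid"; return 1; }
    echo "OK: checksum and signature match"
}
```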
more gpg stuff
manpage: