md5 checksums could be forged, sha512sums imho not yet, but checking those checksums is straightforward, all one needs is the checksum

  • md5sum for org.linphone_4125.apk should be 3efee7b3b836a72abf327edc55daa4ba
  • sha512sum for org.linphone_4125.apk should be 3f99cfec851f6105d549c2914b7a823467053d11a67cb6d98244202b850d13413fb1cbc52dfacd5d1260cc77409f242d4b0ed0c94aed0fc38cebc4803fdd144f

similar to gpg, one downloads the binary and the checksum file into the same directory and runs:

md5sum -c org.linphone_4125.apk.md5sum.txt
org.linphone_4125.apk: OK

sha512sum -c org.linphone_4125.apk.sha512sum.txt
org.linphone_4125.apk: OK

OK is always GOOD

with pgp things are a little more complex.

pgp itself is working just fine/doing its job (public/private key encryption: anything that is encrypted with the public key can only be decrypted with the private key file).

the handling problem sometimes is: where to get the correct/proper public key for this or that package from?

in theory this job should be done by keyservers – but what keyserver did the author upload one’s public key to? what keyserver to use?

probably best practice for authors: simply link to/publish/post one’s public key next to the download (it could be on a separate webserver).

in the case of f-droid the keyserver to use is: https://keyserver.ubuntu.com (for a different piece of software one has to search again for a keyserver with the proper key… so best practice would be to simply publish one’s public key right next to the download to verify)

example: one wants to verify the integrity of the LinPhone Voice Over IP App: https://f-droid.org/en/packages/org.linphone/

# tested with
hostnamectl 
   Static hostname: DebianLaptop
         Icon name: computer-laptop
  Operating System: Debian GNU/Linux 9 (stretch)
            Kernel: Linux 4.9.0-11-amd64
      Architecture: x86-64

gpg --version
gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# download the app
wget https://f-droid.org/repo/org.linphone_4125.apk
# download the signature
wget https://f-droid.org/repo/org.linphone_4125.apk.asc

# what one would do is "verify"
gpg --verify org.linphone_4125.apk.asc
gpg: assuming signed data in 'org.linphone_4125.apk'
gpg: Signature made Mon 10 Jun 2019 11:30:25 AM CEST
gpg:                using RSA key 0x7A029E54DD5DCE7A
gpg: Can't check signature: No public key

# so there is no public key in the local keyring yet
# but at least one got the long key id of the public key that would be needed
# the hunt for the public key 0x7A029E54DD5DCE7A has begun

# ALWAYS USE THE LONG ID! NOT SHORT ID!
# SHORT ID CAN NOT IDENTIFY KEY PROPERLY!
# (allows fake public key with short id)

# search keyserver ubuntu for key
gpg --keyserver https://keyserver.ubuntu.com/ --search-keys 0x7A029E54DD5DCE7A
gpg: data source: https://162.213.33.8:443
(1)	F-Droid <admin@f-droid.org>
	  4096 bit RSA key 0x41E7044E1DBA2E89, created: 2014-04-25
Keys 1-1 of 1 for "0x7A029E54DD5DCE7A".  Enter number(s), N)ext, or Q)uit > 

# get the key
gpg --keyserver https://keyserver.ubuntu.com/ --recv-key 0x7A029E54DD5DCE7A
gpg: key 0x41E7044E1DBA2E89: 2 duplicate signatures removed
gpg: key 0x41E7044E1DBA2E89: 40 signatures not checked due to missing keys
gpg: key 0x41E7044E1DBA2E89: public key "F-Droid <admin@f-droid.org>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-02-01
gpg: Total number processed: 1
gpg:               imported: 1

# now one has the public key in local store
# verify again
gpg --verify org.linphone_4125.apk.asc 
gpg: assuming signed data in 'org.linphone_4125.apk'
gpg: Signature made Mon 10 Jun 2019 11:30:25 AM CEST
gpg:                using RSA key 0x7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A

congratulations! 🙂

one did it! 🙂
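the "Good signature ... [unknown]" above means gpg exits 0 for any good signature, even from a key that merely turned up in a keyserver search. the following script (an added example, not code from this post or from f-droid) does both checks from above but also pins the signer: it assumes GNU coreutils sha512sum and gpg are installed, and that the primary fingerprint printed by gpg above is the one you decided to trust.

```shell
#!/bin/sh
# Added example (not code from the post): verify a download the way the post
# describes, but pin the signer. gpg exits 0 for ANY good signature, including
# one from a key that merely arrived via a keyserver search, so this compares
# the primary key fingerprint gpg reports against one obtained out of band
# (e.g. published next to the download).

# Primary fingerprint of the F-Droid key as printed by gpg in the post above,
# with the spaces removed. (Assumption: this is the key you decided to trust.)
FDROID_FPR="37D2C98789D8311948394E3E41E7044E1DBA2E89"

# check_sha512 CHECKSUMFILE: succeed only when every line reports OK.
# Run from the directory that holds both the file and the checksum file.
check_sha512() {
    sha512sum -c --status "$1"
}

# primary_fpr_from_status: read gpg --status-fd output on stdin and print the
# primary key fingerprint carried in the VALIDSIG line (12th field). Prints
# nothing when there is no valid signature (e.g. BADSIG, ERRSIG, NO_PUBKEY).
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12 }'
}

# fpr_matches STATUS_TEXT EXPECTED_FPR: 0 when the signature is valid AND was
# made by (a subkey of) the expected primary key, 1 otherwise.
fpr_matches() {
    got=$(printf '%s\n' "$1" | primary_fpr_from_status)
    [ -n "$got" ] && [ "$got" = "$2" ]
}

# verify_apk APK ASC: run gpg with machine-readable status on stdout and
# require a valid signature from the pinned key, not just "exit code 0".
verify_apk() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    fpr_matches "$status" "$FDROID_FPR"
}

# Usage: sh verify.sh org.linphone_4125.apk org.linphone_4125.apk.asc
if [ "$#" -eq 2 ]; then
    verify_apk "$1" "$2" && echo "$1: signed by pinned F-Droid key"
fi
```

if the fingerprint does not match, the file was signed by some key, just not the one you trust, which is exactly the case the keyserver search cannot rule out.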

admin