- md5sum for org.linphone_4125.apk should be 3efee7b3b836a72abf327edc55daa4ba
- sha512sum for org.linphone_4125.apk should be 3f99cfec851f6105d549c2914b7a823467053d11a67cb6d98244202b850d13413fb1cbc52dfacd5d1260cc77409f242d4b0ed0c94aed0fc38cebc4803fdd144f
similar to the gpg case below: download the binary and the checksum file into the same directory (the checksum file has to contain the hash, two spaces and the file name, otherwise -c cannot find the file) and run:
md5sum -c org.linphone_4125.apk.md5sum.txt
org.linphone_4125.apk: OK
sha512sum -c org.linphone_4125.apk.sha512sum.txt
org.linphone_4125.apk: OK
OK means the file on disk hashes to the value in the checksum file, so it arrived intact and was not corrupted on the way. it does NOT prove who published it: whoever can swap the apk on the server can swap the checksum file next to it just as easily, and md5 has long been broken for collisions, so of the two it is the sha512 check that counts. for authenticity (who signed this?) one needs a signature, which is where pgp comes in.
with pgp things are a little more complex.
pgp itself is working just fine/doing its job (public/private key cryptography: the author signs the file with the private key, and anybody holding the matching public key can check that signature; encryption works the other way round, anything encrypted with the public key can only be decrypted with the private key).
the handling problem sometimes is: where to get the correct/proper public key for this or that package from?
in theory this job should be done by keyservers – but which keyserver did the author upload the public key to? which keyserver should one use? (and a keyserver only hands out keys, it does not vouch for who owns them: anybody can upload a key with any name and e-mail address on it)
probably the best practice for authors: simply link to/publish/post the public key (or at least its full fingerprint) next to the download (it could be on a separate webserver).
in the case of f-droid a keyserver that has the key is: https://keyserver.ubuntu.com (for a different piece of software one has to search again for a keyserver with the proper key... so the best practice would be to simply publish the public key straight next to the download one wants to verify)
example: one wants to verify the integrity of the LinPhone Voice Over IP App: https://f-droid.org/en/packages/org.linphone/
# tested with
hostnamectl
   Static hostname: DebianLaptop
         Icon name: computer-laptop
  Operating System: Debian GNU/Linux 9 (stretch)
            Kernel: Linux 4.9.0-11-amd64
      Architecture: x86-64

gpg --version
gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# download the app
wget https://f-droid.org/repo/org.linphone_4125.apk

# download the signature
wget https://f-droid.org/repo/org.linphone_4125.apk.asc

# what one would do is "verify"
gpg --verify org.linphone_4125.apk.asc
gpg: assuming signed data in 'org.linphone_4125.apk'
gpg: Signature made Mon 10 Jun 2019 11:30:25 AM CEST
gpg:                using RSA key 0x7A029E54DD5DCE7A
gpg: Can't check signature: No public key

# so the public key is not in the local keyring
# but at least the signature tells which key made it: the long key id 0x7A029E54DD5DCE7A
# (this is the id of the signing subkey; the primary key has a different id, see below)
# the hunt for the public key 0x7A029E54DD5DCE7A has begun
# ALWAYS USE THE LONG ID! NOT THE SHORT ID!
# THE SHORT (32 bit) ID CAN NOT IDENTIFY A KEY PROPERLY!
# (anybody can generate a fake public key with the same short id)
# even the long id is only 64 bit: what really identifies a key is the full fingerprint

# search keyserver ubuntu for the key
gpg --keyserver https://keyserver.ubuntu.com/ --search-keys 0x7A029E54DD5DCE7A
gpg: data source: https://22.214.171.124:443
(1)     F-Droid <email@example.com>
          4096 bit RSA key 0x41E7044E1DBA2E89, created: 2014-04-25
Keys 1-1 of 1 for "0x7A029E54DD5DCE7A".  Enter number(s), N)ext, or Q)uit >

# get the key
gpg --keyserver https://keyserver.ubuntu.com/ --recv-key 0x7A029E54DD5DCE7A
gpg: key 0x41E7044E1DBA2E89: 2 duplicate signatures removed
gpg: key 0x41E7044E1DBA2E89: 40 signatures not checked due to missing keys
gpg: key 0x41E7044E1DBA2E89: public key "F-Droid <firstname.lastname@example.org>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-02-01
gpg: Total number processed: 1
gpg:               imported: 1

# now the public key is in the local keyring
# verify again
gpg --verify org.linphone_4125.apk.asc
gpg: assuming signed data in 'org.linphone_4125.apk'
gpg: Signature made Mon 10 Jun 2019 11:30:25 AM CEST
gpg:                using RSA key 0x7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <email@example.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D CE7A
one did it! 🙂 well, almost: "Good signature" means the apk is exactly what the holder of key 0x7A029E54DD5DCE7A signed. the "[unknown]" and the WARNING mean gpg has no reason to believe that this key belongs to F-Droid: it was fetched from a keyserver by key id, and anybody can upload a key there under any name. before trusting the result, compare the primary key fingerprint 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89 with one obtained from the project itself (e.g. its website over https), and only then it is really done.
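to turn the whole procedure (checksum, signature, fingerprint comparison) into something repeatable, here is an added example script; it is not from the original post and not F-Droid's own tooling. it runs the sha512 check, runs gpg with --status-fd so the result can be parsed instead of eyeballing "Good signature", and then refuses the file unless the primary key fingerprint in gpg's VALIDSIG line equals a pinned expected fingerprint. the pinned value is the fingerprint gpg printed above; that it really is F-Droid's key is an assumption that has to be confirmed out of band. the file naming (FILE, FILE.sha512sum.txt, FILE.asc) is the one from this page, and the gpg status lines embedded in the script are constructed sample data for the offline self-test, not captured output.

```shell
#!/bin/sh
# Added example (not from the original post or from F-Droid): verify an F-Droid apk
# by checksum, by signature, and by pinning the signing key's primary fingerprint.
#
# ASSUMPTION: this is the primary key fingerprint gpg printed in the session above;
# confirm it against a source independent of the keyserver before relying on it.
EXPECTED_FPR="37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89"

# Constructed sample of what "gpg --status-fd 1 --verify" emits for a good
# signature (not captured output). The last field of VALIDSIG is the fingerprint
# of the PRIMARY key, even when a subkey (here 0x7A029E54DD5DCE7A) made the signature.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 37D2C98789D8311948394E3E41E7044E1DBA2E89 0
[GNUPG:] SIG_ID constructedSigIdXXXXXXXXXXX 2019-06-10 1560159025
[GNUPG:] GOODSIG 7A029E54DD5DCE7A F-Droid <user@example.org>
[GNUPG:] VALIDSIG 802A9799016112346E1FEFF47A029E54DD5DCE7A 2019-06-10 1560159025 0 4 0 1 10 00 37D2C98789D8311948394E3E41E7044E1DBA2E89
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# primary_fpr_from_status: read gpg status lines on stdin and print the primary key
# fingerprint from the VALIDSIG line. Exit 1 if there is no VALIDSIG (bad signature,
# no public key, no signature at all). Only a 40-hex-digit (v4 key) fingerprint counts.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && length($NF) == 40 { print $NF; found = 1 }
         END { exit !found }'
}

# fingerprint_matches EXPECTED ACTUAL: compare ignoring spaces and letter case.
# An empty ACTUAL never matches, so a missing VALIDSIG can never pass.
fingerprint_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$want" = "$got" ]
}

# verify_apk FILE: expects FILE, FILE.sha512sum.txt ("<hash>  <name>" format) and
# FILE.asc in the current directory, and the public key already in the keyring.
# Returns 0 only if checksum, signature AND pinned fingerprint all agree.
verify_apk() {
    file="$1"
    sha512sum -c "$file.sha512sum.txt" >/dev/null || { echo "checksum mismatch"; return 1; }
    # --status-fd 1 puts the machine-readable result on stdout; human text goes to stderr.
    status=$(gpg --status-fd 1 --verify "$file.asc" "$file" 2>/dev/null) \
        || { echo "gpg: signature not valid"; return 1; }
    got=$(printf '%s\n' "$status" | primary_fpr_from_status) \
        || { echo "gpg: no VALIDSIG line"; return 1; }
    if fingerprint_matches "$EXPECTED_FPR" "$got"; then
        echo "OK: $file signed by primary key $got"
    else
        echo "REFUSED: signed by $got, expected $EXPECTED_FPR"
        return 1
    fi
}

# usage: ./verify-apk.sh org.linphone_4125.apk
if [ "$#" -gt 0 ]; then
    verify_apk "$1"
fi
```

the point of the pin: "Good signature" plus a fingerprint that equals what the project published is the check that a keyserver alone cannot give; a key uploaded by a stranger under the name "F-Droid" would produce a perfectly good signature and be refused here only because its fingerprint is different.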