| 10 Sep 2021 |
|  chipox joined the room. | 09:05:44 |
|  gry left the room. | 09:41:42 |
| chipox left the room. | 10:26:23 |
| chipox joined the room. | 10:28:21 |
|  collector joined the room. | 10:30:53 |
| collector left the room. | 10:31:08 |
|  NoGuest17 left the room. | 10:50:05 |
|  didymos joined the room. | 12:10:51 |
| didymos | I'm having trouble with using Openkeychain on my phone to verify fdroid before I click download. What exactly do I want to import? I have tried the public key given above the certificate, in the docs section of the site. Doesn't import a key. What should I do? Appreciate any help, thanks. | 12:16:25 |
| didymos | Tried the public key under the download button, doesn't work. Hmm. | 12:19:19 |
| didymos | I tried both reading it from clipboard and copying it into a .txt file and importing. No keys found | 12:22:02 |
| didymos | * I'm having trouble with using Openkeychain on my phone to verify fdroid before I click download. | 12:22:43 |
| didymos | * Tried the public key under the download button, doesn't work. | 12:24:21 |
| didymos | * I'm having trouble with using OpenKeychain on my phone to verify fdroid before I click download. | 12:24:47 |
 tepozoa | didymos: it's buried deep in a documentation file, but you need to get the public key 37D2C98789D8311948394E3E41E7044E1DBA2E89 from a keyserver; the listed command is: gpg --keyserver keyserver.ubuntu.com --recv-key 37D2C98789D8311948394E3E41E7044E1DBA2E89 | 12:37:50 |
| tepozoa | once you have that in your keyring, you can do the OpenKeychain equivalent of: gpg --verify F-Droid.apk.asc F-Droid.apk | 12:38:25 |
| tepozoa | docs: https://f-droid.org/en/docs/Release_Channels_and_Signing_Keys/ | 12:38:45 |
| didymos | Any way I can do it from my phone using OpenKeychain? Or will I have to hop on my laptop (running Ubuntu) to fetch the key with the command you gave, and confirm on my laptop with gpa? | 12:55:48 |
| didymos | * Any way I can do it from my phone using OpenKeychain? Or will I have to hop on my laptop (running Ubuntu) to fetch the key with the command you gave, and confirm with gpa? | 12:56:10 |
| tepozoa | alas, I understand what you're asking but I don't actually use OpenKeychain (I tried it once many moons ago, no hate) - the technical phrase in this scenario is called a "detached signature" if that helps narrow in on HowTo (let's google) | 13:01:05 |
| tepozoa | https://github.com/open-keychain/open-keychain/issues/1380 first google hit | 13:01:41 |
| tepozoa | (well, searx :) ) | 13:01:51 |
| tepozoa | didymos: yeah a quick read of that ^ issue shows that OpenKeychain doesn't support detached signature verifications | 13:02:48 |
| tepozoa | I wonder, does Termux have a commandline gpg? that might be something you could do on-device? | 13:03:29 |
| didymos | In reply to @_oftc_tepozoa:matrix.org
didymos: yeah a quick read of that ^ issue shows that OpenKeychain doesn't support detached signature verifications Thanks for the help! appreciate it! :) | 13:05:16 |
| tepozoa | outside the box thinking: you could use a SSH client on your mobile to SSH into a cloud server you own (whatever), run the wget/curl/gpg work over that, then download that verified APK from your server to your mobile. That should satisfy your chain of trust model | 13:07:40 |
 εΉΈη« (πππΎπ/πππΎπ) | In reply to @_oftc_tepozoa:matrix.org
I wonder, does Termux have a commandline gpg? that might be something you could do on-device? yes. | 13:30:30 |
|  ConfusiBailari left the room. | 13:47:10 |
| didymos | Im on my laptop now. I've fetched the keys with the command tepozoa gave. But as for verifying the signature, I copird the PGP signature listed under the download button on f-droid.org. I then went into gpa GUI and got bad signature. I tried copy and pasting the signature into a .txt file and ran the command: gpg --verify and get verify failed no such file.
What am I doing wrong here? | 14:33:20 |
| didymos | * Im on my laptop now. I've fetched the keys with the command tepozoa gave. But as for verifying the signature, I copied the PGP signature listed under the download button on f-droid.org. I then went into gpa GUI and got bad signature. I tried copy and pasting the signature into a .txt file and ran the command: gpg --verify <file name> and get verify failed no such file.
What am I doing wrong here? | 14:33:39 |
