10 Sep 2021 |
didymos | I'm having trouble using OpenKeychain on my phone to verify F-Droid before I click download. What exactly do I want to import? I have tried the public key given above the certificate, in the docs section of the site. Doesn't import a key. What should I do? Appreciate any help, thanks. | 12:16:25 |
didymos | Tried the public key under the download button, doesn't work. Hmm. | 12:19:19 |
didymos | I tried both reading it from clipboard and copying it into a .txt file and importing. No keys found | 12:22:02 |
tepozoa | didymos: it's buried deep in a documentation file, but you need to get the public key 37D2C98789D8311948394E3E41E7044E1DBA2E89 from a keyserver; the listed command is: gpg --keyserver keyserver.ubuntu.com --recv-key 37D2C98789D8311948394E3E41E7044E1DBA2E89 | 12:37:50 |
tepozoa | once you have that in your keyring, you can do the OpenKeychain equivalent of: gpg --verify F-Droid.apk.asc F-Droid.apk | 12:38:25 |
tepozoa | docs: https://f-droid.org/en/docs/Release_Channels_and_Signing_Keys/ | 12:38:45 |
didymos | Any way I can do it from my phone using OpenKeychain? Or will I have to hop on my laptop (running Ubuntu) to fetch the key with the command you gave, and confirm on my laptop with gpa? | 12:55:48 |
tepozoa | alas, I understand what you're asking but I don't actually use OpenKeychain (I tried it once many moons ago, no hate) - the technical phrase in this scenario is called a "detached signature" if that helps narrow in on HowTo (let's google) | 13:01:05 |
tepozoa | https://github.com/open-keychain/open-keychain/issues/1380 first google hit | 13:01:41 |
tepozoa | (well, searx :) ) | 13:01:51 |
tepozoa | didymos: yeah a quick read of that ^ issue shows that OpenKeychain doesn't support detached signature verifications | 13:02:48 |
tepozoa | I wonder, does Termux have a commandline gpg? that might be something you could do on-device? | 13:03:29 |
didymos | In reply to tepozoa ("didymos: yeah a quick read of that ^ issue shows that OpenKeychain doesn't support detached signature verifications"): Thanks for the help! Appreciate it! :) | 13:05:16 |
tepozoa | outside the box thinking: you could use an SSH client on your mobile to SSH into a cloud server you own (whatever), run the wget/curl/gpg work over that, then download that verified APK from your server to your mobile. That should satisfy your chain of trust model | 13:07:40 |
εΉΈη« (πππΎπ/πππΎπ) | In reply to tepozoa ("I wonder, does Termux have a commandline gpg? that might be something you could do on-device?"): yes. | 13:30:30 |
didymos | I'm on my laptop now. I've fetched the keys with the command tepozoa gave. But as for verifying the signature, I copied the PGP signature listed under the download button on f-droid.org. I then went into the gpa GUI and got bad signature. I tried copying and pasting the signature into a .txt file and ran the command: gpg --verify <file name> and get verify failed no such file.
What am I doing wrong here? | 14:33:20 |