F-Droid - Free and Open Source Android App Repository

7240 Members
F-Droid, the free and open source app repository (official room) | https://f-droid.org | https://forum.f-droid.org | https://floss.social/@fdroidorg | #fdroid-space:f-droid.org | For development discussion use #fdroid-dev:f-droid.org | This channel is accesible via IRC, Matrix, Telegram and XMPP | Room history is public | Please don't edit your messages, it is spammy to users on IRC and XMPP309 Servers

Load older messages


SenderMessageTime
10 Sep 2021
@_oftc_chipox:matrix.orgchipox joined the room.09:05:44
@_oftc_gry:matrix.orggry left the room.09:41:42
@_oftc_chipox:matrix.orgchipox left the room.10:26:23
@_oftc_chipox:matrix.orgchipox joined the room.10:28:21
@_oftc_collector:matrix.orgcollector joined the room.10:30:53
@_oftc_collector:matrix.orgcollector left the room.10:31:08
@_oftc_NoGuest17:matrix.orgNoGuest17 left the room.10:50:05
@didymos:matrix.orgdidymos joined the room.12:10:51
@didymos:matrix.orgdidymosI'm having trouble with using Openkeychain on my phone to verify fdroid before I click download. What exactly do I want to import? I have tried the public key given above the certificate, in the docs section of the site. Doesn't import a key. What should I do? Appreciate any help, thanks. 12:16:25
@didymos:matrix.orgdidymosTried the public key under the download button, doesn't work. Hmm. 12:19:19
@didymos:matrix.orgdidymosI tried both reading it from clipboard and copying it into a .txt file and importing. No keys found 12:22:02
@didymos:matrix.orgdidymos* I'm having trouble with using Openkeychain on my phone to verify fdroid before I click download. 12:22:43
@didymos:matrix.orgdidymos* Tried the public key under the download button, doesn't work.12:24:21
@didymos:matrix.orgdidymos* I'm having trouble with using OpenKeychain on my phone to verify fdroid before I click download. 12:24:47
@_oftc_tepozoa:matrix.orgtepozoa didymos: it's buried deep in a documentation file, but you need to get the public key 37D2C98789D8311948394E3E41E7044E1DBA2E89 from a keyserver; the listed command is: gpg --keyserver keyserver.ubuntu.com --recv-key 37D2C98789D8311948394E3E41E7044E1DBA2E89 12:37:50
@_oftc_tepozoa:matrix.orgtepozoaonce you have that in your keyring, you can do the OpenKeychain equivalent of: gpg --verify F-Droid.apk.asc F-Droid.apk12:38:25
@_oftc_tepozoa:matrix.orgtepozoadocs: https://f-droid.org/en/docs/Release_Channels_and_Signing_Keys/12:38:45
@didymos:matrix.orgdidymosAny way I can do it from my phone using OpenKeychain? Or will I have to hop on my laptop (running Ubuntu) to fetch the key with the command you gave, and confirm on my laptop with gpa? 12:55:48
@didymos:matrix.orgdidymos* Any way I can do it from my phone using OpenKeychain? Or will I have to hop on my laptop (running Ubuntu) to fetch the key with the command you gave, and confirm with gpa? 12:56:10
@_oftc_tepozoa:matrix.orgtepozoa alas, I understand what you're asking but I don't actually use OpenKeychain (I tried it once many moons ago, no hate) - the technical phrase in this scenario is called a "detached signature" if that helps narrow in on HowTo (let's google) 13:01:05
@_oftc_tepozoa:matrix.orgtepozoahttps://github.com/open-keychain/open-keychain/issues/1380 first google hit13:01:41
@_oftc_tepozoa:matrix.orgtepozoa(well, searx :) )13:01:51
@_oftc_tepozoa:matrix.orgtepozoa didymos: yeah a quick read of that ^ issue shows that OpenKeychain doesn't support detached signature verifications 13:02:48
@_oftc_tepozoa:matrix.orgtepozoaI wonder, does Termux have a commandline gpg? that might be something you could do on-device?13:03:29
@didymos:matrix.orgdidymos
In reply to @_oftc_tepozoa:matrix.org
didymos: yeah a quick read of that ^ issue shows that OpenKeychain doesn't support detached signature verifications
Thanks for the help! appreciate it! :)
13:05:16
@_oftc_tepozoa:matrix.orgtepozoaoutside the box thinking: you could use a SSH client on your mobile to SSH into a cloud server you own (whatever), run the wget/curl/gpg work over that, then download that verified APK from your server to your mobile. That should satisfy your chain of trust model13:07:40
@obfusk:matrix.org幸猫 (𝗍𝗁𝖾𝗒/𝗍𝗁𝖾𝗆)
In reply to @_oftc_tepozoa:matrix.org
I wonder, does Termux have a commandline gpg? that might be something you could do on-device?
yes.
13:30:30
@confusibailari:matrix.orgConfusiBailari left the room.13:47:10
@didymos:matrix.orgdidymos Im on my laptop now. I've fetched the keys with the command tepozoa gave. But as for verifying the signature, I copird the PGP signature listed under the download button on f-droid.org. I then went into gpa GUI and got bad signature. I tried copy and pasting the signature into a .txt file and ran the command: gpg --verify and get verify failed no such file. What am I doing wrong here? 14:33:20
@didymos:matrix.orgdidymos* Im on my laptop now. I've fetched the keys with the command tepozoa gave. But as for verifying the signature, I copied the PGP signature listed under the download button on f-droid.org. I then went into gpa GUI and got bad signature. I tried copy and pasting the signature into a .txt file and ran the command: gpg --verify <file name> and get verify failed no such file. What am I doing wrong here? 14:33:39

Show newer messages


Back to Room ListRoom Version: 6