
Signature is invalid to OpenKeychain, but is valid to Linux desktop GnuPG #2907

Open
o-alquimista opened this issue Mar 28, 2024 · 1 comment

Comments


o-alquimista commented Mar 28, 2024

I'm attempting to verify the signature provided by F-Droid for its APK package, but OpenKeychain does not recognize a valid signature in the .asc file, while the Linux desktop GnuPG does.

Links:

Here's the signature data:


Steps to Reproduce (for bugs)

  1. Download the APK package, then its signature with the .asc file extension. Note that, at least on Android, the file extension will be renamed to .key, with no changes to its content.
  2. Use "Open With" on the signature (.asc file) and choose to "Decrypt with OpenKeychain".

Screen recording on Android:

screen-20240328-143755.mp4

Terminal output on Linux desktop:

$ gpg --verify F-Droid.apk.asc
gpg: assuming signed data in 'F-Droid.apk'
gpg: Signature made Sat 22 Jul 2023 08:48:28 AM -03
gpg:                using RSA key 802A9799016112346E1FEFF47A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A

Your Environment

  • Android Version: 13
  • Device Model: Motorola Moto G32 (arm64)
  • OpenKeychain Version: 6.0.4 (60400)
  • From Google Play or F-Droid?: Google Play
@rafaelazvdo

Yes, the application is not capable of PGP signature verification of unencrypted files.
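To make concrete what the "Decrypt with OpenKeychain" step is handed in the reproduction above, and why the reply says there is nothing to verify that way, here is an added example (written for this thread, not OpenKeychain's or F-Droid's code) that dearmors a detached .asc file and reports which OpenPGP packet it contains and who issued it. The sample signature is constructed: it reuses the signing-subkey fingerprint and creation time from the gpg output above but carries a dummy signature value, so it parses like the real file without verifying.

```python
import base64
import struct

# Added example (not OpenKeychain or F-Droid code): dearmor an OpenPGP .asc and report what the
# packet is. A detached signature holds only a signature packet (tag 2): there is nothing to decrypt.
PACKET_TAGS = {2: "signature", 9: "symmetrically encrypted data", 18: "SEIP encrypted data"}
def _crc24(data: bytes) -> int:                    # armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF
def dearmor(text: str) -> bytes:                   # strip BEGIN/END + headers, decode, check CRC
    body = [ln.strip() for ln in text.strip().splitlines()][1:-1]
    while body and (body[0] == "" or ":" in body[0]):  # "Key: value" armor headers, blank line
        body.pop(0)
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if crc_line and int.from_bytes(base64.b64decode(crc_line[1:]), "big") != _crc24(data):
        raise ValueError("armor CRC24 mismatch: file is corrupted or truncated")
    return data
def describe_signature(armored: str) -> dict:      # old-format header (as gpg emits) + v4 sig fields
    data = dearmor(armored)
    tag, off = (data[0] >> 2) & 0x0F, 1 + (1, 2, 4, 0)[data[0] & 3]
    info = {"tag": tag, "kind": PACKET_TAGS.get(tag, "other")}
    if data[0] & 0xC0 != 0x80 or tag != 2 or data[off] != 4:   # only v4 signatures are decoded
        return info
    info["sig_type"], info["pubkey_algo"], info["hash_algo"] = data[off + 1:off + 4]; pos = off + 4
    for _area in ("hashed", "unhashed"):           # both subpacket areas share one layout
        end = pos + 2 + int.from_bytes(data[pos:pos + 2], "big"); pos += 2
        while pos < end:                           # one-octet subpacket lengths (< 192) assumed
            ln, stype = data[pos], data[pos + 1] & 0x7F
            sbody = data[pos + 2:pos + 1 + ln]; pos += 1 + ln
            if stype == 2: info["created"] = int.from_bytes(sbody, "big")
            elif stype == 16: info["issuer_keyid"] = sbody.hex().upper()
            elif stype == 33: info["issuer_fpr"] = sbody[1:].hex().upper()
    return info
def armor(packet: bytes) -> str:                   # the .asc form, CRC24 trailer included
    b64, crc = base64.b64encode(packet).decode(), _crc24(packet).to_bytes(3, "big")
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + base64.b64encode(crc).decode() + "\n-----END PGP SIGNATURE-----\n")
# Constructed sample: the signing-subkey fingerprint and creation time from the gpg output above
# plus a dummy RSA MPI; it parses like a real detached signature but would never verify.
SUBKEY_FPR = bytes.fromhex("802A9799016112346E1FEFF47A029E54DD5DCE7A")
_hashed = bytes([5, 2]) + struct.pack(">I", 1690026508) + bytes([22, 33, 4]) + SUBKEY_FPR
_unhashed = bytes([9, 16]) + SUBKEY_FPR[-8:]       # subpacket = length (counts type), type, body
_body = (bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(_hashed)) + _hashed
         + struct.pack(">H", len(_unhashed)) + _unhashed + b"\x12\x34" + b"\x00\x10\xAB\xCD")
SAMPLE_ASC = armor(bytes([0x89]) + struct.pack(">H", len(_body)) + _body)  # 0x89: old format, tag 2
```

Running `describe_signature` on a real F-Droid.apk.asc should likewise report tag 2, signature type 0x00 (binary document) and the issuer key ID 7A029E54DD5DCE7A shown in the gpg output; a verifier then needs the signed APK alongside it, which is what `gpg --verify` assumes from the file name.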
