This is a list of all signing keys used for F-Droid releases.

F-Droid client app for Android

• git repo: https://gitlab.com/fdroid/fdroidclient
  • git tags signed by “Hans-Christoph Steiner <hans@guardianproject.info>” aka “Hans-Christoph Steiner <hans@eds.org>” aka “Hans-Christoph Steiner <hans@at.or.at>” with fingerprint:
    EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
  • or previously signed by “Daniel Martí <mvdan@mvdan.cc>” aka “Daniel Martí <mvdan@fsfe.org>” with fingerprint:
    A9DA 13CD F7A1 4ACD D3DE E530 F4CA FFDB 4348 041C
• official binary releases: https://f-droid.org/packages/org.fdroid.fdroid
  • GPG signing key: “F-Droid <admin@f-droid.org>”
  • Primary key fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
  • Subkey fingerprint: 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D CE7A

  • APK signing key: ``` Owner: CN=Ciaran Gultnieks, OU=Unknown, O=Unknown, L=Wetherby, ST=Unknown, C=UK Issuer: CN=Ciaran Gultnieks, OU=Unknown, O=Unknown, L=Wetherby, ST=Unknown, C=UK Serial number: 4c49cd00 Valid from: Fri Jul 23 13:10:24 EDT 2010 until: Tue Dec 08 12:10:24 EST 2037 Certificate fingerprints:

    MD5: 17:C5:5C:62:80:56:E1:93:E9:56:44:E9:89:79:27:86 SHA1: 05:F2:E6:59:28:08:89:81:B3:17:FC:9A:6D:BF:E0:4B:0F:A1:3B:4E SHA256: 43:23:8D:51:2C:1E:5E:B2:D6:56:9F:4A:3A:FB:F5:52:34:18:B8:2E:0A:3E:D1:55:27:70:AB:B9:A9:C9:CC:AB ```

  • APK signing certificate fingerprint:

    43238d512c1e5eb2d6569f4a3afbf5523418b82e0a3ed1552770abb9a9c9ccab
    

And here is the whole certificate:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAltB15HwBTngiyJ/Wf3ld
IyA+KohD9Tuk5rG/Xy/Q4iWTgmfPyuf79P5ZY0avuvQHD9uR9m+83yNIo9kkMFAo
JPgFF7FW+rAICb3I5jG/qa/ULZBFq1/W0o2eFAr8EwCRexm3xsTfSklM8ffLSmPI
DXNCZdc1r55PCUVfQnqmWlNWP4ezNsosGdJE/LumF7oLGeVu00r+CyU6uR4v2xJx
8bnjwyMgJ+2IYqES8HBuI0zyNpFLk5vPlZgh7LKmwYBX4HDeNCgEbZSxdeHYm9eV
5TVJmgkfW8ZaedU5qNQ4kexQQFissowIOTtXGLV2AKIR6AP0pjTlxX8lubjEQixv
2QIDAQAB
-----END PUBLIC KEY-----

-----BEGIN CERTIFICATE-----
MIIDXjCCAkagAwIBAgIETEnNADANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJV
SzEQMA4GA1UECBMHVW5rbm93bjERMA8GA1UEBxMIV2V0aGVyYnkxEDAOBgNVBAoT
B1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xGTAXBgNVBAMTEENpYXJhbiBHdWx0
bmlla3MwHhcNMTAwNzIzMTcxMDI0WhcNMzcxMjA4MTcxMDI0WjBxMQswCQYDVQQG
EwJVSzEQMA4GA1UECBMHVW5rbm93bjERMA8GA1UEBxMIV2V0aGVyYnkxEDAOBgNV
BAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xGTAXBgNVBAMTEENpYXJhbiBH
dWx0bmlla3MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCW0HXkfAFO
eCLIn9Z/eV0jID4qiEP1O6Tmsb9fL9DiJZOCZ8/K5/v0/lljRq+69AcP25H2b7zf
I0ij2SQwUCgk+AUXsVb6sAgJvcjmMb+pr9QtkEWrX9bSjZ4UCvwTAJF7GbfGxN9K
SUzx98tKY8gNc0Jl1zWvnk8JRV9CeqZaU1Y/h7M2yiwZ0kT8u6YXugsZ5W7TSv4L
JTq5Hi/bEnHxuePDIyAn7YhioRLwcG4jTPI2kUuTm8+VmCHssqbBgFfgcN40KARt
lLF14dib15XlNUmaCR9bxlp51Tmo1DiR7FBAWKyyjAg5O1cYtXYAohHoA/SmNOXF
fyW5uMRCLG/ZAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAAjk72memAdnf/VnU9pz
77I5DVriwX5NtpHV33p7YPwHGuUJxUFL59XadN8oEeg9NmjEoLGryEufp9lrTN8w
u6aFF60qk+IzsEKXKsBVOkgByevge/V+vpo7PW1mOWUmDlDzuPRtsFMXYeYDQKK9
3DQmCYOX/aVARKF+UkRUn5hptGDKXm4ha29qLbBYC0gMoq/m7GtG7trPpKpFA4gJ
7ODFl4ZT1shfZ45/WiFW0b7dgRd1HmSksNzRQPMECwIYIajZOu2NAbo222yCNyIR
/tcU2aMmBwOM39VlvVKf/GNyEqqiwiTvIrYD7M77W/HghcGR1LJP50KxerP1XU5v
Be8=
-----END CERTIFICATE-----

To confirm that the 1DBA2E89 admin@f-droid.org PGP key is trusted by the index JAR signing key that is built into the F-Droid client app, run these commands:

sudo apt-get install wget vim-common unzip openjdk-8-jdk-headless
wget https://f-droid.org/assets/admin@f-droid.org.jar

# verify against the key embedded in fdroidclient
git clone https://gitlab.com/fdroid/fdroidclient
grep -m1 -Eo '3082035e[0-9a-f]+' fdroidclient/app/src/main/res/values/default_repos.xml | xxd -r -p - > fdroidclient.der
keytool -import -noprompt -trustcacerts -alias fdroidclient -storepass android -file fdroidclient.der -keystore fdroidclient.jks
jarsigner -keystore fdroidclient.jks -storepass android -strict -verify admin@f-droid.org.jar

# verify against the key that signed the index.jar
wget https://f-droid.org/repo/index.jar
unzip -p index.jar META-INF/CIARANG.RSA | openssl pkcs7 -print_certs -inform DER -out index.cer
keytool -import  -noprompt -trustcacerts -alias index -storepass android -file index.cer -keystore index.jks
jarsigner -keystore index.jks -storepass android -strict -verify admin@f-droid.org.jar

# verify against the key that is embedded in this page
wget -O - https://f-droid.org/docs/Release_Channels_and_Signing_Keys/ | openssl x509 -inform pem -outform der -out docs.der
keytool -import -noprompt -trustcacerts -alias docs -storepass android -file docs.der -keystore docs.jks
jarsigner -keystore docs.jks -storepass android -strict -verify admin@f-droid.org.jar

# when satisfied with the verification, import it
unzip admin@f-droid.org.jar admin@f-droid.org.asc
gpg --import admin@f-droid.org.asc
gpg --keyserver keyserver.ubuntu.com --recv-key 37D2C98789D8311948394E3E41E7044E1DBA2E89

fdroidserver

• git repo: https://gitlab.com/fdroid/fdroidserver
  • git tags signed by “Hans-Christoph Steiner <hans@guardianproject.info>” aka “Hans-Christoph Steiner <hans@eds.org>” aka “Hans-Christoph Steiner <hans@at.or.at>” with fingerprint:
    EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
  • or previously “Daniel Martí <mvdan@mvdan.cc>” aka “Daniel Martí <mvdan@fsfe.org>” with fingerprint:
    A9DA 13CD F7A1 4ACD D3DE E530 F4CA FFDB 4348 041C
• source package: https://pypi.python.org/pypi/fdroidserver
  • package tags signed by “Hans-Christoph Steiner <hans@guardianproject.info>” aka “Hans-Christoph Steiner <hans@eds.org>” aka “Hans-Christoph Steiner <hans@at.or.at>” with fingerprint:
    EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556 or previously
    5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
  • release command: python3 setup.py sdist upload --sign
• official Debian package: https://packages.debian.org/fdroidserver
  • package source: https://salsa.debian.org/python-team/packages/fdroidserver.git
  • package tags signed by “Hans-Christoph Steiner <hans@guardianproject.info>” aka “Hans-Christoph Steiner <hans@eds.org>” aka “Hans-Christoph Steiner <hans@at.or.at>” with fingerprint:
    EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556 or previously
    5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
• official Ubuntu PPA: https://launchpad.net/~fdroid/+archive/ubuntu/fdroidserver
  • fingerprint: 9AAC 2531 93B6 5D4D F1D0 A13E EC46 32C7 9C5E 0151
  • how to setup:

    sudo add-apt-repository ppa:fdroid/fdroidserver
    sudo apt-get update
    sudo apt-get install fdroidserver
    

Repomaker

• git repo: https://gitlab.com/fdroid/repomaker
  • git tags signed by “Nico Alt <nicoalt@posteo.de>” with fingerprint:
    558B E907 1CA6 CA44 DBF5 576B 95A0 DAF7 DBC7 B548
• source package: https://pypi.python.org/pypi/repomaker
  • package tags signed by “Nico Alt <nicoalt@posteo.de>” with fingerprint:
    558B E907 1CA6 CA44 DBF5 576B 95A0 DAF7 DBC7 B548
  • release command: python3 setup.py sdist upload --sign

Privileged Extension

• git repo: https://gitlab.com/fdroid/privileged-extension
  • git tags signed by “Hans-Christoph Steiner <hans@guardianproject.info>” aka “Hans-Christoph Steiner <hans@eds.org>” aka “Hans-Christoph Steiner <hans@at.or.at>” with fingerprint:
    EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556

F-Droid Jekyll Plugin

• git repo: https://gitlab.com/fdroid/jekyll-fdroid
  • git tags signed by “Hans-Christoph Steiner <hans@guardianproject.info>” aka “Hans-Christoph Steiner <hans@eds.org>” aka “Hans-Christoph Steiner <hans@at.or.at>” with fingerprint:
    EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556 or “Nico Alt <nicoalt@posteo.de>” with fingerprint:
    558B E907 1CA6 CA44 DBF5 576B 95A0 DAF7 DBC7 B548