
How do I verify / validate the APKs available here on GitHub? Are the checksum hashes not on alternate servers from GitHub for assured validation? #745

Closed
M0nty-Pyth0n opened this issue Feb 10, 2021 · 8 comments

@M0nty-Pyth0n

M0nty-Pyth0n commented Feb 10, 2021

Hi, Catfriend - How do I verify / validate the APKs available for download here on GitHub? I did see a similar posting for this https://github.com/Catfriend1/syncthing-android/wiki/Switch-between-releases_Verify-APK-is-genuine but are the checksum hashes not also on alternate servers from GitHub for assured validation (the APK and key are on the same server)? I was wondering too if there were sha256 sums or PGP keys anywhere.

I am trying to back out of the gplay nightmare with Android 11 / syncthing-fork limitation so I can install a version that allows me to export my existing syncthing-fork setup.

I think I will end up installing the Google Play full version, exporting the pre-existing config, uninstalling the Google Play version, and finally installing the GitHub version and importing the saved config. I'd like to install the F-Droid app to install your F-Droid version of the syncthing-android app, but no one can give me a straightforward explanation of how to verify their F-Droid app -- various tools error out when trying to do verifications and other sites say don't trust F-Droid's APK.

I'm trying to get this behind me and move on. So far my synchronizations/backups have been halted for days. So it stinks. Thank you Google Android for your surprises and schizophrenia!! I still remember their stroke... erh, of genius ...(?) with SD card access where devices would get stuck in infinite reboot loops when the device tried to access or scan the SD card at boot time... brilliance

Anyway, thanks in advance.

@M0nty-Pyth0n M0nty-Pyth0n changed the title How do I verify / validate the apk's? I saw the posting for this but are the checksum hashes not also on alternate servers from github for assured validation (the apk and key are on the same server)? How do I verify / validate the apk's available here on github? Are the checksum hashes not on alternate servers from github for assured validation? Feb 10, 2021
@Catfriend1
Owner

@M0nty-Pyth0n Hi, it's not like a file checksum, but APKs are signed with an RSA key belonging to their authors and/or Google Play. If you for example download Gplay full from GitHub, you can run the keytool command mentioned on the wiki article and get "dQAnHXvlh80yJgrQUCo6LAg4294=". This string is a checksum of my own signing certificate, so getting it means the APK is genuine. If you get something else, that would mean the file you downloaded is not the file I originally released.

I myself consider F-Droid very safe. You can go to https://f-droid.org/repo/org.fdroid.fdroid_1011050.apk and you're onboarded safely :-). F-Droid has its own APK signature and they also keep their signing keys very safe as I've read on their forum a while ago.

@Catfriend1 Catfriend1 self-assigned this Feb 10, 2021
@M0nty-Pyth0n
Author

M0nty-Pyth0n commented Feb 10, 2021

Hi Catfriend, Thanks so much for replying. Hypothetically speaking then, there is no way someone could edit an apk, put in their own key, and publish the apk and overwrite with their key on same wiki? This device of mine I will be installing on is one of my more trusted/carefully updated devices (well, apart from the auto installation of android 11 anyway...), so I'm paranoid of not properly verifying things before I install. I did previously run that jarsigner command on my Linux machine and it did match the wiki published key.

Now that you confirmed the key I obviously know it was not tampered with. I have very little experience creating apks and no experience with properly signing them (java jar files, a little). So I am more familiar with simple checksums and pgp keys. Thus my confusion.

Do publishers also put their keys in keystores as well? When working with QubesOS (again not an apk scenario), they would have the important keys on multiple separate devices / in separate mediums -- so no one could compromise the system by hacking just a single server. For instance they put their keys on their main web site and then at least on one other, in a discussion group posting on a separate web server (a reference which could be mentioned later and also easily searchable online).

Since I am talking directly with you, would you be so kind as to confirm the keys for the github and FDroid versions of Syncthing-fork mentioned on the wiki?

As far as the F-Droid app market installer, that link I previously included was their recommendations for verifying, yet their recommended commands errored out for me. I just think if you can't verify something as significant as a Google Play store replacement market app, it could become a malicious backdoor gateway real fast. How would you go about verifying their APK installer for F-Droid? Maybe again I'm confusing the usual checksum or PGP verification (but then again I seem to remember they did not mention an additional, alternate site for cross-referencing the APK fingerprints).

Anyway I run on.

Thanks again for your quick help and for developing the Syncthing-fork :)

Cheers!

Anyway

@Catfriend1
Owner

Catfriend1 commented Feb 10, 2021

@M0nty-Pyth0n So what you've done for verifying looks OK. It's just RSA knowledge I have about this. Devs keep the private part of the signing key and that guarantees no one else can use it to sign. But an attacker could make a package having the same package ID and sign it with their own key (generating another hash as mentioned on the wiki). The wiki hashes are still applicable as I've never changed my keys. For F-Droid, please kindly ask your question at https://forum.f-droid.org . There are many security-conscious people knowing better than me and I think they'll be happy to answer your question. Speaking generally: you only have a risk when installing an APK for the first time (as then your OS doesn't know the developer's correct signature) and afterwards, Android will only let you update if the new APK is also signed with the signature of the older version - meaning you can only update from the same dev+release combo.

UPDATE: https://forum.f-droid.org/t/apkpure-apk-verification-reports-modified-untrusted-modified-f-droid-apk-file

@M0nty-Pyth0n
Author

M0nty-Pyth0n commented Feb 11, 2021

Thanks Catfriend. Sorry I don't mean to belabor you. So just as a sanity check :), would you mind looking closely at these and confirm these are the applicable keys?: (I found these here on github).

GitHub APK: 2ScaPj41giu4vFh+Y7Q0GJTqwbA=

F-Droid APK: nyupq9aU0x6yK8RHaPra5GbTqQY=

Already confirmed:
Google Play APK: dQAnHXvlh80yJgrQUCo6LAg4294=

I guess I worry that they are vulnerable being on the same server.

I appreciate your taking the time to answer!

(and yes that was my posting on FDroid. That's why I originally included a link as a related reference :)

Cheers and be Blessed!!

@Catfriend1
Owner

I've got on my local machine:

release_types = {
    "2ScaPj41giu4vFh+Y7Q0GJTqwbA=": "GitHub",
    "nyupq9aU0x6yK8RHaPra5GbTqQY=": "F-Droid",
    "dQAnHXvlh80yJgrQUCo6LAg4294=": "Google Play"
}
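As an added example (not code from the syncthing-android project or its wiki), the following stdlib-only Python script automates the check described in the two maintainer replies above: it pulls the signer certificate out of an APK's JAR (v1) signature block under META-INF/ and matches its fingerprint against the three values in the release_types mapping. It assumes the wiki fingerprint format is base64 of the SHA-1 digest of the signer certificate's DER encoding (the 28-character strings above are consistent with that), and that the APK carries a v1 signature block; APKs signed only with the v2/v3 scheme keep the certificate in the APK Signing Block instead, which this parser does not read, so use `apksigner verify --print-certs` for those. The `build_demo_apk` fixture constructs a minimal, non-signing PKCS#7 blob so the block runs offline; a constructed certificate is, as expected, reported as an unknown signer against the published keys. Fingerprinting the embedded certificate tells you which key the APK claims to be signed with; it does not verify the signature over the APK contents, which is what `apksigner verify` (and the Android installer) check, so run both.

```python
import base64
import hashlib
import io
import zipfile

# Fingerprints exactly as posted by the maintainer in this issue.
RELEASE_TYPES = {
    "2ScaPj41giu4vFh+Y7Q0GJTqwbA=": "GitHub",
    "nyupq9aU0x6yK8RHaPra5GbTqQY=": "F-Droid",
    "dQAnHXvlh80yJgrQUCo6LAg4294=": "Google Play",
}
OID_SIGNED_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # 1.2.840.113549.1.7.2


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; returns (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, inner_value, full_tlv_bytes) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, end = _read_tlv(value, pos)
        yield tag, inner, value[pos:end]
        pos = end


def certificates_from_pkcs7(der):
    """Return the DER bytes of each certificate carried in a PKCS#7 SignedData blob."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    tag, content_info, _ = _read_tlv(der, 0)
    kids = list(_children(content_info))
    if tag != 0x30 or len(kids) != 2 or kids[0][1] != OID_SIGNED_DATA or kids[1][0] != 0xA0:
        raise ValueError("not a PKCS#7 SignedData ContentInfo")
    _, signed_data, _ = _read_tlv(kids[1][1], 0)
    # SignedData ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
    #                           certificates [0] IMPLICIT SET OF Certificate OPTIONAL, ... }
    for t, inner, _ in _children(signed_data):
        if t == 0xA0:
            return [full for ct, _, full in _children(inner) if ct == 0x30]
    return []


def cert_fingerprint(cert_der):
    """base64(SHA-1(certificate DER)): the 28-character form the wiki lists (assumed)."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def signer_fingerprints(apk):
    """Fingerprints of every signer certificate in the APK's v1 (JAR) signature blocks."""
    found = set()
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                found.update(cert_fingerprint(c) for c in certificates_from_pkcs7(z.read(name)))
    return found


def classify_apk(apk, known=RELEASE_TYPES):
    """Return (verdict, detail); verdict is 'ok', 'unsigned', 'unknown-signer' or 'mixed'."""
    fps = signer_fingerprints(apk)
    if not fps:
        return "unsigned", "no v1 signature block (v2/v3-only APKs need apksigner)"
    unknown = sorted(fps - set(known))
    if unknown:  # not one of the published keys: treat as not the maintainer's release
        return "unknown-signer", unknown
    flavours = sorted({known[f] for f in fps})
    return ("ok", flavours[0]) if len(flavours) == 1 else ("mixed", flavours)


def _der(tag, payload):
    """Encode one DER TLV (fixture helper; long-form length when needed)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_demo_apk(cert_der):
    """Constructed fixture: in-memory zip whose META-INF/CERT.RSA is a minimal PKCS#7
    SignedData embedding cert_der. Not a valid signature, only the structure parsed above."""
    signed_data = _der(0x30, b"".join([
        _der(0x02, b"\x01"),                                      # version
        _der(0x31, b""),                                          # digestAlgorithms (empty)
        _der(0x30, _der(0x06, OID_SIGNED_DATA[:-1] + b"\x01")),   # encapContentInfo: id-data
        _der(0xA0, cert_der),                                     # certificates [0] IMPLICIT
        _der(0x31, b""),                                          # signerInfos (empty)
    ]))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", _der(0x30, _der(0x06, OID_SIGNED_DATA) + _der(0xA0, signed_data)))
    buf.seek(0)
    return buf
```

For a real download, `classify_apk("syncthing-fork.apk")` returns `("ok", "GitHub")` only when the embedded certificate hashes to the GitHub value in the mapping; any other certificate yields `unknown-signer`, which is exactly the "attacker re-signed it with their own key" case the maintainer describes, and an APK with no META-INF signature block yields `unsigned` so the reader knows to fall back to `apksigner`.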

@M0nty-Pyth0n
Author

Thank you for the latest correspondence. That's exactly what I was looking for!

Cheers

@M0nty-Pyth0n
Author

Well I'm back up and running but with the github version this time. I guess until I move over to f-Droid, I'll have to keep checking for new release notifications for your github version and manually upgrade from git.

Incidentally, what is the best way to securely delete the export I created for the switch over? I used Simple File Manager Pro from Simple Mobile Tools but did not see a Trash or Recycle bin to empty. Or does Android securely delete files when you remove them? I don't want them hanging around in a temporary deleted state or in some recent file cache either. It doesn't sound like I should keep these around unsecured at any rate (unless I've saved them to my encrypted storage).

Anyway, thanks again. I really appreciated your help! :)

(And I promise I won't keep bugging you with questions...)

Cheers

@Catfriend1
Owner

Hmm... I don't know if Android supports something like sdelete (Windows tool). If the manufacturer hasn't added one, there should be no trashcan. Simple File Manager is pretty good, using it as well here.
