{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreib4cme3ykpz5bnv2xhnhj6a5wgpg2igvz7iwbfp3ze7yrjypjpl3u",
    "uri": "at://did:plc:34cg4tn4iwemk3v5k3n3adwf/app.bsky.feed.post/3mlmwl4rmufl2"
  },
  "path": "/t/verify-apk-file-downloaded/34332#post_3",
  "publishedAt": "2026-05-12T03:13:42.000Z",
  "site": "https://forum.f-droid.org",
  "tags": [
    "@waino"
  ],
  "textContent": "In agreement with @waino the original poster: \"I see there is a PGP signature provided with each apk, \" presumably this is the strong contributing factor to the statement in each APK download section: “It is built and signed by F-Droid, and guaranteed to correspond to this source tarball.” I can’t figure out how to check the PGP signature. The key for the F-Droid.apk does not verify another APK. What key is used to check another APK? I tried using the same key used to verify the FDroid APK to verify against the individual APKs which you download using the FDroid APK as the original poster has said each of those do have a PGP signature but they do not verify so the question is presumably what PGP keys are used to sign every individual app I would suppose presumably it’s a key from the buildserver of which builds it which automatically signs it during the process of building it.",
  "title": "Verify apk file downloaded?"
}