Notable Public Keys book update (F-Droid, Qubes OS)

Created by Steven Baltakatei Sandoval on 2022-04-11T14:23+00 under a CC BY-SA 4.0 license and last updated on 2023-05-31T19:12+00.

Edit (2023-05-31): Add reboil.com wiki links.

Summary

I updated the Pubkeys book (PDF, GitLab).

New Sections

F-Droid

I added the Android app FOSS repository that I use. The developers publish OpenPGP signatures for the downloadable APK of the F-Droid client, a package manager similar to the Google Play Store app. I had started creating a chapter months ago but hadn't fleshed it out yet due to slow loading times of the F-Droid main website.

From what I can tell, F-Droid didn't publish an OpenPGP signature for their main client's APK file until late 2017. Also, there's no obvious place to download the public key (41E7 044E 1DBA 2E89).

Qubes OS

I saw a Reddit post from someone who was looking to install Qubes OS and wanted a method to verify PGP software in order to verify a Qubes OS installation file. Although I've not yet started a GnuPG chapter (I imagine it will contain a lot of history), I decided I could draft a Qubes OS chapter. Such a chapter would contain the fingerprints necessary to reassure someone looking to download and install Qubes OS for themselves.

I was surprised by how detailed the PGP verification instructions available on the main website were. They have a master key (DDFA 1A3E 3687 9494) that signs each release key; there is one release key per major version (e.g. v1.0, v2.0, etc.).
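
The master-key-signs-release-key arrangement described above can be checked mechanically. The following is an added example, not from the original post or the Qubes OS project: it reads `gpg --with-colons --check-sigs` output and tests for a good certification from the master key ID quoted above. The function name and the sample listing are constructed, and it assumes the master key in the local keyring was already authenticated by its full fingerprint.

```shell
#!/bin/sh
# Added example. Usage (assumed):
#   gpg --with-colons --check-sigs <release-key> | certified_by_master
# Long key ID of the Qubes master key as quoted on this page.
MASTER_ID="DDFA1A3E36879494"

# Exit 0 only if every primary key in the listing is neither revoked nor
# expired and carries a good ("!") certification (class 0x10-0x13) from
# MASTER_ID. Any certification revocation by the master counts as failure.
certified_by_master() {
    awk -F: -v master="$MASTER_ID" '
        $1 == "pub" { n++; good[n] = 0; dead[n] = ($2 ~ /^[re]/) }
        $1 == "sig" && n && toupper($5) == master && $2 ~ /^!/ && $11 ~ /^1[0-3]/ {
            good[n] = 1
        }
        $1 == "rev" && n && toupper($5) == master && $2 ~ /^!/ && $11 ~ /^30/ {
            dead[n] = 1
        }
        END {
            if (n == 0) exit 1          # no key in the input at all
            for (i = 1; i <= n; i++) if (!good[i] || dead[i]) exit 1
            exit 0
        }
    '
}

# Constructed sample listing (not real gpg output): a release key with a
# self-signature and one good certification from the master key ID.
SAMPLE_LISTING='pub:-:4096:1:AAAAAAAAAAAAAAAA:1600000000:::-:::scESC:
uid:-::::1600000000::0000::Constructed Release Key:
sig:!::1:AAAAAAAAAAAAAAAA:1600000000::::Constructed Release Key:13x:
sig:!::1:DDFA1A3E36879494:1600000100::::Constructed Master Key:13x:'

if printf '%s\n' "$SAMPLE_LISTING" | certified_by_master; then
    echo "release key is certified by $MASTER_ID"
else
    echo "no good certification from $MASTER_ID"
fi
```

A "!" in the listing only means the signature verified against the key with that ID in the local keyring, so the result is as trustworthy as the copy of the master key it was checked against.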

Future sections

Here's the short list of upcoming chapters I plan on writing next when the fancy strikes me.

  • GnuPG. Software often used to perform OpenPGP operations.
  • LibreOffice. An alternative to Microsoft Office.
  • Red Hat. A popular commercial GNU/Linux operating system / service company I don't have much experience with but which uses OpenPGP signatures to sign software.