F-Droid repository for Trustroots

20 February, 2019 — Platschi

There are happy folks out there who do not (wish to) use the proprietary Play Store to get their Android phone applications. A great alternative is F-Droid, "an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform".

Due to various technological reasons, the Trustroots app currently cannot be integrated into the "official" F-Droid repository. But fear no more, F-Droid by design has been created to allow everyone to create and use their own repositories full of apps they prefer to use. How awesome is that?

Fast forward, after recently realizing that Trustroots must be manually downloaded by users who wish to avoid the "Play Store", I set up my own repository to allow an easy workflow for the Trustroots app installation and upgrades of future versions of the Trustroots app. Everybody is welcome to use this repository for their own purposes.

Quick guide for impatient travellers

The tutorial assumes that you already have F-Droid installed on your device. If not, do it now.

Open F-Droid and visit Settings -> Repositories and click the small + to add a new repository:

Repository address: https://platschi.net/fdroid/repo
Fingerprint: 2740 3908 C610 6BAC BF26 9C4F 94C7 21D7 8E45 EE81 EFA3 71CB 7D3C 069D 0D6C D6E5

Or just scan (or click on) this image and open the link with F-Droid:

Now update your repositories (swipe down within F-Droid App on the Latest, Categories or Updates tab) and after a few seconds, the Trustroots app can be found when searching for it. It should be filed under the category "Navigation".

Note that it sometimes can take a few minutes until the apps show up. Just be patient :)

Of course, there's also an archive available which will include older versions of the apps provided:

Archive address: https://platschi.net/fdroid/archive
Fingerprint: 2740 3908 C610 6BAC BF26 9C4F 94C7 21D7 8E45 EE81 EFA3 71CB 7D3C 069D 0D6C D6E5

More Details

Of course, if you download the app from Google, you have to trust them not to tamper with it. While they most likely won't, all your activity and interaction with the Play Store will be recorded, stored, analyzed, and who knows what. With my F-Droid repository, you only have to trust me to some degree that I did not tamper with the source code of the provided apps. The repository and server do not keep any records on the use and visitors of this repository (see privacy notice).

The full repository can be found at platschi.net/fdroid, with both a repository for current versions of the application as well as an archive repository. I will also add other applications that I find useful for my day-to-day use to the repository. You are welcome to simply ignore or use them.

The repository has been set up on a dedicated debian-9 VM, which will be used only to download apps, compile them (if necessary) and update the repository on the server. Again, for verification, the fingerprint of the repository is:

2740 3908 C610 6BAC BF26 9C4F 94C7 21D7 8E45 EE81 EFA3 71CB 7D3C 069D 0D6C D6E5

I recommend verifying and double-checking this repository key fingerprint against the one shown in your manually added repository on F-Droid called "Platschi on Droid". Additionally, all applications in the repository will be signed with my personal PGP key, which you can find in various places around this website. This should give you some sense of knowing that it was most likely me that signed and uploaded the file you're looking at, that is if you trust me and my PGP key.

To verify the signature, you can do the following (example with Trustroots App v1.0.0):

$ wget https://platschi.net/fdroid/repo/trustroots-v1.0.0.apk
$ wget https://platschi.net/fdroid/repo/trustroots-v1.0.0.apk.asc
$ wget https://platschi.net/keys/platschi.asc
$ gpg2 --import platschi.asc
$ gpg2 --verify trustroots-v1.0.0.apk.asc

The result should look something like this:

$ gpg2 --verify trustroots-v1.0.0.apk.asc 
gpg: assuming signed data in 'trustroots-v1.0.0.apk'
gpg: Signature made Tue 19 Feb 2019 10:53:36 PM MSK
gpg:                using RSA key A7433BD99150AE38408D4547D76D9EB36B20DB71
gpg: Good signature from "Ralf Platschkowski " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A743 3BD9 9150 AE38 408D  4547 D76D 9EB3 6B20 DB71
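
The output above reports a good signature from a key gpg cannot certify, so the check that matters is whether the signing key's fingerprint is the one you expect. The following is an added example, not part of the original post: it parses gpg's machine-readable status lines and compares the primary key fingerprint against the value printed in the sample output. The function names, the file name verify.sh and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): pin the signer's fingerprint
# instead of trusting any "Good signature" line.

# Primary key fingerprint as printed in the post's sample gpg output.
EXPECTED_FPR="A743 3BD9 9150 AE38 408D  4547 D76D 9EB3 6B20 DB71"

# Constructed sample of `gpg --status-fd 1 --verify` output (timestamps invented).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D76D9EB36B20DB71 Constructed User
[GNUPG:] VALIDSIG A7433BD99150AE38408D4547D76D9EB36B20DB71 2019-02-19 1550606016 0 4 0 1 10 00 A7433BD99150AE38408D4547D76D9EB36B20DB71'

# Strip whitespace and uppercase, so spaced and unspaced forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read status lines on stdin; print the primary key fingerprint of the one
# valid signature. Fail on bad, expired or revoked signatures, or on none.
signer_from_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { fpr = (NF >= 12 ? $12 : $3); n++ }
        END { if (bad || n != 1) exit 1; print fpr }
    '
}

# stdin: status lines; $1: expected fingerprint. True only on an exact match.
status_is_pinned() {
    got=$(signer_from_status) || return 1
    [ "$got" = "$(normalize_fpr "$1")" ]
}

# $1: APK, $2: detached .asc signature. Needs the key imported beforehand.
verify_apk() {
    "${GPG:-gpg2}" --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        status_is_pinned "$EXPECTED_FPR"
}

# Run as: sh verify.sh trustroots-v1.0.0.apk trustroots-v1.0.0.apk.asc
# (verify.sh is a hypothetical file name for this script)
if [ "$#" -eq 2 ]; then
    verify_apk "$1" "$2" && echo "signature OK, signer matches pinned key"
fi
```

Because the key file is downloaded from the same server as the APK, the pinned fingerprint is only as trustworthy as the channel you obtained it from; compare it against a copy received some other way.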

I am happy to receive suggestions for other ways to verify the integrity of provided apps, additional apps which you would like to see included, security concerns or other feedback of any form by email (PGP preferred).

Tags: english, datenschutz, internet