How to verify new Syncthing-Fork key?

The APK signing key for Catfriend1/syncthing-android (Syncthing-Fork - A Syncthing Wrapper for Android) has changed without being rotated.

How do we verify continuity?

Uninstalling and reinstalling seems insecure as it basically trusts the new key blindly (IIRC).

I notice there is also a PGP key, but I didn’t pin it before the change, so I don’t think I can trust it.

I know this because it gave me an error when I tried to install it normally. I will not uninstall and reinstall as IIRC that will wipe the existing key and do TOFU all over again.

How did you verify my old key?

The pgp key also came around when I set up the CI builds, so is pretty young.

I didn’t. I TOFU’d it. I want to ensure continuity between the old key and the new key.

Did you use apksigner rotate?

No, it just came out of “gradlew assembleRelease” and “gradlew assembleDebug”. The keystore was freshly created by Android Studio back in 2019 and this month for the new key. Thanks for posting the link, next time “hopefully in five years” I’ll know :slight_smile:.
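As an added example, not posted by anyone in this thread and not part of the Syncthing-Fork project: a small POSIX shell script that pins the SHA-256 digest of the signing certificate you originally trusted and checks an APK against it, parsing the output of `apksigner verify --print-certs` (from the Android SDK build-tools). The pinned digest is a placeholder, the APK path is whatever you pass in, and `apksigner` is assumed to be on PATH.

```shell
#!/bin/sh
# Added example: check that an APK is still signed by the certificate you
# pinned earlier. Assumptions (not from the thread): the digest below is a
# placeholder for the old signer's SHA-256 digest, and `apksigner` is on PATH.

# Placeholder value; replace with the digest of the signer you trusted on
# first install (e.g. from `apksigner verify --print-certs` on an old APK).
PINNED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Read `apksigner verify --print-certs` output on stdin and print the
# signer #1 SHA-256 digest in lowercase hex (prints nothing if absent).
signer_sha256() {
    sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' \
        | tr '[:upper:]' '[:lower:]' | head -n 1
}

# Compare one digest against the pin. Returns 0 on match, 1 otherwise
# (an empty digest never matches).
matches_pin() {
    [ -n "$1" ] && [ "$1" = "$PINNED_SHA256" ]
}

# Run the check against a real APK. Needs apksigner and an APK on disk.
check_apk() {
    apk="$1"
    actual=$(apksigner verify --print-certs "$apk" | signer_sha256)
    if matches_pin "$actual"; then
        echo "OK: $apk is signed by the pinned certificate"
        return 0
    fi
    echo "MISMATCH: signer ${actual:-<none>} != pinned $PINNED_SHA256" >&2
    # If the key had been rotated with `apksigner rotate`, the APK would carry
    # a v3 signing lineage naming the old certificate. A brand-new keystore,
    # as in this thread, carries no lineage, so this prints an error instead.
    apksigner lineage --print-certs --in "$apk" \
        || echo "no signing lineage in $apk: continuity cannot be verified" >&2
    return 1
}

# Usage: check_apk path/to/syncthing-fork.apk
```

The script can only tell you whether the signer is the one you pinned. Without a v3 signing lineage produced by `apksigner rotate` there is nothing in the new APK that cryptographically links it to the old key, so a mismatch is the honest answer, and the remaining options are out-of-band checks such as a statement from the developer over a channel you already trust.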

How do you feel about the fact that Google Play servers know my old key? Do you trust Google?