How to verify new Syncthing-Fork key?

JakeFS · June 9, 2025, 12:24pm

The APK signing key for GitHub - Catfriend1/syncthing-android: Syncthing-Fork - A Syncthing Wrapper for Android. has changed without being rotated.

How do we verify continuity?

Uninstalling and reinstalling seems insecure as it basically trusts the new key blindly (IIRC).

JakeFS · June 9, 2025, 12:27pm

I notice there is also a PGP key, but I didn’t pin it before the change, so I don’t think I can trust it.

JakeFS · June 9, 2025, 12:30pm

I know this because it gave me an error when I tried to install it normally. I will not uninstall and reinstall as IIRC that will wipe the existing key and do TOFU all over again.

Catfriend1 · June 9, 2025, 9:24pm

How did you verify my old key?

The pgp key also came around when I set up the CI builds, so is pretty young.

github.com/Catfriend1/syncthing-android

wiki/Switch-between-releases_Verify-APK-is-genuine.md

main

Syncthing-Fork "Wrapper for Syncthing" has these release channels:

<b>1. F-Droid release build</b>

* <b>"COMMON USER" - please choose this!</b>
* Published on [F-Droid](https://f-droid.org/packages/com.github.catfriend1.syncthingandroid/) and [GitHub release page](https://github.com/Catfriend1/syncthing-android/releases/latest)
* File name is like: com.github.catfriend1.syncthingandroid_fdroid_1.29.6.0_7d59e75.apk
* Certificate hash: yei5Ybhe9jZNx7NG4WE9MgjnfsPqbHCzUhHvfedPEuU=
* Signing Certificate SHA256 fingerprint: <details>C9:E8:B9:61:B8:5E:F6:36:4D:C7:B3:46:E1:61:3D:32:08:E7:7E:C3:EA:6C:70:B3:52:11:EF:7D:E7:4F:12:E5</details>

<b>2. GitHub release build</b>

* If you don't like to use F-Droid for some reason, please choose this!
* Only published on [GitHub release page](https://github.com/Catfriend1/syncthing-android/releases/latest)
* File name is like: com.github.catfriend1.syncthingandroid_release_1.29.6.0_7d59e75.apk
* Certificate hash: 03S43lBXATFDx9FRWgFVmMLfQDvoFgyuAaWMIn5uhqo=
* Signing Certificate SHA256 fingerprint: <details>D3:74:B8:DE:50:57:01:31:43:C7:D1:51:5A:01:55:98:C2:DF:40:3B:E8:16:0C:AE:01:A5:8C:22:7E:6E:86:AA</details>

<b>3. Google Play release build</b>

This file has been truncated. show original

JakeFS · June 10, 2025, 1:40pm

I didn’t. I TOFU’d it. I want to ensure continuity between the old key and the new key.

JakeFS · June 10, 2025, 1:48pm

Did you use apksigner rotate?

Catfriend1 · June 10, 2025, 3:43pm

No, it just came out of “gradlew assembleRelease” and “gradlew assembleDebug”. The keystore was freshly created by Android Studio back in 2019 and this month for the new key. Thanks for posting the link, next time “hopefully in 5 five years” I’ll know .

Catfriend1 · June 11, 2025, 11:02am

How do you feel about the fact, that Google Play servers know my old key? Do you trust Google?