Due to the “funny business” involved with the Syncthing app available on F-Droid, I decided against using the Syncthing-Fork app on F-Droid.
Instead, I will be using the last release of the syncthing-android app (version 1.28.1, from Dec 3, 2024). So, I downloaded these files:
- app-release.apk
- sha256sum.txt.asc
I verify the sha256sum of the apk file:
~/Downloads/syncthing-android [2] $ cat sha256sum.txt.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
742984454612f382fb6ba7f7f6fc5f309161cc05a1f4692945d70644cf0a9324 app-release.apk
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEEN8hFVOfgomHk924e0m5u0ABlSj4FAmdPdacACgkQ0m5u0ABl
Sj44bAgArlLL++8tI2GD2D/T8vQccxJMUdK65vtjyR6hP3qgUyEhpoLBo0Q9uMwX
+1sy4mjrmil8HH/1g5Td3O4dTQJyRb1mUBbpuBjCaYO5n02aKWIZvwctz9bPuZpH
zIm8mgWbPivu7BubIgDYqcuW+1S5dACezosBtnqm49MuLT5D/GyMbYkut3bRXY8C
czho6Qe/rIlrMgZfiLwbhEabZJX2LdnckDVKdjgKSbJU1kIXjkI2R5LLU3/0p+t2
+2GRHO9c5lljtP7XdF6EU4UnNN/E695wh8fGA122sDwfBydaF9HlhS+eddZRn6a9
KscC6fNFAozD31F8G6LUsEQY3CQ6ZQ==
=vAc4
-----END PGP SIGNATURE-----
~/Downloads/syncthing-android $ sha256sum app-release.apk
742984454612f382fb6ba7f7f6fc5f309161cc05a1f4692945d70644cf0a9324 app-release.apk
~/Downloads/syncthing-android $
Then I check the PGP signature on the sha256sum.txt.asc file:
~/Downloads/syncthing-android $ gpg --verify sha256sum.txt.asc
gpg: Signature made Tue 03 Dec 2024 09:18:31 PM UTC
gpg: using RSA key 37C84554E7E0A261E4F76E1ED26E6ED000654A3E
gpg: Good signature from "Syncthing Release Management <release@syncthing.net>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37C8 4554 E7E0 A261 E4F7 6E1E D26E 6ED0 0065 4A3E
~/Downloads/syncthing-android $
Can someone else verify that the key 37C84554E7E0A261E4F76E1ED26E6ED000654A3E is indeed the “official” gpg key from the 2024 release?
Apart from this I will be using this abandoned version of the android syncthing with:
- NAT traversal – disabled
- Local Discovery – disabled
- Global Discovery – disabled
- Enable Relaying – disabled
- Between the Tor onion hidden servers I am hosting on my laptop and on my Android devices (thus the preceding options disabled; peer discovery between my devices is done via the Tor network)
I am assuming these will minimize the potential infosec dangers that might arise in the future, as the abandoned syncthing-android app had stopped receiving any possible future security updates. Fair enough to think it that way?
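
An added example, not part of the original post: a Python check that accepts the APK only if the machine-readable `gpg --status-fd` output shows one good signature whose primary-key fingerprint equals a pinned value, and the hash in the signed text matches the file. The function names and the sample status lines, checksum list and APK bytes are constructed for illustration; the pinned fingerprint is assumed to come from a source independent of the download.

```python
import hashlib

FAIL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def signer_fingerprint(status_text):
    """Primary-key fingerprint from `gpg --status-fd` output, or None unless
    there is exactly one good, valid signature and no failure record."""
    good, fprs = 0, []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword in FAIL:
            return None
        if keyword == "GOODSIG":
            good += 1
        elif keyword == "VALIDSIG" and args:
            # The 10th VALIDSIG field is the primary key; the 1st may be a subkey.
            fprs.append((args[9] if len(args) >= 10 else args[0]).upper())
    return fprs[0] if good == 1 and len(fprs) == 1 else None

def verify_release(status_text, signed_text, apk_bytes, apk_name, pinned_fpr):
    """True only if the pinned key signed the list and the list matches the APK."""
    fpr = signer_fingerprint(status_text)
    if fpr is None or fpr != pinned_fpr.replace(" ", "").upper():
        return False
    digest = hashlib.sha256(apk_bytes).hexdigest()
    for line in signed_text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[1].lstrip("*") == apk_name:
            return fields[0].lower() == digest
    return False

# Constructed sample data. PAGE_FPR is the fingerprint gpg printed in the post;
# in practice the pinned value must come from a channel independent of the download.
PAGE_FPR = "37C8 4554 E7E0 A261 E4F7 6E1E D26E 6ED0 0065 4A3E"
FPR = PAGE_FPR.replace(" ", "")
SAMPLE_STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG D26E6ED000654A3E Syncthing Release Management <release@syncthing.net>",
    f"[GNUPG:] VALIDSIG {FPR} 2024-12-03 1733260711 0 4 0 1 10 01 {FPR}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
])
SAMPLE_APK = b"constructed stand-in for app-release.apk"
SAMPLE_LIST = hashlib.sha256(SAMPLE_APK).hexdigest() + "  app-release.apk\n"

if __name__ == "__main__":
    print(verify_release(SAMPLE_STATUS, SAMPLE_LIST, SAMPLE_APK, "app-release.apk", PAGE_FPR))
```

The checksum list passed in should be the signed text that gpg itself outputs after verification, not lines read directly from the `.asc` file, since anything outside the signed region of that file is not covered by the signature.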