Our new F-Droid App Repository (out of date!)

Update: this blog post has been changed to reference our new FDroid repository at https://guardianproject.info/fdroid. If you are still using the old one originally described here which has the URL https://guardianproject.info/repo, you should switch to the new repo as soon as possible!

For all of you out there looking for a safe way to find and download apps outside of the Play Store (aka Android Market) or random, sketchy third-party app stores and file sharing sites, then your wait is over:

The FDroid Repository is an easily-installable catalogue of FOSS applications for the Android platform. The server contains the details of multiple versions of each application, and the Android client makes it easy to browse, install them onto your device, and keep track of updates.

In other words, F-Droid is like an app store for open-source. More importantly, there is not just one “store”. Anyone can deploy their own repositories of apps, or Repos, much like the way the Debian repo model works.

We’ve now begun creating our own hosted F-Droid compliant repo where we can easily provide the latest greatest versions of all our apps. As we update the apps, F-Droid should notify you and allow you to update quickly and without hassle.

Quick Steps for using F-Droid with Guardian Project Repo

1) Install the F-Droid Client app. You can get it here: https://f-droid.org/FDroid.apk

2) Run the app and go to Menu > Manage Repos

3) Turn on the “Guardian Project Official Releases” repo

3) Enter: https://guardianproject.info/repo/

4) Optionally, disable the default repo if you just want GP apps

5) Return to the main screen, and Menu > Update

6) Verify the repo fingerprint by clicking on the repo to see the repo details view. The fingerprint you see there should match this: 59050C8155DCA377F23D5A15B77D3713400CDBD8B42FBFBE0E3F38096E68CECE.

From here you will see the “Available” tab for apps you don’t have the “Installed” tab for apps you have the latest version of, and the “Updates” tab for apps you have, but that are not up to date.

You can open each app by browsing and selecting them, and then via Menu options, choose to install them, or access their websites, source code links, or issue tracking pages.

74 thoughts on “Our new F-Droid App Repository (out of date!)

    1. Yes, it did. Our previous directory and keystore somehow was wiped out.

      However, the underlying APKs are still signed by the same guardian project key.

    1. No it is not. The app, as you discovered, is now called InTheClear, and is on a development hiatus at the moment. We hope to revisit and update it in the near future.

    1. Which apps? Are you using our repo (you must add it manually to F-Droid) or are you just looking at the version of our apps in the default repo?

  1. This is just as unsafe as Google. The .apk file needs to be downloadable to a PC, where it can be checked, then transferred to the tablet and installed there. Nothing else is safe.

    1. > .apk file needs to be downloadable to a PC

      This is already possible.

      > as unsafe as Google

      F-droid repos are less unsafe than google’s malware tolerance play store. google play allows the nefarious majority to categorize their adware as free; this is a contradiction in terms.

      Adware shifts the COST from financial to human dignity trafficking.

      Treating privacy, a fundamental right and prerequisite to liberty, as a commodity is vile per se. Worse is profiting from this human trafficking whether or not there is informed consent.

      Profit by any means necessary is not only tolerated by google, but promoted as they are frequently [one of] the ad serving platform[s] employed. Don’t misunderstand. I’m not a fan of “fair” trade tithing, carbon tax, coerced union dues, raising taxes to cool the sun, ponzi schemes, erroneous social “justice”, subjective reality, “redistribution” of wealth, moral relativism, genocide, greenness, “renewable” energy despite thermodynamics, fear of biochemical solar energy, the ‘should brush’, or similar idiocy. Corporations aren’t evil by construction, nor is profit.

      Ads are useful for sales but I draw a distinction between passive ads (billboards, magazines, traditional tv, shirts, logos, et al) and aggressive ads which not only look back at you but stalk you in RL and the interweb (third party loaded ad servers, behavioral stalking, false privacy policies, gps breadcrumbs, collating with those you contact, etc) building (collecting, buying, selling) an ever creepier eternal profile on the user that would have made the gestapo drool with lust. The SS would have required everyone to wear google Glass.

      Had google not been in the business of stalking users or selling ads there might not have been as large a concern. There are several generations who’ve remained internets newbies. They are raping the culture and increasing the noise to signal ratio of the interweb. You can drive the sheep to water but you can’t make them drink although drowning them is tempting, and waterboarding them out of ignorance more so.

      Giving consent does NOT mitigate.

      > The .apk file needs to be downloadable to a PC, where it can be checked

      The repo could provide hashes of the apk and links to the online tool(s) used to vet content like iseclab’s anubis. You then could generate a hash locally and compare to either resource.

      > (all third party interweb ads in app is malware)

      Absolutely true! No one can afford the irreparable harm done by using adware. Deliberately providing false information to collection is useful but does nothing to remove the already harvested information.

      > F-droid needs to become much much more anti-adware.

      I am not pleased with the simple notice in red text on the app info page in the repo client. Plenty of F-droid contributors remove-, null-, or disable the malware [adware, spyware, tracking, logging, unique id harvesting] components. All contributors ought perform this public service

      > is now called InTheClear

      I’m watching it develop with interest. Please provide an alternative to old fashioned sms texting also other than email.

      1. It is true that malware scanners are helpful, and Google’s Play Services provides a pretty good one, in addition to their own “Bouncer” scanner for the Play Store itself. Luckily, there are other third party scanners like Lookout which can be installed on devices that do not come with Google Play.

  2. Says download unsuccessful due to space on my galaxy note ive deleted most of my apps. Why is this still showing

  3. you need to give more guidance. Once installed the repo, click to install an app (Orbot, for example) and there’s no way there other than the Play store or Chrome, so what’s the point?

  4. So why is it, that in F-Droid, where I’d like to get most of my apps from (rather than the Google Play Store), the latest version of Gibberbot is 0.0.11-RC5 from 06/05/13, while the Google Play Store tells me something about Version 12 and it now being Chatsecure?

    Don’t you update the independent Open Source repositories any more, but rather put everything in the Play Store, so that Google knows exactly who is interested in privacy?!? Well, that’s clever, isn’t it?

      1. Yes but you must modify your BB10 by hitting it with a hammer and dropping it down the toilet first.

    1. This whole “project” has obveously been created to either Aid in Data Mining by Government Organizations (NOT A BAD THING, AS I HOPE THIS IS THE CASE), or to Cirucumvent it (although not currently, illegal, in most cases) seems rather unnessesary, immoral, suspicious and un-needed to become Anon on the internet, unless you are either:
      1-Super Paranoid
      2-Preforming Illegal Activites(or attempting to) w/o detection
      3-Part of an Organization that is not supposed to exist (with malicious intents in mind)
      4- Are attempting or prepairing a cyber/physical attack, where Anonimity and ID Prevention are essential (unless this is being done by One Gov’t ORG vs Another) this is infact a crime; as to my knowladge there is NO VALID LEGAL REASON TO INITIATE AN ATTACK, as a non-sanctioned Citizen in ANY Country(or ATTEMPT TO).
      5- Attempting to Hide Illegal Transfers or Products/Payments
      6- Transmission of Illegal Content
      7- Set-up of “off the books” P2P meeting to discuss any of ABOVE
      8- Attempting to compromise an already established Secure Server
      9- Are involved in illegal Espionage (seeing as ACTUAL Clandestine Service Officers, not involved in non-sanctioned actions, are generally protected and Anonomized by their Host Organization, not left to “figure it out on their own”, as this would put not only the Officer/Agent, Their Family and HOST NATION at SEVERE RISK if not done correctly) or are attempting to sell/trade/transfer Illegally Obtained Classified Documents*
      *-I do belive there are certain instances where this would infact be needed durring a SANCTIONED OP(e.g. Blown Cover ID, Asset Location, or to “Find a way out”…however, I am almost sure that most if not all Intel communities, have ways to do this on their own that do not involve the use of OPEN-SOURCE SERVICES, as they are infact OPEN to the network of users providing remote access for the service…therfore, NOT ACTUALLY SECURE AMONG USRERS as it would appear that all “shared” connection points are accessable ANY user of the system!!!!)
      10- AND FINAL: ARE ATTEMPTING TO CIRCUMVENT CENSORSHIP EMPOSED BY COUNRY OF ORIGIN’S GOVERNMENT (ALSO ILLEGAL)…not nessesarily opposed to this if Countries where you can ACTUALLY be punished for your opintion (and thoughts/word) NOT ILLEGAL ACTIONS.

      CASE IN POINT: Posts like “Sobhan Mohammadpour says:
      2013/05/20 at 5:48 am
      Tor and Fdroid are quite nice in Iran :)”
      -seem to indicate the true intent of this “Program” (or atleast that particular userea intentions) and point to the Absurdity of this even being Available to ANYONE.

      **Personal Opinion Only**

  5. Keep getting “file corrupted” when trying to download from f-droid. Has been happening across 3 different phones.

  6. F-Droid 0.58 has the option to enter a repo’s fingerprint alongside its URL. Can you please update this post with the fingerprint? Thanks and greetings!

    1. Yes, good idea, here is the fingerprint of the FDroid repo signing key:

      I also added it above. It is probably easier to verify it after the fact than type that whole long string.

  7. Fdroid official repo is pushing out a new version of orbot with a different fingerprint. I wont load it myself but it looks fishy – and if it is it is troubling to see it pop up.

    1. Apps distributed via the official FDroid app repository are signed by a different key than the apps distributed via Google Play or our direct releases page. If you have FDroid installed but installed Orbot from Google Play, then you should set Fdroid to ignore Orbot releases. You can do that from the menu in the Orbot page in FDroid.

  8. The fingerprint was missing the first two digits (59), it should read: 59050C8155DCA377F23D5A15B77D3713400CDBD8B42FBFBE0E3F38096E68CECE. Thanks to Adam Pritchard for spotting and reporting it.

    1. I added the repo to F-Droid earlier today. The finger print that F_Droid shows me does _not_ have the first two digits, “59”; the rest of characters are the same. What gives?

      1. If you are talking about the fingerprint, the text has already been updated but not the screenshots.

    2. great tool, great idea, great everything. but you just don’t get it to work.

      just wasted 60min. trying to adopt, but your fdroid repo is flawed over the place, nothing secure. see posts above.

      signing keys again (still?) don’t match. will need to stay with google’s playstore. what pity!


      PS: thanks for Orbot, tough. gorgeous!

      1. There was a bug in the signatures that has been fixed, sorry to hear that you wasted time with it. The latest test versions should “just work” with the repo from this article, and our new debug repo. If it does not just work, please let us know by filing a bug report:


        Or sending an email or finding us in IRC:

        Here is the latest version of FDroid, including test versions:

  9. Why is there a discrepancy between Orbot versions and release dates? 13.0.7-BETA-1 added on 26/10/2012.

    My full apologies here but am green when it comes to development.

    1. There were some FDroid-specific releases done in order to fix building Orbot for FDroid. Hopefully the release process will be more in sync now.

  10. Downloading Privacy apps off Google is fine. Loads of people regularly download privacy apps off Google Play Store. Security experts like myself all advise internet/network users to protect their privacy.

    Using privacy protection applications and strategies is a good way to protect against identity theft, phishing and fraud. Using alternate credentials and protecting your privacy is not a crime or does not make you suspicious, rather it helps prevent crime.

    I always advise clients not to use their real identity online unless it is completely necessary (like for online Government services), and protect their personal information such as real name, Login name, passwords, email addresses, home address, phone numbers, etc by using Data Protection software (which often is available in AV or firewall software these days).

    Users should also use password manager software, and encryption like TrueCrypt for their personal computer storage hard drives, SSDs, USBs, DVDs and backup NAS devices where possible. Also GPG or similar software should be used to secure all personal email. You should have a couple of online email addresses for useless online stuff that will end up getting that email account spammed, or people with poor security practices, out of date or no antivirus/firewall, and that can’t use Bcc or Cc fields correctly.

    If you have more than one computer or laptop then you should leave one for personal work and any personal information permanently offline with it’s network disabled and all hard drives and storage encrypted. You can then use your other computer/laptop for online activities. If you use the same internet security software on both systems you can use a secure method to download updates like Tor and save the update files via a sandbox (using something like Sandboxie), then after scanning the update files for Rootkits, Trojans, Viri and other Malware, you can then extract just the update files needed from the Sandbox to a USB device for transferring to your offline system.

    Privacy and security is not a criminal act, it’s intelligent and helps you avoid cyber crime and identity or financial theft. The more people understand security and practice good security and privacy techniques, the less victims and income available to cyber criminals.

  11. There are currently two updates that are in the F-Driod repository but not in the Guardians Project’s own repository. They are Orweb 0.5.2 –> Orweb 0.6, and PixelKnot 0.3-RC1 –> PixelKnot 0.3.1. Why are these updates not in the Guardian Project’s own repository? Are they fake?

  12. Thie guardianproject repo doesn’t seem to work with FDroid 0.66. Update and select “all” category, shows nothing.

  13. F-droid shows the following updates from the guardianproject.info repo:
    – Orbot ->
    – Orweb 0.6 -> 0.6.1

    The “Added on” dates for both updates are in October 2012, making them a couple of years _older_ than the previous versions.

    Would you confirm that the updates are correct despite the dates, and explain the older dates?

    1. Yes, those are updates coming from us. I’m not sure about the “Added on” date issue. Another way to double-check is to check the OpenPGP signatures on the APKs. Here is the APK and its OpenPGP signature:


      Download those two files into the same folder, then on a machine with GnuPG installed, run:

      gpg --recv-key A801183E69B37AA9
      gpg --verify Orweb-release-0.6.1.apk.asc

      You can find all of the signing keys documented on our Signing Keys page.

    1. Yes, sometimes it takes a bit longer for us to update our own fdroid repos than we would like. We have a rigorous offline process for generating the repos, while the official FDroid repo does all of its build online, and automatically (for the most part).

      The APKs in /releases will always be the latest available from anywhere.

      1. Our fdroid repo is now up-to-date. We’re working on automating our whole release process as much as possible to keep things in sync and updated.

  14. The government is useless as snot. All your data is data mined. The Tor project was funded to stop US gov being data mined as they were stupid enough to teach Al Quida about their intelligence sat network when they dropped 30,0000 militia into Afghanistan to beat the Soviets to the huge gas fields as Iran didn’t want a great gas pipeline running through their country.
    Al Quida promptly used old soft drink cans to build their own satellite dishes and captured CIA transmitters to hack back into US intel systems every time they thought they were doing the eavesdropping.

    Post 9/11 they knew they had a problem – their crap was p0wn3d! So they took THINTHREAD (NSA mass data mining tool then in development) stripped out the hardware and software component that encrypted all public communications that did not have a proper wiretap warrant, and re-purposed it to collect all communications either internal, exiting, entering or passing through US jurisdiction. This program was then expanded to all US partners to tap all 20 major undersea cables, mobile telephone, sat, radio and other communication systems. This was all done without legal authority and against the express orders of the US Attorney General and against good advice from the US justice committee that it would be illegal. The program kept getting shut down then restarted again using various legal theories, until finally Bush sought approval from congress to try and backdate it’s legality and get a ‘legal’ super warrant that allows all communications to be mined.

    So everything is mined. Tor is not bad. Sure they collect everything but it is encrypted and stored until they can break the encryption or you become high priority enough to divert significant resources to. If you use Tor or know how to properly set your browser to use encryption that isn’t NSA backdoor then it makes it much harder for them.

    Tor is simple and works, though researchers have been attacking hidden services for FBI and other attempts are made at eavesdropping Tor entry or exit nodes and trying to populate many nodes. The more people that run Tor nodes the better the system works and the harder to eavesdrop. Run good security practices and encrypt everything. Any computer can be broken into if targeted with enough resources or physical access gained, this is why you should keep an interest in all IT security matters and practice good security like not plugging other peoples USB gear or not use a phone or computer at all. Actually I encourage not using smartphones at all as they are very easy to hack and follow, though if you always keep them in ‘airplane mode’ in or near your house, use burner SIMs and a custom ROM with all third party apps removed (Titanium Backup let’s you easily remove third party apps), they are slightly better (also ensure smartphone is encrypted and disable location tracking and install a firewall that allows you to properly configure IPtables). Best smartphone is one in pieces. Get a cheap laptop and run Tails or build your own custom ROM of Debian/GNU. Don’t use the cloud at all.

    Learn stuff or die trying. Don’t be an idealist or extremist/fundamentalist/patriot etc. Read books and use internet for learning about intelligent stuff as all those stupid cat videos and images contain rootkits to hack your firmware.

  15. I am being constantly narrated by my so called account security go my in phone mobile apps. My pages on Android never fully load. My settings and apps ‘re always altered or edited . I am being taken advantage of due to my economical low income conditions. I am a 2 year survivor of witnessing first hand how evil and deceitful they are. They continue haccking from outside Google buildings. They have tried hard to smother my use of Android but thanks to F-droid and yourselves The Guardian Project and GitHub ans others. I am still alive and kicking their defeat with this little Android ZTE Concord UK.

  16. Please get with the F-Droid admins to help with transitioning between signing keys when adding a new repo.

    For example, I would prefer to use your repository within F-Droid for downloading/installing GuardianProject software and apps. Unfortunately, since I’ve already installed most of these apps through the normal F-Droid repo, the applications have been signed with different keys.

    It would be convenient to be able to ‘verify’ the integrity of a new signer, and have that new signer be the governing signer, replacing the previous.


  17. Orbot on my android can not protect few sites to access I tap app button but same result & tap on Bridge button & requested recommended by app (4) via email but never recive any reply to requested one by mail the question is that can I solve my problem for full protection my andriod or not, please note I’m from Iran.
    Thanks & Best Regards

  18. I can’t seem to find many of the apps mentioned on GuardianProject.info on F-Droid, only on Google Play? There are lots of great apps on F-Droid, it’s just that the Guardian Project ones look the most useful.

Leave a Reply

Your email address will not be published. Required fields are marked *