Direct APK.

The same PGPony that ships to F-Droid — the reproducible, fully open-source build, signed with the same release key — as a plain APK you download straight from this site. No Google account, no store client, works on de-Googled devices and in regions where the stores are blocked.

PGPony 3.1.0 for Android Download APK · 13.6 MB
version 3.1.0 size 13.6 MB requires Android 8.0+

Direct installs don't auto-update. Leave an email and each new release arrives with its notes, hash, and link.

PGP-encrypt my notifications (optional)

Paste your armored public key and every release notification arrives encrypted to it. Fitting, for a PGP app. The key is checked at signup — if nothing can be encrypted to it, you'll be told immediately rather than silently receiving nothing.

The confirmation email itself is sent in the clear, so its link stays one click. Encryption begins with the first real notification.

Double opt-in — nothing is active until you click the confirmation link. The address lives on this same self-hosted server, is used only for these notifications, is never shared, and no IP is stored with it. One-click unsubscribe in every email. Prefer no email at all? Watch the releases feed, or install from F-Droid for automatic updates with the same key.

Android will warn you when installing an app from outside a store — that prompt is expected. It appears for every directly-downloaded APK, including this one, and is exactly why the verification steps below exist.

Verify before you install.

Every release is PGP-signed with the NorseHorse release key and published with its SHA-256. An APK from anywhere else claiming to be PGPony should fail these checks — that is the point of them.

Signing key fingerprint (the same key on the public key page):

A0CB C8F6 5AAC E56F 1C5B  7677 53F9 798E 4919 DE62

SHA-256 of PGPony-3.1.0.apk:

482edf9df3802740795de4b3b62a7cbab3bb8c74b2b0a996e1bef7c26a2042e6

On a computer with GnuPG:

curl -O https://pgpony.app/downloads/PGPony-3.1.0.apk
curl -O https://pgpony.app/downloads/PGPony-3.1.0.apk.asc
curl -O https://pgpony.app/assets/pgp/norsehorse.asc
gpg --import norsehorse.asc
gpg --verify PGPony-3.1.0.apk.asc PGPony-3.1.0.apk
shasum -a 256 PGPony-3.1.0.apk

Good output says Good signature from the fingerprint above, and the hash matches the one on this page. On the phone itself, PGPony can verify the detached signature too — see the walkthrough.

APK signing certificate SHA-256 (matches the F-Droid build — check with apksigner verify --print-certs):

446bf9e621222a40c66cd2476e1a97105ccb2a9b16a01a91c1c7eb90765b50dc

Before you switch install sources.

  • Same key as F-Droid. This APK is signed with the same release key as the F-Droid build, so you can move between F-Droid and the direct APK freely — each will update over the other without uninstalling.
  • Different key than Google Play. Play re-signs apps with its own key, so Android will refuse to install this APK over a Play install (and vice versa). Switching requires an uninstall first.
  • No auto-updates. A directly-installed APK does not update itself. Watch the changelog for new releases, or install through F-Droid if you want automatic updates with the same signing key.
  • Reproducible build. The Android app is fully open source (PGPonyAndroid on GitHub) and builds reproducibly — you can compile it yourself and compare against this artifact.
Export your keys before uninstalling. If you are moving from a Google Play install to this APK, back up your keyring first — uninstalling deletes everything stored on the device, and PGPony keeps your keys nowhere else. The private-key backup guide covers it step by step.
Also served over Tor. This page and the APK itself are available on the PGPony onion service — the whole download can happen without ever touching the clearnet:
http://pgponyisur7gxcrfw5ofpjr2sepqul3zgbs66rrd3ughk5qvi4a3t5id.onion/apk
See mirrors for the verified onion and I2P addresses.