[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #26536 [Applications/Tor Browser]: Create APK signing keys

To: undisclosed-recipients: ;
Subject: Re: [tor-bugs] #26536 [Applications/Tor Browser]: Create APK signing keys
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Wed, 01 Aug 2018 15:50:44 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 01 Aug 2018 11:50:54 -0400
In-reply-to: <046.081b181ca6c5fcade7dc68bda7902281@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <046.081b181ca6c5fcade7dc68bda7902281@torproject.org>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#26536: Create APK signing keys
--------------------------------------+-----------------------------------
 Reporter:  sysrqb                    |          Owner:  tbb-team
     Type:  task                      |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-mobile                |  Actual Points:
Parent ID:  #26531                    |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------

Comment (by sysrqb):

 Replying to [comment:2 gk]:
 > What's the story in case the key gets compromised/lost and needs to get
 replaced?

 Total sadness.

 >How is that handled? (I am in particular interested in the impact for
 updates)

 Basically, we would generate a new key, and existing users would not be
 able to install the next update because the signing key would be
 different. As a result, we would have two options. 1) release a new
 version of the app signed with the new key, but first an existing user
 would need to uninstall the old version of the app before they can install
 the new version. 2) release a new version of the app using a different
 name (org.torproject.torbrowser2, or something like that). If we use a
 different name, then the user can have both versions installed at the same
 time and they can manually copy any bookmarks from one app to the other.

 We might want to create a plan for how we inform users about this
 situation and what they should do.

 {{{
 If you lose access to your app signing key or your key is compromised,
 Google cannot retrieve the app signing key for you, and you will not
 be able to release new versions of your app to users as updates to the
 original app.
 }}}
 https://developer.android.com/studio/publish/app-signing#self-manage

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26536#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #27381 [Core Tor/Tor]: Bad consensus diffs on 0.3.4 and later
Next by Author: Re: [tor-bugs] #27248 [Core Tor/Tor]: Can we make our node-related structures more efficient?
Previous by thread: Re: [tor-bugs] #26536 [Applications/Tor Browser]: Create APK signing keys
Next by thread: Re: [tor-bugs] #26536 [Applications/Tor Browser]: Create APK signing keys
Index(es):
- Author
- Thread