[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [Git][tpo/applications/tor-browser-spec][main] Bug 31161: Document Android signing key creation/usage

Title: GitLab

boklm pushed to branch main at The Tor Project / Applications / tor-browser-spec

Commits:

  • 2b940775
    by Matthew Finkel at 2023-07-13T10:14:42+02:00 
    Bug 31161: Document Android signing key creation/usage

2 changed files:

Changes:

  • processes/APKSigning
    1 
    +Signing Tor Browser for Android on a Linux machine
    2 
    +==================================================
    3 
    +
    4 
    +Signing
    5 
    +-------
    6 
    +
    7 
    +1) Ensure pkcs11 configuration file is available
    8 
    +
    9 
    +# Create a file containing the Provider arguments
    10 
    +- cat > /tmp/pkcs11_java.cfg << EOF
    11 
    +name = OpenSC-PKCS11
    12 
    +description = SunPKCS11 via OpenSC
    13 
    +library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
    14 
    +slotListIndex = 0
    15 
    +EOF
    16 
    +
    17 
    +2) Test the configuration file with `keytool` and confirm it can access the smartcard
    18 
    +- keytool -providerClass sun.security.pkcs11.SunPKCS11     \
    19 
    +          -providerArg /tmp/pkcs11_java.cfg -keystore NONE \
    20 
    +          -storetype PKCS11 -list
    21 
    +
    22 
    +
    23 
    +3) Signing the exectuable(s):
    24 
    +
    25 
    +- path/to/apksigner sign --verbose --provider-class sun.security.pkcs11.SunPKCS11  \
    26 
    +                         --provider-arg pkcs11_java.cfg --ks NONE --ks-type PKCS11 \
    27 
    +                         --debuggable-apk-permitted=false                          \
    28 
    +                         --out tor-browser-${VERSION}-android-${arch}-multi-qa.apk \
    29 
    +                         tor-browser-${VERSION}-android-${arch}-multi-unsigned.apk

  • processes/KeyGeneration
    ... ... @@ -100,3 +100,71 @@ certtool r CertificateSigningRequest.certSigningRequest
    100 100
    101 101 
     security add-certificates ~/developerID_application.cer
    102 102 
     security find-identity
    103 
    +
    104 
    +
    105 
    +APK Signing Key
    106 
    +===============
    107 
    +
    108 
    +These instructions are for a Nitrokey, as described in
    109 
    +https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26536
    110 
    +
    111 
    +Software needed:
    112 
    +----------------
    113 
    +
    114 
    +1) Android SDK build tools
    115 
    +
    116 
    + - Latest (at time of writing):
    117 
    +   - https://developer.android.com/studio?hl=i#downloads
    118 
    +   - https://dl.google.com/android/repository/commandlinetools-linux-6609375_latest.zip
    119 
    +   - 89f308315e041c93a37a79e0627c47f21d5c5edbe5e80ea8dc0aac8a649e0e92
    120 
    +
    121 
    +Installation
    122 
    +------------
    123 
    +
    124 
    +1) Requirements
    125 
    +
    126 
    +- for the signing: sudo apt-get install nitrokey-app opensc-pkcs11 opensc openjdk-8-jdk
    127 
    +  - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26536#note_2651175
    128 
    +
    129 
    +`nitrokey-app` should automatically detect the nitrokey if it is connected
    130 
    +Debian Stretch provides version 0.6.3-1.
    131 
    +
    132 
    +  $ nitrokey-app
    133 
    +
    134 
    +Expect: "Application started successfully."
    135 
    +
    136 
    +
    137 
    +Key Generation
    138 
    +--------------
    139 
    +
    140 
    +1) Generate 4096-bit RSA key pair
    141 
    +
    142 
    +  $ openssl genrsa -out secretkey.pem -aes128 -rand /dev/urandom 4096
    143 
    +
    144 
    +2) Create CSR
    145 
    +
    146 
    +  $ openssl req -new -key secretkey.pem -out request.pem -subj "/CN=Tor Browser/O=The Tor Project/L=Seattle/ST=WA/C=US"
    147 
    +
    148 
    +3) Generate certificate (Google Play requires minimum expiratation date of 22 October 2033
    149 
    +  # If you plan to publish your apps on Google Play, the key you use to sign
    150 
    +  # your app must have a validity period ending after 22 October 2033. Google
    151 
    +  # Play enforces this requirement to ensure that users can seamlessly
    152 
    +  # upgrade apps when new versions are available.
    153 
    +  # https://developer.android.com/studio/publish/app-signing#considerations
    154 
    +
    155 
    +  $ openssl x509 -req -days 5475 -in request.pem -signkey secretkey.pem -out certificate.pem -extfile openssl.cnf -extensions usr_cert
    156 
    +
    157 
    +4) Export secret key and certificate in PKCS12
    158 
    +
    159 
    +  $ openssl pkcs12 -export -out secret_and_certificate.p12 -in certificate.pem -inkey secretkey.pem -aes128
    160 
    +
    161 
    +5) Extract RSA public key
    162 
    +
    163 
    +  $ openssl rsa -in secretkey.pem -pubout -out publickey.pem
    164 
    +
    165 
    +Install private signing key on Nitrokey
    166 
    +---------------------------------------
    167 
    +
    168 
    +- pkcs15-init --delete-objects privkey,pubkey,chain                 \
    169 
    +              --id 3 --store-private-key secret_and_certificate.p12 \
    170 
    +              --format pkcs12 --auth-id 3 --verify-pin


    • View it on GitLab.
    You're receiving this email because of your account on gitlab.torproject.org. Manage all notifications · Help 

    _______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits