[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #26536 [Applications/Tor Browser]: Create APK signing keys
#26536: Create APK signing keys
--------------------------------------+-----------------------------------
Reporter: sysrqb | Owner: tbb-team
Type: task | Status: needs_information
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-mobile | Actual Points:
Parent ID: #26531 | Points:
Reviewer: | Sponsor:
--------------------------------------+-----------------------------------
Changes (by sysrqb):
* status: new => needs_information
Comment:
It appears we can create and store the key offline.
I was hoping we could create an "identity" key and a "signing" key for
Android, but it seems like this won't work. Specifically,
[[https://source.android.com/security/apksigning/v2|newer versions]] of
Android support signing an app where the public key for verifying the
signature is stored in two places. The first place is at the end of the
signing block. This key has only one purpose - for verifying the signing
block signatures are valid. The second place is the public key is stored
within the signing block but here we may include a certificate chain. I
was hoping we could create a long-term identity key and then a short-term
signing keys, similar to PGP primary key and subkeys. However, from my
code diving, Android does not verify the certificate chain embedded in the
app. Android only verifies the
[[https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java#376|first
(leaf) certificate]] in the embedded certificate chain contains the same
public key as the public key provided at the end of the signing block used
for verifying the signature.
We should generate the key offline - Hans published a nice script for this
(although its a little old) https://github.com/guardianproject/smartcard-
apk-signing/blob/master/openssl-gen/gen.sh
We can use a Yubikey or Nitrokey for storing the key. I'll feel more
comfortable if we have more than one copy of the key.
Newer versions of Android support something called
[[https://android.googlesource.com/platform/frameworks/base/+/master/services/core/java/com/android/server/pm/PackageManagerService.java#17745|(upgrade)
keysets]] for verifying the apps authenticity. I'm not sure how we can use
it yet. I think it allows for adding more signatures using more keys, but
I'm not sure if there's a way we can use it for rotating keys.
With all this being said, we can likely generate our first APK signing key
using a similar method as the Tor Browser PGP signing key - using an
offline laptop booted with TAILS, etc.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26536#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs