[tbb-commits] [Git][tpo/applications/tor-browser-spec][main] Bug 31161: Document Android signing key creation/usage
boklm (@boklm)
git at gitlab.torproject.org
Thu Jul 13 08:20:05 UTC 2023
boklm pushed to branch main at The Tor Project / Applications / tor-browser-spec
Commits:
2b940775 by Matthew Finkel at 2023-07-13T10:14:42+02:00
Bug 31161: Document Android signing key creation/usage
- - - - -
2 changed files:
- + processes/APKSigning
- processes/KeyGeneration
Changes:
=====================================
processes/APKSigning
=====================================
@@ -0,0 +1,29 @@
+Signing Tor Browser for Android on a Linux machine
+==================================================
+
+Signing
+-------
+
+1) Ensure pkcs11 configuration file is available
+
+# Create a file containing the Provider arguments
+- cat > /tmp/pkcs11_java.cfg << EOF
+name = OpenSC-PKCS11
+description = SunPKCS11 via OpenSC
+library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
+slotListIndex = 0
+EOF
+
+2) Test the configuration file with `keytool` and confirm it can access the smartcard
+- keytool -providerClass sun.security.pkcs11.SunPKCS11 \
+ -providerArg /tmp/pkcs11_java.cfg -keystore NONE \
+ -storetype PKCS11 -list
+
+
+3) Signing the exectuable(s):
+
+- path/to/apksigner sign --verbose --provider-class sun.security.pkcs11.SunPKCS11 \
+ --provider-arg pkcs11_java.cfg --ks NONE --ks-type PKCS11 \
+ --debuggable-apk-permitted=false \
+ --out tor-browser-${VERSION}-android-${arch}-multi-qa.apk \
+ tor-browser-${VERSION}-android-${arch}-multi-unsigned.apk
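Review bot: Step 3 passes `--provider-arg pkcs11_java.cfg` (a relative path) while step 1 writes the file to `/tmp/pkcs11_java.cfg` and step 2 reads `/tmp/pkcs11_java.cfg`; unless apksigner is run from /tmp it will not find the provider configuration, so use one absolute path in all three steps (and consider a persistent location rather than /tmp). In the same step "exectuable(s)" should read "executable(s)", and the document never says how `${VERSION}` and `${arch}` are set or why the output is named `-multi-qa.apk`; a sentence on each would make the procedure reproducible. It would also be worth closing the section with `apksigner verify --verbose --print-certs` on the signed APK so the signer confirms that the certificate applied is the one held on the smartcard.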
=====================================
processes/KeyGeneration
=====================================
@@ -100,3 +100,71 @@ certtool r CertificateSigningRequest.certSigningRequest
security add-certificates ~/developerID_application.cer
security find-identity
+
+
+APK Signing Key
+===============
+
+These instructions are for a Nitrokey, as described in
+https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26536
+
+Software needed:
+----------------
+
+1) Android SDK build tools
+
+ - Latest (at time of writing):
+ - https://developer.android.com/studio?hl=i#downloads
+ - https://dl.google.com/android/repository/commandlinetools-linux-6609375_latest.zip
+ - 89f308315e041c93a37a79e0627c47f21d5c5edbe5e80ea8dc0aac8a649e0e92
+
+Installation
+------------
+
+1) Requirements
+
+- for the signing: sudo apt-get install nitrokey-app opensc-pkcs11 opensc openjdk-8-jdk
+ - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26536#note_2651175
+
+`nitrokey-app` should automatically detect the nitrokey if it is connected
+Debian Stretch provides version 0.6.3-1.
+
+ $ nitrokey-app
+
+Expect: "Application started successfully."
+
+
+Key Generation
+--------------
+
+1) Generate 4096-bit RSA key pair
+
+ $ openssl genrsa -out secretkey.pem -aes128 -rand /dev/urandom 4096
+
+2) Create CSR
+
+ $ openssl req -new -key secretkey.pem -out request.pem -subj "/CN=Tor Browser/O=The Tor Project/L=Seattle/ST=WA/C=US"
+
+3) Generate certificate (Google Play requires minimum expiratation date of 22 October 2033
+ # If you plan to publish your apps on Google Play, the key you use to sign
+ # your app must have a validity period ending after 22 October 2033. Google
+ # Play enforces this requirement to ensure that users can seamlessly
+ # upgrade apps when new versions are available.
+ # https://developer.android.com/studio/publish/app-signing#considerations
+
+ $ openssl x509 -req -days 5475 -in request.pem -signkey secretkey.pem -out certificate.pem -extfile openssl.cnf -extensions usr_cert
+
+4) Export secret key and certificate in PKCS12
+
+ $ openssl pkcs12 -export -out secret_and_certificate.p12 -in certificate.pem -inkey secretkey.pem -aes128
+
+5) Extract RSA public key
+
+ $ openssl rsa -in secretkey.pem -pubout -out publickey.pem
+
+Install private signing key on Nitrokey
+---------------------------------------
+
+- pkcs15-init --delete-objects privkey,pubkey,chain \
+ --id 3 --store-private-key secret_and_certificate.p12 \
+ --format pkcs12 --auth-id 3 --verify-pin
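Review bot: Step 3 of Key Generation relies on `-extfile openssl.cnf -extensions usr_cert`, but nothing in the document says which openssl.cnf is meant or what the `usr_cert` section must contain, so the command cannot be reproduced as written; either add the section to the repository or state the expected path and contents. The same step has an unclosed parenthesis and a typo ("minimum expiratation date of 22 October 2033"), and it should say explicitly that `-days 5475` (about 15 years) was chosen so the certificate's validity ends after the 22 October 2033 date quoted from the Android docs. Under "Install private signing key on Nitrokey", `pkcs15-init --delete-objects privkey,pubkey,chain` removes whatever is already stored under that id before importing; a warning to that effect, together with guidance on what happens to `secretkey.pem` and `secret_and_certificate.p12` left on disk afterwards (offline backup, then secure deletion), belongs next to that command. Minor: the 64-character hash under the commandlinetools download should be labelled with its algorithm (it looks like SHA-256), and the URL `https://developer.android.com/studio?hl=i#downloads` appears truncated.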
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/commit/2b940775d781fa8e22d24d7e46b70dc6dc6ec6a6
--
You're receiving this email because of your account on gitlab.torproject.org.