[tor-commits] [Git][tpo/applications/tor-browser-spec][main] Bug 31161: Document Android signing key creation/usage

Thu Jul 13 08:20:05 UTC 2023


boklm pushed to branch main at The Tor Project / Applications / tor-browser-spec


Commits:
2b940775 by Matthew Finkel at 2023-07-13T10:14:42+02:00
Bug 31161: Document Android signing key creation/usage

- - - - -


2 changed files:

- + processes/APKSigning
- processes/KeyGeneration


Changes:

=====================================
processes/APKSigning
=====================================
@@ -0,0 +1,29 @@
+Signing Tor Browser for Android on a Linux machine
+==================================================
+
+Signing
+-------
+
+1) Ensure pkcs11 configuration file is available
+
+# Create a file containing the Provider arguments
+- cat > /tmp/pkcs11_java.cfg << EOF
+name = OpenSC-PKCS11
+description = SunPKCS11 via OpenSC
+library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
+slotListIndex = 0
+EOF
+
+2) Test the configuration file with `keytool` and confirm it can access the smartcard
+- keytool -providerClass sun.security.pkcs11.SunPKCS11     \
+          -providerArg /tmp/pkcs11_java.cfg -keystore NONE \
+          -storetype PKCS11 -list
+
+
+3) Signing the exectuable(s):
+
+- path/to/apksigner sign --verbose --provider-class sun.security.pkcs11.SunPKCS11  \
+                         --provider-arg pkcs11_java.cfg --ks NONE --ks-type PKCS11 \
+                         --debuggable-apk-permitted=false                          \
+                         --out tor-browser-${VERSION}-android-${arch}-multi-qa.apk \
+                         tor-browser-${VERSION}-android-${arch}-multi-unsigned.apk


=====================================
processes/KeyGeneration
=====================================
@@ -100,3 +100,71 @@ certtool r CertificateSigningRequest.certSigningRequest
 
 security add-certificates ~/developerID_application.cer
 security find-identity
+
+
+APK Signing Key
+===============
+
+These instructions are for a Nitrokey, as described in
+https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26536
+
+Software needed:
+----------------
+
+1) Android SDK build tools
+
+ - Latest (at time of writing):
+   - https://developer.android.com/studio?hl=i#downloads
+   - https://dl.google.com/android/repository/commandlinetools-linux-6609375_latest.zip
+   - 89f308315e041c93a37a79e0627c47f21d5c5edbe5e80ea8dc0aac8a649e0e92
+
+Installation
+------------
+
+1) Requirements
+
+- for the signing: sudo apt-get install nitrokey-app opensc-pkcs11 opensc openjdk-8-jdk
+  - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26536#note_2651175
+
+`nitrokey-app` should automatically detect the nitrokey if it is connected
+Debian Stretch provides version 0.6.3-1.
+
+  $ nitrokey-app
+
+Expect: "Application started successfully."
+
+
+Key Generation
+--------------
+
+1) Generate 4096-bit RSA key pair
+
+  $ openssl genrsa -out secretkey.pem -aes128 -rand /dev/urandom 4096
+
+2) Create CSR
+
+  $ openssl req -new -key secretkey.pem -out request.pem -subj "/CN=Tor Browser/O=The Tor Project/L=Seattle/ST=WA/C=US"
+
+3) Generate certificate (Google Play requires minimum expiratation date of 22 October 2033
+  # If you plan to publish your apps on Google Play, the key you use to sign
+  # your app must have a validity period ending after 22 October 2033. Google
+  # Play enforces this requirement to ensure that users can seamlessly
+  # upgrade apps when new versions are available.
+  # https://developer.android.com/studio/publish/app-signing#considerations
+
+  $ openssl x509 -req -days 5475 -in request.pem -signkey secretkey.pem -out certificate.pem -extfile openssl.cnf -extensions usr_cert
+
+4) Export secret key and certificate in PKCS12
+
+  $ openssl pkcs12 -export -out secret_and_certificate.p12 -in certificate.pem -inkey secretkey.pem -aes128
+
+5) Extract RSA public key
+
+  $ openssl rsa -in secretkey.pem -pubout -out publickey.pem
+
+Install private signing key on Nitrokey
+---------------------------------------
+
+- pkcs15-init --delete-objects privkey,pubkey,chain                 \
+              --id 3 --store-private-key secret_and_certificate.p12 \
+              --format pkcs12 --auth-id 3 --verify-pin



View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/commit/2b940775d781fa8e22d24d7e46b70dc6dc6ec6a6

-- 
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/commit/2b940775d781fa8e22d24d7e46b70dc6dc6ec6a6
You're receiving this email because of your account on gitlab.torproject.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-commits/attachments/20230713/ff30e32c/attachment-0001.htm>
