boklm pushed to branch main at The Tor Project / Applications / tor-browser-spec
Commits: 2b940775 by Matthew Finkel at 2023-07-13T10:14:42+02:00 Bug 31161: Document Android signing key creation/usage
- - - - -
2 changed files:
- + processes/APKSigning - processes/KeyGeneration
Changes:
===================================== processes/APKSigning ===================================== @@ -0,0 +1,29 @@ +Signing Tor Browser for Android on a Linux machine +================================================== + +Signing +------- + +1) Ensure pkcs11 configuration file is available + +# Create a file containing the Provider arguments +- cat > /tmp/pkcs11_java.cfg << EOF +name = OpenSC-PKCS11 +description = SunPKCS11 via OpenSC +library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so +slotListIndex = 0 +EOF + +2) Test the configuration file with `keytool` and confirm it can access the smartcard +- keytool -providerClass sun.security.pkcs11.SunPKCS11 \ + -providerArg /tmp/pkcs11_java.cfg -keystore NONE \ + -storetype PKCS11 -list + + +3) Signing the exectuable(s): + +- path/to/apksigner sign --verbose --provider-class sun.security.pkcs11.SunPKCS11 \ + --provider-arg pkcs11_java.cfg --ks NONE --ks-type PKCS11 \ + --debuggable-apk-permitted=false \ + --out tor-browser-${VERSION}-android-${arch}-multi-qa.apk \ + tor-browser-${VERSION}-android-${arch}-multi-unsigned.apk
===================================== processes/KeyGeneration ===================================== @@ -100,3 +100,71 @@ certtool r CertificateSigningRequest.certSigningRequest
security add-certificates ~/developerID_application.cer security find-identity + + +APK Signing Key +=============== + +These instructions are for a Nitrokey, as described in +https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26536 + +Software needed: +---------------- + +1) Android SDK build tools + + - Latest (at time of writing): + - https://developer.android.com/studio?hl=i#downloads + - https://dl.google.com/android/repository/commandlinetools-linux-6609375_late... + - 89f308315e041c93a37a79e0627c47f21d5c5edbe5e80ea8dc0aac8a649e0e92 + +Installation +------------ + +1) Requirements + +- for the signing: sudo apt-get install nitrokey-app opensc-pkcs11 opensc openjdk-8-jdk + - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26536#no... + +`nitrokey-app` should automatically detect the nitrokey if it is connected +Debian Stretch provides version 0.6.3-1. + + $ nitrokey-app + +Expect: "Application started successfully." + + +Key Generation +-------------- + +1) Generate 4096-bit RSA key pair + + $ openssl genrsa -out secretkey.pem -aes128 -rand /dev/urandom 4096 + +2) Create CSR + + $ openssl req -new -key secretkey.pem -out request.pem -subj "/CN=Tor Browser/O=The Tor Project/L=Seattle/ST=WA/C=US" + +3) Generate certificate (Google Play requires minimum expiratation date of 22 October 2033 + # If you plan to publish your apps on Google Play, the key you use to sign + # your app must have a validity period ending after 22 October 2033. Google + # Play enforces this requirement to ensure that users can seamlessly + # upgrade apps when new versions are available. + # https://developer.android.com/studio/publish/app-signing#considerations + + $ openssl x509 -req -days 5475 -in request.pem -signkey secretkey.pem -out certificate.pem -extfile openssl.cnf -extensions usr_cert + +4) Export secret key and certificate in PKCS12 + + $ openssl pkcs12 -export -out secret_and_certificate.p12 -in certificate.pem -inkey secretkey.pem -aes128 + +5) Extract RSA public key + + $ openssl rsa -in secretkey.pem -pubout -out publickey.pem + +Install private signing key on Nitrokey +--------------------------------------- + +- pkcs15-init --delete-objects privkey,pubkey,chain \ + --id 3 --store-private-key secret_and_certificate.p12 \ + --format pkcs12 --auth-id 3 --verify-pin
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/commit/2b9...