boklm pushed to branch main at The Tor Project / Applications / tor-browser-spec

Commits:

2 changed files:

Changes:

  • processes/APKSigning
    1
    +Signing Tor Browser for Android on a Linux machine
    
    2
    +==================================================
    
    3
    +
    
    4
    +Signing
    
    5
    +-------
    
    6
    +
    
    7
    +1) Ensure pkcs11 configuration file is available
    
    8
    +
    
    9
    +# Create a file containing the Provider arguments
    
    10
    +- cat > /tmp/pkcs11_java.cfg << EOF
    
    11
    +name = OpenSC-PKCS11
    
    12
    +description = SunPKCS11 via OpenSC
    
    13
    +library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
    
    14
    +slotListIndex = 0
    
    15
    +EOF
    
    16
    +
    
    17
    +2) Test the configuration file with `keytool` and confirm it can access the smartcard
    
    18
    +- keytool -providerClass sun.security.pkcs11.SunPKCS11     \
    
    19
    +          -providerArg /tmp/pkcs11_java.cfg -keystore NONE \
    
    20
    +          -storetype PKCS11 -list
    
    21
    +
    
    22
    +
    
    23
    +3) Signing the exectuable(s):
    
    24
    +
    
    25
    +- path/to/apksigner sign --verbose --provider-class sun.security.pkcs11.SunPKCS11  \
    
    26
    +                         --provider-arg pkcs11_java.cfg --ks NONE --ks-type PKCS11 \
    
    27
    +                         --debuggable-apk-permitted=false                          \
    
    28
    +                         --out tor-browser-${VERSION}-android-${arch}-multi-qa.apk \
    
    29
    +                         tor-browser-${VERSION}-android-${arch}-multi-unsigned.apk

  • processes/KeyGeneration
    ... ... @@ -100,3 +100,71 @@ certtool r CertificateSigningRequest.certSigningRequest
    100 100
     
    
    101 101
     security add-certificates ~/developerID_application.cer
    
    102 102
     security find-identity
    
    103
    +
    
    104
    +
    
    105
    +APK Signing Key
    
    106
    +===============
    
    107
    +
    
    108
    +These instructions are for a Nitrokey, as described in
    
    109
    +https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26536
    
    110
    +
    
    111
    +Software needed:
    
    112
    +----------------
    
    113
    +
    
    114
    +1) Android SDK build tools
    
    115
    +
    
    116
    + - Latest (at time of writing):
    
    117
    +   - https://developer.android.com/studio?hl=i#downloads
    
    118
    +   - https://dl.google.com/android/repository/commandlinetools-linux-6609375_latest.zip
    
    119
    +   - 89f308315e041c93a37a79e0627c47f21d5c5edbe5e80ea8dc0aac8a649e0e92
    
    120
    +
    
    121
    +Installation
    
    122
    +------------
    
    123
    +
    
    124
    +1) Requirements
    
    125
    +
    
    126
    +- for the signing: sudo apt-get install nitrokey-app opensc-pkcs11 opensc openjdk-8-jdk
    
    127
    +  - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26536#note_2651175
    
    128
    +
    
    129
    +`nitrokey-app` should automatically detect the nitrokey if it is connected
    
    130
    +Debian Stretch provides version 0.6.3-1.
    
    131
    +
    
    132
    +  $ nitrokey-app
    
    133
    +
    
    134
    +Expect: "Application started successfully."
    
    135
    +
    
    136
    +
    
    137
    +Key Generation
    
    138
    +--------------
    
    139
    +
    
    140
    +1) Generate 4096-bit RSA key pair
    
    141
    +
    
    142
    +  $ openssl genrsa -out secretkey.pem -aes128 -rand /dev/urandom 4096
    
    143
    +
    
    144
    +2) Create CSR
    
    145
    +
    
    146
    +  $ openssl req -new -key secretkey.pem -out request.pem -subj "/CN=Tor Browser/O=The Tor Project/L=Seattle/ST=WA/C=US"
    
    147
    +
    
    148
    +3) Generate certificate (Google Play requires minimum expiratation date of 22 October 2033
    
    149
    +  # If you plan to publish your apps on Google Play, the key you use to sign
    
    150
    +  # your app must have a validity period ending after 22 October 2033. Google
    
    151
    +  # Play enforces this requirement to ensure that users can seamlessly
    
    152
    +  # upgrade apps when new versions are available.
    
    153
    +  # https://developer.android.com/studio/publish/app-signing#considerations
    
    154
    +
    
    155
    +  $ openssl x509 -req -days 5475 -in request.pem -signkey secretkey.pem -out certificate.pem -extfile openssl.cnf -extensions usr_cert
    
    156
    +
    
    157
    +4) Export secret key and certificate in PKCS12
    
    158
    +
    
    159
    +  $ openssl pkcs12 -export -out secret_and_certificate.p12 -in certificate.pem -inkey secretkey.pem -aes128
    
    160
    +
    
    161
    +5) Extract RSA public key
    
    162
    +
    
    163
    +  $ openssl rsa -in secretkey.pem -pubout -out publickey.pem
    
    164
    +
    
    165
    +Install private signing key on Nitrokey
    
    166
    +---------------------------------------
    
    167
    +
    
    168
    +- pkcs15-init --delete-objects privkey,pubkey,chain                 \
    
    169
    +              --id 3 --store-private-key secret_and_certificate.p12 \
    
    170
    +              --format pkcs12 --auth-id 3 --verify-pin