| ... | ... | @@ -100,3 +100,71 @@ certtool r CertificateSigningRequest.certSigningRequest | 
| 100 | 100 |  
 | 
| 101 | 101 |  security add-certificates ~/developerID_application.cer
 | 
| 102 | 102 |  security find-identity
 | 
|  | 103 | +
 | 
|  | 104 | +
 | 
|  | 105 | +APK Signing Key
 | 
|  | 106 | +===============
 | 
|  | 107 | +
 | 
|  | 108 | +These instructions are for a Nitrokey, as described in
 | 
|  | 109 | +https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26536
 | 
|  | 110 | +
 | 
|  | 111 | +Software needed:
 | 
|  | 112 | +----------------
 | 
|  | 113 | +
 | 
|  | 114 | +1) Android SDK build tools
 | 
|  | 115 | +
 | 
|  | 116 | + - Latest (at time of writing):
 | 
|  | 117 | +   - https://developer.android.com/studio?hl=i#downloads
 | 
|  | 118 | +   - https://dl.google.com/android/repository/commandlinetools-linux-6609375_latest.zip
 | 
|  | 119 | +   - 89f308315e041c93a37a79e0627c47f21d5c5edbe5e80ea8dc0aac8a649e0e92
 | 
|  | 120 | +
 | 
|  | 121 | +Installation
 | 
|  | 122 | +------------
 | 
|  | 123 | +
 | 
|  | 124 | +1) Requirements
 | 
|  | 125 | +
 | 
|  | 126 | +- for the signing: sudo apt-get install nitrokey-app opensc-pkcs11 opensc openjdk-8-jdk
 | 
|  | 127 | +  - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26536#note_2651175
 | 
|  | 128 | +
 | 
|  | 129 | +`nitrokey-app` should automatically detect the nitrokey if it is connected
 | 
|  | 130 | +Debian Stretch provides version 0.6.3-1.
 | 
|  | 131 | +
 | 
|  | 132 | +  $ nitrokey-app
 | 
|  | 133 | +
 | 
|  | 134 | +Expect: "Application started successfully."
 | 
|  | 135 | +
 | 
|  | 136 | +
 | 
|  | 137 | +Key Generation
 | 
|  | 138 | +--------------
 | 
|  | 139 | +
 | 
|  | 140 | +1) Generate 4096-bit RSA key pair
 | 
|  | 141 | +
 | 
|  | 142 | +  $ openssl genrsa -out secretkey.pem -aes128 -rand /dev/urandom 4096
 | 
|  | 143 | +
 | 
|  | 144 | +2) Create CSR
 | 
|  | 145 | +
 | 
|  | 146 | +  $ openssl req -new -key secretkey.pem -out request.pem -subj "/CN=Tor Browser/O=The Tor Project/L=Seattle/ST=WA/C=US"
 | 
|  | 147 | +
 | 
|  | 148 | +3) Generate certificate (Google Play requires minimum expiratation date of 22 October 2033
 | 
|  | 149 | +  # If you plan to publish your apps on Google Play, the key you use to sign
 | 
|  | 150 | +  # your app must have a validity period ending after 22 October 2033. Google
 | 
|  | 151 | +  # Play enforces this requirement to ensure that users can seamlessly
 | 
|  | 152 | +  # upgrade apps when new versions are available.
 | 
|  | 153 | +  # https://developer.android.com/studio/publish/app-signing#considerations
 | 
|  | 154 | +
 | 
|  | 155 | +  $ openssl x509 -req -days 5475 -in request.pem -signkey secretkey.pem -out certificate.pem -extfile openssl.cnf -extensions usr_cert
 | 
|  | 156 | +
 | 
|  | 157 | +4) Export secret key and certificate in PKCS12
 | 
|  | 158 | +
 | 
|  | 159 | +  $ openssl pkcs12 -export -out secret_and_certificate.p12 -in certificate.pem -inkey secretkey.pem -aes128
 | 
|  | 160 | +
 | 
|  | 161 | +5) Extract RSA public key
 | 
|  | 162 | +
 | 
|  | 163 | +  $ openssl rsa -in secretkey.pem -pubout -out publickey.pem
 | 
|  | 164 | +
 | 
|  | 165 | +Install private signing key on Nitrokey
 | 
|  | 166 | +---------------------------------------
 | 
|  | 167 | +
 | 
|  | 168 | +- pkcs15-init --delete-objects privkey,pubkey,chain                 \
 | 
|  | 169 | +              --id 3 --store-private-key secret_and_certificate.p12 \
 | 
|  | 170 | +              --format pkcs12 --auth-id 3 --verify-pin |
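Review bot: line 155's `-extfile openssl.cnf -extensions usr_cert` points at a file these instructions never provide or locate; run from a directory without an openssl.cnf the command fails, and since the `usr_cert` section decides which extensions (basicConstraints CA:FALSE, keyUsage, and so on) land in the signing certificate, the doc should say where that file comes from or show the section it must contain. Line 168's `pkcs15-init --delete-objects privkey,pubkey,chain` erases whatever key, public key and certificate chain already sit on the token before the import; that is worth an explicit warning plus a `pkcs15-tool --dump` check beforehand so an existing signing key is not destroyed by accident. Smaller points: line 148 reads "expiratation" and is missing its closing parenthesis; the hash on line 119 names no algorithm and no verification step (a `sha256sum -c` line would make the intent clear); and after the step on line 159 both secretkey.pem and the .p12 remain on disk in the clear, so the text should say how those files are to be stored offline or wiped once the key is on the Nitrokey.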