[tbb-bugs] #26536 [Applications/Tor Browser]: Create APK signing keys

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Aug 1 15:50:44 UTC 2018


#26536: Create APK signing keys
--------------------------------------+-----------------------------------
 Reporter:  sysrqb                    |          Owner:  tbb-team
     Type:  task                      |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-mobile                |  Actual Points:
Parent ID:  #26531                    |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------

Comment (by sysrqb):

 Replying to [comment:2 gk]:
 > What's the story in case the key gets compromised/lost and needs to get replaced?

 Total sadness.

 > How is that handled? (I am in particular interested in the impact for updates)

 Basically, we would generate a new key, and existing users would not be
 able to install the next update because the signing key would be
 different. As a result, we would have two options: 1) release a new
 version of the app signed with the new key, but an existing user would
 first need to uninstall the old version of the app before they can install
 the new version; 2) release a new version of the app using a different
 name (org.torproject.torbrowser2, or something like that). If we use a
 different name, then the user can have both versions installed at the same
 time and they can manually copy any bookmarks from one app to the other.

 We might want to create a plan for how we inform users about this
 situation and what they should do.

 {{{
 If you lose access to your app signing key or your key is compromised,
 Google cannot retrieve the app signing key for you, and you will not
 be able to release new versions of your app to users as updates to the
 original app.
 }}}
 https://developer.android.com/studio/publish/app-signing#self-manage

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26536#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
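
The update rule described in the comment above can be checked before a release is published. This is an added example, not code from the ticket or from the Tor Browser build system: it parses the text printed by `apksigner verify --print-certs` and models what happens when the candidate APK meets an existing install. The digests, the sample output and the package name `org.torproject.torbrowser` are constructed or assumed, and only the single-key case discussed in the ticket is modelled (no key rotation).

```python
import re

# Line printed by `apksigner verify --print-certs <apk>` for each signer.
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)

def signer_digests(print_certs_output):
    """Return the set of signer certificate SHA-256 digests in the output."""
    digests = {d.lower() for d in DIGEST_RE.findall(print_certs_output)}
    if not digests:
        raise ValueError("no signer certificate digest found")
    return digests

def install_outcome(installed, package, print_certs_output):
    """Model what happens when the candidate APK is installed.

    installed maps package name -> signer digest set already on the device.
    """
    candidate = signer_digests(print_certs_output)
    current = installed.get(package)
    if current is None:
        return "fresh-install"   # unknown package name: installs beside others
    if current == candidate:
        return "update"          # same key: in-place update, data is kept
    # Android refuses this with INSTALL_FAILED_UPDATE_INCOMPATIBLE.
    return "rejected-signature-mismatch"

# Constructed sample data: these are not real Tor Browser keys.
OLD_KEY, NEW_KEY = "ab" * 32, "cd" * 32
APP = "org.torproject.torbrowser"  # assumed current package name

def sample_output(digest):
    """Build constructed apksigner output for one signer."""
    return ("Signer #1 certificate DN: CN=Example Release Key\n"
            f"Signer #1 certificate SHA-256 digest: {digest}\n"
            f"Signer #1 certificate SHA-1 digest: {'0' * 40}\n")

def scenarios():
    """Run the cases from the comment: normal update, then options 1 and 2."""
    device = {APP: {OLD_KEY}}
    return {
        "same key": install_outcome(device, APP, sample_output(OLD_KEY)),
        "new key": install_outcome(device, APP, sample_output(NEW_KEY)),
        "option 1, after uninstall": install_outcome({}, APP, sample_output(NEW_KEY)),
        "option 2, new name": install_outcome(device, APP + "2", sample_output(NEW_KEY)),
    }

if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case}: {outcome}")
```

In a release pipeline the same comparison can be run against the pinned digest of the previous release, failing the build when the result is not `update`.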

