[tbb-bugs] #28144 [Applications/Tor Browser]: Update projects/tor-browser for Android

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Nov 7 20:33:12 UTC 2018


#28144: Update projects/tor-browser for Android
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  defect                               |         Status:  needs_revision
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-rbm, tbb-mobile,                 |  Actual Points:
  TorBrowserTeam201811, TBA-a2                   |
Parent ID:  #26693                               |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by gk):

 Replying to [comment:17 sisbell]:
 > Replying to [comment:16 sysrqb]:
 >
 > > Replying to [comment:15 gk]:
 > >
 > >
 > > > I am not so sure, though, that not signing it is not a problem. How
 > > > are we testing our final result on Android devices without *any*
 > > > signing? (We don't have that problem on desktop platforms as signing
 > > > requirements can get disabled if they are existing at all)
 > > >
 > > >
 > >
 > > Ah. Good point. The unsigned-unaligned apk should be (as the name
 > > implies) not signed. But when building Fennec with Mozilla's build
 > > system, they produce an additional apk that is signed with a
 > > [https://developer.android.com/studio/publish/app-signing#debug-mode debug signing key].
 > > It looks like that happens in
 > > [https://gitweb.torproject.org/tor-browser.git/tree/config/android-common.mk?h=tor-browser-60.3.0esr-8.5-1#n11 config/android-common.mk],
 > > calling
 > > [https://gitweb.torproject.org/tor-browser.git/tree/mobile/android/debug_sign_tool.py?h=tor-browser-60.3.0esr-8.5-1#n11 mobile/android/debug_sign_tool.py].
 > > I think we can use this, too.
 >
 > We have different types of signing under consideration:
 >
 >  * v1: Android 6 and earlier jarsigning
 >  * v2: with signing block (Android 7): https://source.android.com/security/apksigning/v2
 >  * v3: with key rotation (Android 9): https://source.android.com/security/apksigning/v3
 >
 > It looks like Mozilla is using v1 for debug; this is the only case we
 > need to consider for the debug build. For production level signing, we
 > should consider looking into v3 (perhaps Mozilla is already using v3
 > signing?)

 Yes, but for the outcome in our tor-browser-build whatever Mozilla is
 doing is enough (e.g. v1 if we get that in our current firefox build).
 It's just for testing on devices that our code does what it should (and
 only that :) ). The real signing for release is done later, outside of our
 tor-browser-build environment.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28144#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
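
Added example, not part of the ticket or of tor-browser-build: a presence check for the three signing schemes listed in the quoted comment, for confirming what a build output actually carries before it goes onto a test device. The function names and sample archives are constructed for illustration; the block magic and scheme IDs are those given in the linked Android v2/v3 documentation. It reports presence only and verifies no signature.

```python
import io
import struct
import zipfile

MAGIC = b"APK Sig Block 42"
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}  # block IDs from the v2/v3 docs

def signing_schemes(apk: bytes) -> set:
    """Report which signature schemes an APK carries (presence only, no verification)."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        meta = [n.upper() for n in zf.namelist() if n.upper().startswith("META-INF/")]
    # v1 (JAR signing): a .SF file plus a .RSA/.DSA/.EC signature block in META-INF/
    if any(n.endswith(".SF") for n in meta) and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta):
        found.add("v1")
    # v2/v3: the APK Signing Block sits directly before the ZIP central directory
    eocd = apk.rfind(b"PK\x05\x06")  # assumes no ZIP comment containing this marker
    cd = struct.unpack_from("<I", apk, eocd + 16)[0]
    if cd < 32 or apk[cd - 16:cd] != MAGIC:
        return found
    size = struct.unpack_from("<Q", apk, cd - 24)[0]
    start = cd - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        return found  # malformed: leading and trailing size fields disagree
    pos, end = start + 8, cd - 24
    while pos + 12 <= end:  # each pair: uint64 length, uint32 ID, value bytes
        length, pair_id = struct.unpack_from("<QI", apk, pos)
        if length < 4 or pos + 8 + length > end:
            break
        if pair_id in SCHEME_IDS:
            found.add(SCHEME_IDS[pair_id])
        pos += 8 + length
    return found

def make_sample(names, block_ids=()) -> bytes:
    """Build a constructed APK-shaped ZIP with dummy contents (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"dummy")
    apk = buf.getvalue()
    eocd = apk.rfind(b"PK\x05\x06")
    cd = struct.unpack_from("<I", apk, eocd + 16)[0]
    pairs = b"".join(struct.pack("<QI", 8, i) + b"\0" * 4 for i in block_ids)
    size = struct.pack("<Q", len(pairs) + 24)
    block = size + pairs + size + MAGIC if block_ids else b""
    out = bytearray(apk[:cd] + block + apk[cd:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd + len(block))
    return bytes(out)
```

A debug-signed build of the kind discussed in the thread would be expected to report only `v1`; an empty result means the file carries no signature of any of the three schemes.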