[tbb-bugs] #26536 [Applications/Tor Browser]: Create APK signing keys

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu May 9 16:22:10 UTC 2019


#26536: Create APK signing keys
-------------------------------------------------+-----------------------------------
 Reporter:  sysrqb                               |          Owner:  tbb-team
     Type:  task                                 |         Status:  needs_information
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-mobile, TBA-a3, tbb-8.5-must,    |  Actual Points:
  TorBrowserTeam201905                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:  Sponsor8
-------------------------------------------------+-----------------------------------

Comment (by sysrqb):

 Replying to [comment:16 eighthave]:
 > Wow, you have really dug into the depths here!  Great to see, but sucks
 > that this is still so hard.  Maybe the short term answer is using
 > _jarsigner_?  That will introduce an annoying reproducibility issue since
 > _jarsigner_ includes the full Java major/minor/bugfix/patch version in the
 > META-INF/MANIFEST.MF in the APK.

 Yeah, I was hoping we could avoid using jarsigner (in particular so we can
 take advantage of the newer APK signature schemes).

 > As for fixing apksigner, I'm up for getting fixes into Debian, I
 > maintain that package.  It should be possible to get fixes into both
 > stretch and buster, if they are not too big.  I think that would also be
 > possible for opensc-pkcs11, but I'm not the maintainer of that package, so
 > harder to promise anything.

 The problem here is on Stretch the bug I was hitting is in opensc-pkcs11 -
 not apksigner. On Fedora 29, the bug is in apksigner, so I opened a ticket
 for that.

 https://issuetracker.google.com/issues/132333137

 > Maybe there is already a fix upstream, did you look at
 > https://android.googlesource.com/platform/tools/apksig/ ?

 Yeah, sadly it isn't fixed. I didn't see any tickets closely related to it
 either - other than one ticket from 2017 but it wasn't helpful.

 Thanks for the comments, though - it's all good to know.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26536#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

