[guardian-dev] using a g10 smartcard for our APK signing key

Natanael natanael.l at gmail.com
Tue Nov 12 16:42:04 EST 2013


Yubikeys also can be programmed to generate PGP signatures in OpenPGP
smartcard mode. Haven't tried that, but I've read somebody else is doing
it already. Yubico (the company making them) seems to be pretty responsive,
you might want to send them some questions on their security. I haven't
heard of anybody hacking one yet. Those devices are somewhat more expensive
than regular smartcards, but they seem to be more flexible.

- Sent from my phone
On 12 Nov 2013 19:26, "Hans-Christoph Steiner" <hans at guardianproject.info> wrote:

>
> I was thinking that we should use one of these OpenPGP smartcards for the
> signing key we use for signing our official APK releases.  They are supposed
> to work for X.509 keys as well.  Anyone have any experience using jarsigner
> and keytool, or Android even, with these smartcards?
>
> They also promise that it is not possible to read the secret key off of them.
> I wonder if that promise is strong enough that we could plug one of these
> into our nightly build server so that our nightly builds would share the same
> key as the official releases.
>
> .hc
>
> --
> PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81