[guardian-dev] using a g10 smartcard for our APK signing key
coderman
coderman at gmail.com
Tue Nov 12 20:05:14 EST 2013
On Tue, Nov 12, 2013 at 10:25 AM, Hans-Christoph Steiner
<hans at guardianproject.info> wrote:
>
> I was thinking that we should use one of these OpenPGP smartcards for the
> signing key we use for signing our official APK releases. They are supposed
> to work for X.509 keys as well. Anyone have an experience using jarsigner and
> keytool, or Android even, with these smartcards?
i have used various HSMs with keytool and Java KeyStores. the critical bits are:

# explicitly define store type, if needed
-storetype PKCS11

# passing the PKCS#11 provider as the type. most hardware security modules support this syntax.
-providerClass sun.security.pkcs11.SunPKCS11

# custom PKCS#11 config. this is specific to provider, allows you to access slots
-providerArg /path/to/my/pkcs11.cfg

# use debug mode to re-scan slots for easy usability (TODO: explain)
-J-Djava.security.debug=sunpkcs11

# ... alternatively, be sure to always set "slot=-1" unSET slot number in config to force scan.

i have not used hardware key systems via non-PKCS#11 interfaces; they do exist as well...

best regards,
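
The options listed in the message, combined into a full list, sign and verify sequence; this is an added example, not part of the original message. The OpenSC library path, the provider name `OpenPGPCard`, the alias `release-key`, the APK file name and the `DRY_RUN` and `PKCS11_DEBUG` switches are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Paths, provider name and alias are assumptions.

# Print the command instead of running it when DRY_RUN=1 (hypothetical switch).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Write a minimal SunPKCS11 provider config: $1=config path, $2=name, $3=library.
# No "slot" line is written, so the config does not pin a slot number.
write_pkcs11_cfg() {
    printf 'name = %s\nlibrary = %s\n' "$2" "$3" > "$1"
}

# Run keytool or jarsigner against the token: $1=tool, $2=config, rest=tool args.
with_token() {
    tool=$1; cfg=$2; shift 2
    # PKCS11_DEBUG=1 (hypothetical switch) adds the debug option from the message.
    if [ "${PKCS11_DEBUG:-0}" = 1 ]; then
        set -- -J-Djava.security.debug=sunpkcs11 "$@"
    fi
    # -keystore NONE: the keys live on the token, not in a keystore file.
    run "$tool" -keystore NONE -storetype PKCS11 \
        -providerClass sun.security.pkcs11.SunPKCS11 \
        -providerArg "$cfg" "$@"
}

list_token_keys() { with_token keytool "$1" -list; }        # $1=config
sign_apk()        { with_token jarsigner "$1" "$2" "$3"; }  # $1=config $2=apk $3=alias
verify_apk()      { run jarsigner -verify -verbose -certs "$1"; }  # $1=apk

# Typical sequence (uncomment to use; library path is an assumed OpenSC location):
# write_pkcs11_cfg ./pkcs11.cfg OpenPGPCard /usr/lib/opensc-pkcs11.so
# list_token_keys ./pkcs11.cfg
# sign_apk ./pkcs11.cfg app-release-unsigned.apk release-key
# verify_apk app-release-unsigned.apk
```

Listing the token first confirms that the provider can see the card and shows the alias to pass to the signing step.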