[guardian-dev] using a g10 smartcard for our APK signing key

coderman coderman at gmail.com
Tue Nov 12 20:05:14 EST 2013

On Tue, Nov 12, 2013 at 10:25 AM, Hans-Christoph Steiner
<hans at guardianproject.info> wrote:
> I was thinking that we should use one of these OpenPGP smartcards for the
> signing key we use for signing our official APK releases.  They are supposed
> to work for X.509 keys as well.  Anyone have an experience using jarsigner and
> keytool, or Android even, with these smartcards?

i have used various HSMs with keytool and Java KeyStores. the critical bits are:

# explicitly define store type, if needed
-storetype PKCS11

# passing the PKCS#11 provider as the type. most hardware security
modules support this syntax.
-providerClass sun.security.pkcs11.SunPKCS11

# custom PKCS#11 config. this is specific to provider, allows you to
access slots
-providerArg /path/to/my/pkcs11.cfg

# use debug mode to re-scan slots for easy usability (TODO: explain)
# ... alternatively, be sure to always set "slot=-1" unSET slot number
in config to force scan.

i have not used hardware key systems via non-PKCS#11 interfaces; they
do exist as well...

best regards,

More information about the Guardian-dev mailing list