[guardian-dev] using a g10 smartcard for our APK signing key

Tamer Bilir tamer at mstsc.nl
Fri Nov 15 04:43:27 EST 2013


Can this be useful for Chatsecure to protect your keys: http://code.google.com/p/seek-for-android/

It's a Secure Encrypted MicroSD from G&D where you can program your app to. It would be cool to do a liveboot OS from such a card with keys protected also on the SD.

Chatsecure Enterprise edition 

-----Original Message-----
From: guardian-dev-bounces+mp=mstsc.nl at lists.mayfirst.org [mailto:guardian-dev-bounces+mp=mstsc.nl at lists.mayfirst.org] On Behalf Of Abel Luck
Sent: Thursday, 14 November 2013 12:59
To: guardian-dev at lists.mayfirst.org
Subject: Re: [guardian-dev] using a g10 smartcard for our APK signing key

Hans-Christoph Steiner:
> 
> I was thinking that we should use one of these OpenPGP smartcards for 
> the signing key we use for signing our official APK releases.  They 
> are supposed to work for X.509 keys as well.  Anyone have any
> experience using jarsigner and keytool, or Android even, with these smartcards?
> 
> They also promise that it is not possible to read the secret key off of them.
>  I wonder if that promise is strong enough that we could plug one of 
> these into our nightly build server so that our nightly builds would
> share the same key as the official releases.
> 
> .hc
> 

Interesting idea. Though even if it was impossible to read the secret key off, for the system you proposed to work, the card must remain plugged in unattended with no PIN protecting the key.

If the box was compromised or the smartcard physically stolen/accessed, the attacker could sign anything.

I guess it depends on what we assess our physical security threats to be and whether we are worried about the automated build server being compromised and renegade builds signed.

~abel