[guardian-dev] APK signing keys are vulnerable WAS: pgp, nsa, rsa
Daniel McCarney
daniel at binaryparadox.net
Thu Sep 26 10:06:53 EDT 2013
I followed up off-list with better suggestions. You're right, SHA256withRSA
won't work for versions of Android <4.3:
http://code.google.com/p/android/issues/detail?id=38321
It's true that both RSA and DSA are supported (using SHA1withRSA or
SHA1withDSA). ECDSA and hash algorithms other than SHA1 only worked after the
patches linked to in the above issue were merged in 4.3
- Daniel
On 26/09, Michael Rogers wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 25/09/13 21:19, Hans-Christoph Steiner wrote:
> >
> > Also, we should document how to generate a good signing key. Pd0x
> > just recommended this in #guardianproject:
> >
> > keytool -genkey -v -keystore test.keystore -alias testkey -keyalg
> > RSA -keysize 8192 -sigalg SHA256withRSA -dname
> > "cn=Test,ou=Test,c=CA" -validity 10000'
>
> Will -sigalg SHA256withRSA work on all versions of Android? The docs
> say "Use the value SHA1withRSA". (On the other hand, elsewhere on the
> same page it says "Both DSA and RSA are supported" when generating
> keys, which seems inconsistent.)
>
> https://developer.android.com/tools/publishing/app-signing.html#signapp
>
> Cheers,
> Michael
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iQEcBAEBAgAGBQJSRDcKAAoJEBEET9GfxSfMwVQIALNOcqx35EWJRm0B7btSXZtX
> zLx8qV0GBY6MlYR57+cfQRAeR2yrkYh/7luZ35t5945IO8ejSABDx3JMjl28lJ00
> ryr87PrqTSWscXLRSyI/dBkBv1PnhZqKuPPX1W8F4Ho0TMaR+45l8XEib+sqZ+Kf
> BLlM0JQxkJ3XX+yeGCSHtVlpmSeVLfaOdXelTDHxkiePABObTYOQN9q+X+zqsONH
> apl9S4aTrJ3rcM3uom7TinlDe1d0Y4xvh/5KdAdxbDkg0nlseMPhcMrV1Cq4JgPJ
> Lwmy/JpgaFYZCRjHiP09493Ii9EIyPt72JC/XQSAJlEImb37pMJpRWzLnhE3wPE=
> =UTxc
> -----END PGP SIGNATURE-----
> _______________________________________________
> Guardian-dev mailing list
>
> Post: Guardian-dev at lists.mayfirst.org
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>
> To Unsubscribe
> Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
> Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/daniel%40binaryparadox.net
>
> You are subscribed as: daniel at binaryparadox.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <http://lists.mayfirst.org/pipermail/guardian-dev/attachments/20130926/ad855718/attachment.pgp>
More information about the Guardian-dev
mailing list