[guardian-dev] Improving the APK Signing Procedure

Hans-Christoph Steiner hans at guardianproject.info
Tue Apr 1 13:58:16 EDT 2014


Thanks, hope you find it useful :)

APKs with ECC signatures will not install on Android older than 4.3, so
unfortunately, it's not really relevant yet.

.hc

On 04/01/2014 01:44 PM, ShootAKite at riseup.net wrote:
> Great Documentation Hans! 
> A
>  Maybe include a signing procedure to support the ecparam encryption
> cipher suite starting with Kit Kat.  'openssl ecparam -out secretkey.pem
> -name sect283k1 -rand /dev/random'
> On 03/28/2014 03:58 PM, Hans-Christoph Steiner wrote:
>> Ok, the blog post is up, this is the first HSM I got working with the whole
>> procedure of generating a key using openssl then ultimately signing an APK
>> using the HSM:
>>
>> https://guardianproject.info/2014/03/28/security-in-a-thumb-drive-the-promise-and-pain-of-hardware-security-modules-take-one/
>>
>> .hc
>>
>> On 03/28/2014 02:06 PM, Hans-Christoph Steiner wrote:
>>> I've been working on developing a procedure for signing Android APKs (and Jars
>>> for that matter) based on modern best practices and the use of a Hardware
>>> Security Module (HSM).  I think I've nailed down the key generation procedure,
>>> so I'd like to run it by everyone here for comments, suggestions, flames, etc.
>>>  Also, there is a blog post in the works that is a HOWTO for putting this key
>>> onto a HSM.
>>>
>>> https://dev.guardianproject.info/projects/bazaar/wiki/Improving_the_APK_Signing_Procedure
>>>
>>> Here's the key excerpt:
>>>
>>> When it comes to generating, openssl has a better security track record than
>>> Java. Also, using openssl with Java is a less common combination so that
>>> exploits that might work with Java/keytool/jarsigner might not work with a key
>>> generated with openssl then imported using keytool. The downside is that there
>>> might also be weaknesses exposed by this trick, but that seems less likely
>>> than Java/keytool having problems. Additionally, I recommend generating your
>>> key using /dev/random because this is a long-lived key and therefore more
>>> sensitive. This does make generating the key take a lot longer.
>>>
>>> openssl genrsa -out secretkey.pem -aes128 -rand /dev/random 4096
>>> openssl req -new -key secretkey.pem -out request.pem
>>> openssl x509 -req -days 9999 -in request.pem -signkey secretkey.pem \
>>>     -out certificate.pem
>>> openssl pkcs12 -export -out certificate.p12 -in certificate.pem \
>>>     -inkey secretkey.pem
>>>
>>> keytool -importkeystore \
>>>     -srckeystore certificate.p12 -srcstoretype PKCS12 \
>>>     -destkeystore certificate.jkr -deststoretype JKS
>>>
>>> You can follow the progress of all this work in our git repo:
>>> https://github.com/guardianproject/smartcard-apk-signing
>>>
>>> .hc
>>>
>>>
>>
>>
> 

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
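The following is an added example, not a script from the original post, the wiki page or the smartcard-apk-signing repo. It runs the quoted openssl key-generation procedure non-interactively and then performs the checks a practitioner would want before the key goes anywhere near an HSM or a keystore: that the certificate's public key really belongs to the generated private key, that the key size and validity period are what was asked for, and (the point raised in this reply) that the signing key is RSA rather than EC, since APKs signed with an EC key will not install on Android older than 4.3. Assumptions that are not in the original: the passphrase comes from a KEY_PASS environment variable instead of an interactive prompt, the certificate subject is passed as an argument, -sha256 is given explicitly on the self-signed certificate, and keytool is only run if a JDK is present.

```shell
#!/bin/sh
# Added example (not from the original post or the smartcard-apk-signing repo).
# Assumptions: KEY_PASS holds the key passphrase; subject is passed in
# (the default below is a placeholder); openssl >= 1.1.1 on PATH; keytool optional.

# Generate an AES-128-encrypted RSA key, a self-signed cert and a PKCS12 bundle in $1.
gen_signing_key() {
  dir=$1; bits=${2:-4096}; subj=${3:-"/CN=Example APK Signer"}
  : "${KEY_PASS:?set KEY_PASS to the key passphrase}"
  mkdir -p "$dir"
  # Same parameters as the post: encrypted key, seeded from /dev/random.
  openssl genrsa -out "$dir/secretkey.pem" -aes128 -passout "pass:$KEY_PASS" \
      -rand /dev/random "$bits" || return 1
  openssl req -new -key "$dir/secretkey.pem" -passin "pass:$KEY_PASS" \
      -subj "$subj" -out "$dir/request.pem" || return 1
  # -sha256 is an addition: old openssl builds default to SHA-1 here.
  openssl x509 -req -days 9999 -sha256 -in "$dir/request.pem" \
      -signkey "$dir/secretkey.pem" -passin "pass:$KEY_PASS" \
      -out "$dir/certificate.pem" || return 1
  openssl pkcs12 -export -out "$dir/certificate.p12" -in "$dir/certificate.pem" \
      -inkey "$dir/secretkey.pem" -passin "pass:$KEY_PASS" \
      -passout "pass:$KEY_PASS" || return 1
  # The keytool import from the post, run only if a JDK is installed.
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -noprompt \
        -srckeystore "$dir/certificate.p12" -srcstoretype PKCS12 \
        -srcstorepass "$KEY_PASS" \
        -destkeystore "$dir/certificate.jks" -deststoretype JKS \
        -deststorepass "$KEY_PASS" >/dev/null 2>&1 ||
      echo "keytool import failed; with OpenSSL 3 re-export using 'openssl pkcs12 -export -legacy'" >&2
  fi
}

# Print the public-key size recorded in the certificate (matches both the
# older "RSA Public-Key: (N bit)" and the newer "Public-Key: (N bit)" wording).
key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only if the cert's public key is the one derived from the private
# key in $1/secretkey.pem (catches a cert/key mix-up before it is imported).
verify_key_matches_cert() {
  key_fp=$(openssl pkey -in "$1/secretkey.pem" -passin "pass:$KEY_PASS" \
             -pubout -outform DER | openssl dgst -sha256)
  cert_fp=$(openssl x509 -in "$1/certificate.pem" -noout -pubkey |
              openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ -n "$key_fp" ] && [ "$key_fp" = "$cert_fp" ]
}

# Succeed if the certificate is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# The compatibility point from the thread: an EC key is fine cryptographically,
# but APKs signed with it will not install on Android older than 4.3.
check_android_compat() {
  alg=$(openssl x509 -in "$1" -noout -text |
          sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
  case $alg in
    rsaEncryption) echo "RSA signing key: installs on every Android version" ;;
    id-ecPublicKey)
      echo "EC signing key: APKs will not install on Android older than 4.3" >&2
      return 1 ;;
    *) echo "unexpected key algorithm: $alg" >&2; return 1 ;;
  esac
}

# Usage: KEY_PASS=... sh apk-signing-key.sh ./keys [bits] [subject]
if [ $# -gt 0 ]; then
  gen_signing_key "$@" &&
  echo "key size: $(key_bits "$1/certificate.pem") bits" &&
  verify_key_matches_cert "$1" &&
  cert_valid_for_days "$1/certificate.pem" 9998 &&
  check_android_compat "$1/certificate.pem"
fi
```

Run as KEY_PASS=... sh apk-signing-key.sh ./keys to reproduce the post's 4096-bit key; pass a smaller size as the second argument only for testing, since the whole point of the post is a long-lived key. The key-matches-cert check compares SHA-256 digests of the DER public key taken from both files, so it works whichever openssl version wrote them.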

