[guardian-dev] security issues of publishing private package signing key

Jonas Smedegaard dr at jones.dk
Tue Jan 14 19:13:18 EST 2014


Quoting Jonas Smedegaard (2014-01-14 23:51:05)
> Does anyone here know what are the security implications of compiling 
> Android using the demo keypair shipped with it - effectively releasing 
> APKs signed with a key that has its private key "leaked"?

After discussion at #guardianproject on IRC, I was recommended to reveal 
the details:

It is Replicant that uses the demo key shipped with the source.

So it is not about compiling+signing single Android Apps, (thanks 
anyway, Chris) but compiling+signing the core system.  It came to my 
attention today that Replicant uses the demo key, and the developer 
I discussed it with treated it as no big deal - leading me to ask 
here.

On IRC "pd0x" told me that CyanogenMod used to do similar, and passwed 
me this news article covering how it has gone wrong in the past 
(including some interesting comments): https://lwn.net/Articles/448134/

Thanks for helping out - I will pass this info to Replicant developers 
tomorrow.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 966 bytes
Desc: signature
URL: <http://lists.mayfirst.org/pipermail/guardian-dev/attachments/20140115/eba7b314/attachment.pgp>


More information about the Guardian-dev mailing list