[guardian-dev] security issues of publishing private package signing key
dr at jones.dk
Tue Jan 14 19:13:18 EST 2014
Quoting Jonas Smedegaard (2014-01-14 23:51:05)
> Does anyone here know what are the security implications of compiling
> Android using the demo keypair shipped with it - effectively releasing
> APKs signed with a key that has its private key "leaked"?
After discussion at #guardianproject on IRC, I was recommended to reveal
It is Replicant that uses the demo key shipped with the source.
So it is not about compiling+signing single Android Apps (thanks
anyway, Chris) but compiling+signing the core system. It came to my
attention today that Replicant uses the demo key, and the developer
I discussed it with treated it as no big deal - leading me to ask
On IRC "pd0x" told me that CyanogenMod used to do similar, and passed
me this news article covering how it has gone wrong in the past
(including some interesting comments): https://lwn.net/Articles/448134/
Thanks for helping out - I will pass this info to Replicant developers
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private