[guardian-dev] Improving the APK Signing Procedure

Hans-Christoph Steiner hans at guardianproject.info
Fri Mar 28 16:58:46 EDT 2014

Ok, the blog post is up, this is the first HSM I got working with the whole
procedure of generating a key using openssl then ultimately signing an APK
using the HSM:



On 03/28/2014 02:06 PM, Hans-Christoph Steiner wrote:
> I've been working on developing a procedure for signing Android APKs (and Jars
> for that matter) based on modern best practices and the use of a Hardware
> Security Module (HSM).  I think I've nailed down the key generation procedure,
> so I'd like to run it by everyone here for comments, suggestions, flames, etc.
>  Also, there is a blog post in the works that is a HOWTO for putting this key
> onto a HSM.
> https://dev.guardianproject.info/projects/bazaar/wiki/Improving_the_APK_Signing_Procedure
> Here's the key excerpt:
> When it comes to generating, openssl has a better security track record than
> Java. Also, using openssl with Java is a less common combination so that
> exploits that might work with Java/keytool/jarsigner might not work with a key
> generated with openssl then imported using keytool. The downside is that there
> might also be weaknesses exposed by this trick, but that seems less likely
> than Java/keytool having problems. Additionally, I recommend generating your
> key using /dev/random because this is a long-lived key and therefore more
> sensitive. This does make generating the key take a lot longer.
> openssl genrsa -out secretkey.pem -aes128 -rand /dev/random 4096
> openssl req -new -key secretkey.pem -out request.pem
> openssl x509 -req -days 9999 -in request.pem -signkey secretkey.pem \
>     -out certificate.pem
> openssl pkcs12 -export -out certificate.p12 -in certificate.pem \
>     -inkey secretkey.pem
> keytool -importkeystore \
>     -srckeystore certificate.p12 -srcstoretype PKCS12 \
>     -destkeystore certificate.jkr -deststoretype JKS
> You can follow the progress of all this work in our git repo:
> https://github.com/guardianproject/smartcard-apk-signing
> .hc

PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 969 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mayfirst.org/pipermail/guardian-dev/attachments/20140328/c888624b/attachment.pgp>

More information about the Guardian-dev mailing list