Opened 5 months ago

Last modified 6 weeks ago

#26536 needs_information task

Create APK signing keys

Reported by: sysrqb
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-mobile, TBA-a3
Cc: igt0, gk
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

This is the ticket so we can decide how we create it, where we store it, and what mechanisms we can use for securing it.

Change History (7)

comment:1 Changed 4 months ago by sysrqb

Status: new → needs_information

It appears we can create and store the key offline.

I was hoping we could create an "identity" key and a "signing" key for Android, but it seems like this won't work. Specifically, newer versions of Android support signing an app where the public key for verifying the signature is stored in two places. The first place is at the end of the signing block. This key has only one purpose - verifying that the signing block signatures are valid. In the second place, the public key is stored within the signing block, but here we may include a certificate chain. I was hoping we could create a long-term identity key and then short-term signing keys, similar to a PGP primary key and subkeys. However, from my code diving, Android does not verify the certificate chain embedded in the app. Android only verifies that the first (leaf) certificate in the embedded certificate chain contains the same public key as the public key provided at the end of the signing block used for verifying the signature.

We should generate the key offline - Hans published a nice script for this (although it's a little old): https://github.com/guardianproject/smartcard-apk-signing/blob/master/openssl-gen/gen.sh

We can use a Yubikey or Nitrokey for storing the key. I'll feel more comfortable if we have more than one copy of the key.

Newer versions of Android support something called (upgrade) keysets for verifying the app's authenticity. I'm not sure how we can use it yet. I think it allows for adding more signatures using more keys, but I'm not sure if there's a way we can use it for rotating keys.

With all this being said, we can likely generate our first APK signing key using a similar method as the Tor Browser PGP signing key - using an offline laptop booted with TAILS, etc.

comment:2 Changed 4 months ago by gk

What's the story in case the key gets compromised/lost and needs to get replaced? How is that handled? (I am in particular interested in the impact for updates)

comment:3 in reply to:  2 Changed 4 months ago by sysrqb

Replying to gk:

> What's the story in case the key gets compromised/lost and needs to get replaced?

Total sadness.

> How is that handled? (I am in particular interested in the impact for updates)

Basically, we would generate a new key, and existing users would not be able to install the next update because the signing key would be different. As a result, we would have two options. 1) release a new version of the app signed with the new key, but first an existing user would need to uninstall the old version of the app before they can install the new version. 2) release a new version of the app using a different name (org.torproject.torbrowser2, or something like that). If we use a different name, then the user can have both versions installed at the same time and they can manually copy any bookmarks from one app to the other.

We might want to create a plan for how we inform users about this situation and what they should do.

> If you lose access to your app signing key or your key is compromised,
> Google cannot retrieve the app signing key for you, and you will not
> be able to release new versions of your app to users as updates to the
> original app.

https://developer.android.com/studio/publish/app-signing#self-manage

comment:4 Changed 3 months ago by sysrqb

Woah! "Android 9 supports APK key rotation, which gives apps the ability to change their signing key as part of an APK update."
https://source.android.com/security/apksigning/v3

This is only with the newest version of Android. It includes support for a new signature scheme.

comment:5 Changed 3 months ago by sysrqb

I created a short-term keypair for only the initial alpha releases. We will create a new, long-term key before the first stable release. I have this key offline.

$ keytool -genkey -v -keystore tba_alpha.p12 -storetype pkcs12 -keyalg RSA -keysize 3072 -validity 10000 -alias tba_alpha

Key information

$ keytool -list -v -keystore tba_alpha.p12 -alias tba_alpha -storetype pkcs12
Enter keystore password:  
Alias name: tba_alpha
Creation date: Aug 22, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Tor Browser, OU=Applications Team, O=The Tor Project, L=Seattle, ST=WA, C=US
Issuer: CN=Tor Browser, OU=Applications Team, O=The Tor Project, L=Seattle, ST=WA, C=US
Serial number: 5f29a0f3
Valid from: Wed Aug 22 17:17:47 UTC 2018 until: Sun Jan 07 17:17:47 UTC 2046
Certificate fingerprints:
	 MD5:  6B:27:D0:7B:3B:5C:FA:E9:60:45:15:24:08:A0:72:AE
	 SHA1: D8:D5:4C:45:85:F3:BB:2C:80:D3:6C:85:A0:D4:1B:6D:C9:6A:33:80
	 SHA256: 15:F7:60:B4:1A:CB:E4:78:3E:66:71:02:C9:F6:71:19:BE:2A:F6:2F:AB:07:76:3F:9D:57:F0:1E:5E:10:74:E1
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 3072-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: E6 1D 34 04 98 A0 7A 83   42 2C 11 2A 8C 9D D3 D6  ..4...z.B,.*....
0010: E7 9E 73 66                                        ..sf
]
]

Public Key Certificate:

$ keytool -exportcert -v -keystore tba_alpha.p12 -alias tba_alpha -storetype pkcs12 -rfc
Enter keystore password:  

I debated whether we should create the key using RSA or ECDSA. I decided on using RSA, but we can discuss this later, before creating the long-term key.
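
Added example (not part of the ticket, its comments, or Tor Project code): a minimal Python reader for the APK Signing Block that reproduces the comparison described in comment:1 (the signer's public key against the first certificate only, with no chain validation), checks that leaf against a pinned SHA-256 fingerprint in the form `keytool -list -v` prints in comment:5, and reports whether a v3 block (comment:4) is present. It does not verify the signature itself and tests the key with a byte-substring match instead of decoding the certificate; all function names are this example's own, and `constructed_apk` builds constructed sample bytes, not a real APK.

```python
import hashlib
import struct
MAGIC = b"APK Sig Block 42"
V2_ID, V3_ID = 0x7109871A, 0xF05368C0  # signature scheme v2 / v3 block IDs

def lp(buf, pos=0):
    """Read one uint32 length-prefixed field; return (value, next offset)."""
    (n,) = struct.unpack_from("<I", buf, pos)
    if pos + 4 + n > len(buf):
        raise ValueError("length prefix runs past end of buffer")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def signing_block_pairs(apk):
    """Map ID -> value for the APK Signing Block just before the ZIP central directory."""
    eocd = apk.rfind(b"PK\x05\x06")  # end-of-central-directory record
    cd = struct.unpack_from("<I", apk, eocd + 16)[0] if eocd >= 0 else 0
    if cd < 32 or apk[cd - 16:cd] != MAGIC:
        return {}  # not a ZIP, or no signing block (JAR/v1 signature only)
    size = struct.unpack_from("<Q", apk, cd - 24)[0]
    pos, end, pairs = cd - size, cd - 24, {}
    while 8 <= pos < end:  # a malformed size field yields no pairs
        n, pair_id = struct.unpack_from("<QI", apk, pos)
        pairs[pair_id] = apk[pos + 12:pos + 8 + n]
        pos += 8 + n
    return pairs

def check_apk(apk, pinned_sha256):
    """Per v2 signer: leaf fingerprint, pin match, and whether the signer key is in the leaf."""
    pairs = signing_block_pairs(apk)
    pinned = pinned_sha256.replace(":", "").lower()  # accepts keytool's AA:BB:... form
    signers, pos, report = lp(pairs.get(V2_ID, bytes(4)))[0], 0, []
    while pos < len(signers):
        signer, pos = lp(signers, pos)
        signed_data, p = lp(signer)
        pubkey = lp(signer, lp(signer, p)[1])[0]  # skip signatures; key ends the signer
        certs = lp(signed_data, lp(signed_data)[1])[0]  # skip digests
        leaf = lp(certs)[0]  # only the first certificate is compared
        fp = hashlib.sha256(leaf).hexdigest()
        in_leaf = bool(pubkey) and pubkey in leaf  # simplification: substring, no ASN.1 decode
        report.append({"sha256": fp, "pinned": fp == pinned, "key_in_leaf": in_leaf})
    return {"v3_block": V3_ID in pairs, "signers": report}

def constructed_apk(cert, key):  # constructed sample: empty ZIP, one v2 signer, no signature
    f = lambda b: struct.pack("<I", len(b)) + b  # length-prefix helper
    value = f(f(f(f(b"") + f(f(cert)) + f(b"")) + f(b"") + f(key)))
    pair = struct.pack("<QI", len(value) + 4, V2_ID) + value
    size = struct.pack("<Q", len(pair) + 24)
    block = size + pair + size + MAGIC
    return block + b"PK\x05\x06" + struct.pack("<4H2IH", 0, 0, 0, 0, 0, len(block), 0)
```

For release verification, `apksigner verify --print-certs` also checks the signatures; this reader only makes the block structure and the pin comparison visible.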

comment:6 Changed 2 months ago by sysrqb

Keywords: TBA-a2 added
Parent ID: #26531

Moving to second-alpha TBA keyword.

comment:7 Changed 6 weeks ago by gk

Keywords: TBA-a3 added; TBA-a2 removed

Moving this to TBA-a3