How to sign an application package (APK) using OpenPGP (Yubikey)?

I want to sign APK files with an OpenPGP key stored within the OpenPGP applet of my Yubikey.

I am aware that there is a solution for APK signing using Yubikey's PIV applet. The PIV applet, however, can only handle RSA keys up to 2048 bits in key length.

The BSI TR-02102-1 Cryptographic Mechanisms Technical Guidelines (translated English version) state that from the year 2023 on (or for usage in 2023 and later), only RSA keys with a key length greater than or equal to 3000 bits are allowed. The first available standard key length would be 3072 bits. I have to be compliant with the BSI TR-02102.

This sums up to the requirement that I have to use 3072 bits for the key length and RSA as the algorithm, and I cannot use the PIV APK signing approach.

Is there a way to use the OpenPGP applet of Yubikey 4 to sign APK files using the standard procedure, or using a custom procedure?

Note: The private key is generated on the Yubikey and is not exportable. This is due to the design of the Yubikey and to my minimum security requirements. So exporting and converting the key is not a possible solution.

burnersk asked Jun 15 '18 11:06


1 Answer

Use a USB token or a SmartCard which supports RSA 3072/4096 for personal identity verification? Not even the Yubikey 5 supports that for PIV / FIPS 201-2 (which is a SmartCard emulation). I've searched for a while, but it seems there is barely any hardware which supports it yet (in case it's even applicable); alternatives I could find were RSA SecurID, Nitrokey Pro 2 and Gemalto IDBridge K50.

With APK signing v2 or v3, the strength of the upload key might not even matter that much ... it says RSA 1024, RSA 2048, RSA 4096, RSA 8192, RSA 16384 are being supported, but it says nowhere which strength the actual release key would have, which would be the rather interesting part of it. The V3SchemeSigner hints at the PKCS1 v1.5 encoding format; but the only way to find out would be to check the public key of a package from the Play Store by running ssh-keygen -lf ./rsa_key.pub (which shows the fingerprint of the public key file, which also displays the strength of the key).

security.stackexchange.com might provide further clues.

Martin Zeitler answered Nov 19 '22 04:11
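As an added example (not part of the question or the answer above), the check the answer describes with ssh-keygen -lf can also be done programmatically: read the RSA modulus out of a DER SubjectPublicKeyInfo and compare its bit length against the 3000-bit threshold the question cites from BSI TR-02102-1. The DER encoder, the minimal DER walker, the function names and the sample keys are all mine; the sample moduli are constructed numbers of the right size, not real keys. Where the SubjectPublicKeyInfo of a real signing certificate comes from (for example, the certificate carried in an APK's signature block) is outside this snippet.

```python
"""Minimal RSA key-length compliance check for signing keys.

Added example, not from the original question or answer. It walks a DER
SubjectPublicKeyInfo, extracts the RSA modulus and reports whether the
modulus length meets the >= 3000-bit threshold the question cites from
BSI TR-02102-1 for use in 2023 and later. Sample keys are constructed.
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
BSI_MIN_RSA_BITS = 3000  # threshold quoted in the question


def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value: int) -> bytes:
    # (bits + 8) // 8 adds one 0x00 byte exactly when the high bit is set,
    # which DER requires to keep the INTEGER positive.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _der(0x02, body)


def rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """Build a SubjectPublicKeyInfo for an RSA key (used here to construct test input)."""
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(exponent))        # RSAPublicKey
    alg_id = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")   # OID + NULL params
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))           # BIT STRING, 0 unused bits


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the DER TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Return the modulus bit length of an rsaEncryption SubjectPublicKeyInfo.

    Raises ValueError for non-RSA keys or a structure that does not parse.
    """
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = _read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(body, pos)
    if tag != 0x03 or not bitstr or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_pub, _ = _read_tlv(bitstr, 1)       # skip the unused-bits byte
    _, n_bytes, _ = _read_tlv(rsa_pub, 0)      # first INTEGER is the modulus n
    return int.from_bytes(n_bytes, "big").bit_length()


def meets_bsi_2023(spki: bytes) -> bool:
    """True if the RSA modulus is at least BSI_MIN_RSA_BITS long."""
    return rsa_modulus_bits(spki) >= BSI_MIN_RSA_BITS


# Constructed sample keys: arbitrary odd moduli of the stated size, not real keys.
SAMPLE_KEYS = {
    "yubikey-piv-max": rsa_spki((1 << 2047) | 1),  # 2048-bit, the PIV applet ceiling
    "bsi-compliant": rsa_spki((1 << 3071) | 1),    # 3072-bit, first standard size >= 3000
}

if __name__ == "__main__":
    for name, key in SAMPLE_KEYS.items():
        bits = rsa_modulus_bits(key)
        verdict = "OK" if meets_bsi_2023(key) else "below BSI 2023 threshold"
        print(f"{name}: RSA-{bits} -> {verdict}")
```

The parser deliberately checks the algorithm OID before touching the key material, so an EC or non-RSA certificate is reported as such rather than yielding a meaningless "bit length" from the wrong structure; that is the same failure mode the answer's ssh-keygen approach avoids by refusing keys it cannot read.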