Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
203 views
in Technique[技术] by (71.8m points)

java - How to sign an application package (APK) using OpenPGP (Yubikey)?

I want to sign APK files with a OpenPGP key stored within the OpenPGP applet of my Yubikey.

I am aware, that there is a solution for APK signing using Yubikey's PIV applet. The PIV applet, however, can only handle RSA keys up to 2048 bits in key length.

The BSI TR-02102-1 Cryptographic Mechanisms Technical Guidelines (translated english version) states that from the year 2023 on (or for the usage in 2023 and later), only RSA keys with a key length greater or equal to 3000 bits are allowed. The first available standard key length would be 3072 bits. I have to be compliant to the BSI TR-02102.

This sums up into the requirement, that I have to use 3072 bits for the key length and RSA as the algorithm, and I cannot use the PIV APK singing approach.

Is there a way to use the OpenPGP applet of Yubikey 4 to sign APK files using the standard procedure, or using a custom procedure?

Note: The private key is generated on the Yubikey and is not exportable. This is due to the design of the Yubikey and by my minimum security requirements. So exportation and conversation is not a possible solution.

question from:https://stackoverflow.com/questions/50874282/how-to-sign-an-application-package-apk-using-openpgp-yubikey

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Use an USB token or a SmartCard which supports RSA 3072 4096 for personal identity verification? Not even the Yubikey 5 does support that for PIV / FIPS 201-2 (which is a SmartCard emulation). I've searched for a while, but it seems there barely is any hardware which supports it yet (in case it's even applicable); alternatives I could find were RSA SecurID, Nitrokey Pro 2 and Gemalto IDBridge K50.

With APK signing v2 or v3, the strength of the upload key might not even matter that much ... it says RSA 1024, RSA 2048, RSA 4096, RSA 8192, RSA 16384 are being supported, but it says nowhere which strength the actual release key would have, which would be the rather interesting part of it. The V3SchemeSigner hints for PKCS1 V1.5 encoding format; but the only way to find out would be to check the public key of a package from the Play Store by running ssh-keygen -lf ./rsa_key.pub (which shows the fingerprint of the public key file, which also displays the strength of the key).

security.stackexchange.com might provide further clues.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...