
java - How to sign an application package (APK) using OpenPGP (Yubikey)?

I want to sign APK files with an OpenPGP key stored within the OpenPGP applet of my Yubikey.

I am aware that there is a solution for APK signing using the Yubikey's PIV applet. The PIV applet, however, can only handle RSA keys up to 2048 bits in key length.

The BSI TR-02102-1 Cryptographic Mechanisms Technical Guidelines (translated English version) state that from the year 2023 on (or for usage in 2023 and later), only RSA keys with a key length greater than or equal to 3000 bits are allowed. The first available standard key length would be 3072 bits. I have to be compliant with BSI TR-02102.

This sums up to the requirement that I have to use 3072 bits for the key length and RSA as the algorithm, and I cannot use the PIV APK signing approach.

Is there a way to use the OpenPGP applet of Yubikey 4 to sign APK files using the standard procedure, or using a custom procedure?

Note: The private key is generated on the Yubikey and is not exportable. This is due to the design of the Yubikey and to my minimum security requirements. So exporting and converting the key is not a possible solution.

question from:https://stackoverflow.com/questions/50874282/how-to-sign-an-application-package-apk-using-openpgp-yubikey


1 Reply


Use a USB token or a SmartCard which supports RSA 3072/4096 for personal identity verification? Not even the Yubikey 5 supports that for PIV / FIPS 201-2 (which is a SmartCard emulation). I've searched for a while, but it seems there is barely any hardware which supports it yet (in case it's even applicable); the alternatives I could find were RSA SecurID, Nitrokey Pro 2 and Gemalto IDBridge K50.

With APK signing v2 or v3, the strength of the upload key might not even matter that much ... it says RSA 1024, RSA 2048, RSA 4096, RSA 8192 and RSA 16384 are supported, but it says nowhere which strength the actual release key would have, which would be the rather interesting part of it. The V3SchemeSigner hints at the PKCS1 v1.5 encoding format; but the only way to find out would be to check the public key of a package from the Play Store by running ssh-keygen -lf ./rsa_key.pub (which shows the fingerprint of the public key file and also displays the strength of the key).

security.stackexchange.com might provide further clues.
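The answer's point is that the interesting number is the modulus size of the key that actually signed the package, checked against the 3000-bit minimum from TR-02102-1 that the question quotes. The script below is an added example (not code from the question, the answer, Yubico or the Android tooling) that does that check without depending on ssh-keygen: it parses an RSA public key given either as a PEM/DER SubjectPublicKeyInfo or as a raw PKCS#1 RSAPublicKey, reads the modulus bit length, and compares it with the threshold. The keys it runs on are constructed inline with a fake modulus of the wanted length, so it runs offline; they are not real keys, and only the length matters for this check.

```python
"""Check whether an RSA public key meets the BSI TR-02102-1 minimum of
3000 bits (the threshold quoted in the question for use from 2023 on).

Added example, not code from the page or from Yubico/Android tooling.
Accepts PEM or DER SubjectPublicKeyInfo and raw PKCS#1 RSAPublicKey.
"""
import base64
import re

BSI_MIN_RSA_BITS = 3000                      # TR-02102-1 threshold from the question
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1


def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:          # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der_tlv(0x02, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:            # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der: bytes) -> int:
    """Modulus bit length of an RSA key in SPKI or raw RSAPublicKey form."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, first, nxt = _read_tlv(seq, 0)
    if tag == 0x30:             # SPKI: AlgorithmIdentifier, then BIT STRING
        oid_tag, oid, _ = _read_tlv(first, 0)
        if oid_tag != 0x06 or oid != RSA_OID:
            raise ValueError("not an rsaEncryption key")
        bs_tag, bitstr, _ = _read_tlv(seq, nxt)
        if bs_tag != 0x03 or bitstr[0] != 0:
            raise ValueError("malformed BIT STRING")
        return rsa_modulus_bits(bitstr[1:])   # inner PKCS#1 RSAPublicKey
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(first, "big").bit_length()


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and whitespace, decode base64."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))


def meets_bsi_minimum(der: bytes) -> bool:
    return rsa_modulus_bits(der) >= BSI_MIN_RSA_BITS


def make_test_spki(bits: int) -> bytes:
    """Constructed SPKI with a fake modulus whose top bit sits at `bits`
    (NOT a real key; only its length matters here)."""
    n = (1 << (bits - 1)) | 1
    rsa_pub = _der_tlv(0x30, _der_int(n) + _der_int(65537))
    alg = _der_tlv(0x30, _der_tlv(0x06, RSA_OID) + b"\x05\x00")   # NULL params
    return _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + rsa_pub))


if __name__ == "__main__":
    for bits in (2048, 3072, 4096):
        der = make_test_spki(bits)
        verdict = "OK" if meets_bsi_minimum(der) else "below BSI minimum"
        print(f"{bits}-bit test key: modulus {rsa_modulus_bits(der)} bits, {verdict}")
```

To run it on a real package, pass the signer's public key to `meets_bsi_minimum(pem_to_der(...))`; with a v1-signed APK the certificate can be pulled from the PKCS#7 blob in META-INF (`openssl pkcs7 -inform DER -in CERT.RSA -print_certs`, then `openssl x509 -pubkey -noout`). Note that the check is deliberately strict about the OID, so an ECDSA-signed package is reported as "not an rsaEncryption key" rather than silently passing.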

