Feature: Provide signed releases of OMNT #9
Comments
|
Thanks for your feedback. The release apks are (or at leas should be, i will check that again) signed with the key used in the example in the documentation. regarding adding the fingerprint per default to sysmosims we might want to establish a process where the key material for signing is also in the hands of sysmocom. On the one hand this way you can sign also other apps and make sure the key is not missused. We could than either only release those or have an additional "-sysmocom-signed" apk. |
Ah, thanks for the explanation. It wasn't immediately obvious at least to me.
That's a nice idea; in fact for the sysmoEUICC1 we already put a sysmocom specific signer key on the ARA-M in the ISD-R. However, we currently also include the digest of the keys used to sign CoIMS, which is not even FOSS.
Well, yes and no. For an APK distributed outside of the play store, yes. For the play store, as you certainly know, you actually upload the private key to google and they sign it "on your behalf" so it's completely backdoored and open to any kind of misuse.
If the goal is really to have sysmocom as gatekeeper/trust anchor, then sysmocom would have to do the signing in some sysmocom CI. But given that we currently don't have any CI builder for android packages (we don't do android development), I'm not sure what a time sink it is setting all this up. |
we have now finished porting our CI pipline from gitlab to github actions. There fore the the key we use is now in the github storage aka Microsofts Hands. We could add a second key which we then share with sysmocom or we could give you access / import your key. It seems we have no way to keep the keys private (as in not accessible to github staff) without breaking the CI. On the other hand users concert by this can always build and sign them self.
Thats sadly true. On the other hand if the play store is installed google does not relay need to backdoor apps ... the backdoor is build in already.
My main goal would be to make it as easy as possible for users to get their setup working. So having a key preinstalled in sysmocom UICCs and eUICCS would be cool. Its your / sysmocoms decision how we proceed (or if). I would love to have a "get your eUICC with preinstalled key" here button at some point :-) |
|
Moving closer to 38c3 i was wondering if want to do some decisions here. Currently we still sign the apk with our own key which is on all the simcards made for the last camp. Did you @laf0rge have come to a conclusion if we should add a second release apk signed with an osmocom key / or a key we share with osomocom? |
We (@sysmocom) are currently setting up CI for building android projects (such as the new Android remote APDU proxy that @pmaier-sysmo has developed), and as part of that will also be publishing signed releases using a sysmocom release key; the one whose certificate is already on the sysmoISIM + sysmoEUICC card products. The signing of those APKs will intentionally not be done automatically as that would require having the singer key 24/7 available somewhere on an automated system. Instead our CI will build unsigned APKs, and we can then manually sign + publish such builds. @osmith42 is working on the above. Once the above is done, we are also exploring the idea of publishing our own repository for F-Droid, containing [at leat initially]
|
IMHO, it would be useful if you'd be releasing official builds with a known/documented signer key.
This way, for example, sysmocom could pre-install a related ARA rule to the ARA-M applet on future manufacturing batches of sysmoEUICC1 or sysmoISIM products.
Even without such "factory pre installation of an access rule", for most users it would be easier to just add the access rule (copy+pasted from the documentation here) rather than for everyone to self-sign their apks.
Yes, I understand, actual developers who do [want to] modify OMNT will of course need to sign their custom builds. But I would exepct a large number of poeple just want to use it.
The text was updated successfully, but these errors were encountered: