Re: [android-developers] A Cautionary Tale: Backup your Keystore
On Tue, Mar 8, 2011 at 9:45 AM, hoyski hoy...@gmail.com wrote:

> I may even print out a copy of a hexdump as the ultimate hardcopy backup.

Um... there's a fairly recent invention called fire that might not make a paper backup so ultimate. :-)

More seriously, you definitely want to back up your production keystore. However, be sure not to back it up in a way that it becomes public, as that would mean anyone else could sign apps with that key. If they can hack your Google account, they can then turn around and distribute updates to your apps, perhaps with embedded malware.

A copy on a thumb drive in a safe deposit box at a nearby bank is one fairly secure off-site solution, one that will cover you for a reasonable range of disasters for not all that much money (particularly if you use the safe-deposit box for other purposes).

-- 
Mark Murphy (a Commons Guy)
http://commonsware.com | http://github.com/commonsguy
http://commonsware.com/blog | http://twitter.com/commonsguy
Android Training Worldwide: http://commonsware.com/training

-- 
You received this message because you are subscribed to the Google Groups Android Developers group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] A Cautionary Tale: Backup your Keystore
On Tue, Mar 8, 2011 at 11:45 PM, hoyski hoy...@gmail.com wrote:

> I knew all of the inputs I'd used to create the keystore so I thought there may be some way to recreate it. Searching Google I found that the answers fell into two categories: "Dude, you're screwed" and "Dude, you're [expletive deleted]."

Technically, you only need your private key. But since there is no easy way to extract it from the JKS keystore (you *could* convert it to PKCS#12 and then use OpenSSL to extract it), you'd better back up the whole keystore.

That said, it would be nice if there were some way to recover from losing your key. If you can prove you are you to the Android Market (Google account authentication, phone call verification, show up in person, etc.) you should be able to replace the key/certificate tied to your account. I don't think it's possible with the current security model though.
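The conversion Nikolay mentions (JKS to PKCS#12, then OpenSSL to pull out the private key), plus the checks a practitioner would want before trusting a backup copy, as an added example that is not from the thread or from any of the posters. It assumes hypothetical names: a keystore `release.jks` with key alias `release`, the store/key password in `$STOREPASS`, a published `app-release.apk` to compare against, and `keytool` (JDK) and `openssl` on the PATH. The checksum manifest lets a thumb-drive or repository copy be verified for corruption without the password; the fingerprint comparison confirms the backed-up certificate is the one the Market already has for the app.

```shell
#!/bin/sh
# Added example: make an offline, verifiable backup of an Android signing keystore.
# 1. copy the JKS as-is (the recommended backup),
# 2. convert it to PKCS#12 and extract the bare private key with OpenSSL,
# 3. check the backed-up certificate against the certificate in the published APK,
# 4. write a SHA-256 manifest so any copy can be checked later.
# Hypothetical names: release.jks / alias "release" / $STOREPASS / app-release.apk.
set -u

sha256_of() {
    # Portable SHA-256 of one file (GNU coreutils sha256sum or BSD shasum).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

write_manifest() {
    # Record the SHA-256 of every regular file in backup directory $1 in $1/MANIFEST.
    dir=$1
    : > "$dir/MANIFEST"
    for f in "$dir"/*; do
        if [ ! -f "$f" ]; then continue; fi
        name=$(basename "$f")
        if [ "$name" = MANIFEST ]; then continue; fi
        printf '%s  %s\n' "$(sha256_of "$f")" "$name" >> "$dir/MANIFEST"
    done
}

verify_manifest() {
    # Return 0 only if every file listed in $1/MANIFEST is present and hashes to the recorded value.
    dir=$1
    status=0
    while read -r want name; do
        if [ -z "$name" ]; then continue; fi
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2
            status=1
            continue
        fi
        got=$(sha256_of "$dir/$name")
        if [ "$got" != "$want" ]; then
            echo "CORRUPT  $name" >&2
            status=1
        fi
    done < "$dir/MANIFEST"
    return $status
}

jks_to_p12() {
    # Convert key+cert "$2" from JKS keystore $1 into PKCS#12 file $3 (the format OpenSSL reads).
    keytool -importkeystore -srckeystore "$1" -srcalias "$2" \
        -destkeystore "$3" -deststoretype PKCS12 \
        -srcstorepass "$STOREPASS" -deststorepass "$STOREPASS"
}

p12_extract_key() {
    # Pull the private key out of PKCS#12 $1 into PEM file $2 (unencrypted: store it offline).
    openssl pkcs12 -in "$1" -nocerts -nodes -passin env:STOREPASS | openssl pkey -out "$2"
}

p12_cert_fingerprint() {
    # SHA-256 fingerprint (colon-separated hex) of the signing certificate inside PKCS#12 $1.
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:STOREPASS \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

apk_cert_fingerprint() {
    # SHA-256 fingerprint of the certificate that signed APK $1 (keytool -printcert -jarfile).
    keytool -printcert -jarfile "$1" | awk '/SHA256:/ {print $2; exit}'
}

backup_keystore() {
    # Whole procedure: keystore $1, alias $2, output dir $3, optional published APK $4.
    mkdir -p "$3"
    cp "$1" "$3/"
    jks_to_p12 "$1" "$2" "$3/$2.p12"
    p12_extract_key "$3/$2.p12" "$3/$2.key"
    chmod 600 "$3"/*
    if [ -n "${4:-}" ]; then
        a=$(p12_cert_fingerprint "$3/$2.p12")
        b=$(apk_cert_fingerprint "$4")
        if [ "$a" != "$b" ]; then
            echo "backup certificate $a does not match APK certificate $b" >&2
            return 1
        fi
    fi
    write_manifest "$3"
    verify_manifest "$3"
}

# The full procedure runs only when KEYSTORE is set, e.g.
#   STOREPASS=... KEYSTORE=release.jks ALIAS=release APK=app-release.apk sh backup_keystore.sh
if [ -n "${KEYSTORE:-}" ]; then
    backup_keystore "$KEYSTORE" "${ALIAS:-release}" "${OUTDIR:-keystore-backup}" "${APK:-}"
fi
```

Re-run `verify_manifest` against each copy (the thumb drive, the repository checkout) periodically; a backup that has silently rotted is the same as no backup, and the manifest check needs neither the password nor the JDK.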
Re: [android-developers] A Cautionary Tale: Backup your Keystore
> If you can prove you are you to the Android market (Google account authentication, phone call verification, show up in person, etc) you should be able to replace the key/certificate tied to your account. I don't think it's possible with the current security model though.

The only problem here though is that there is no key tied to your account... This is on a per-app basis. I'm not saying this is a good idea, but technically you could use a different key for every single one of your apps.

On Tue, Mar 8, 2011 at 8:41 AM, Nikolay Elenkov nikolay.elen...@gmail.com wrote:

> Technically, you only need your private key. But since there is no easy way to extract it from the JKS keystore (you *could* convert it to PKCS#12 and then use OpenSSL to extract it), you'd better back up the whole keystore.
Re: [android-developers] A Cautionary Tale: Backup your Keystore
Checking the key into a separately hosted, distributed source control system works for me. It's less likely to be hacked into (IMO) because the name of the repository is not public knowledge, unlike email.

This also prevents emails to this list like "I've lost my source code and have no backup, can I generate it again from the same set of input data: one brain, two arms and two legs." :)

On 08.03.2011 19:22, Justin Anderson magouyaw...@gmail.com wrote:

> The only problem here though is that there is no key tied to your account... This is on a per-app basis. I'm not saying this is a good idea but technically you could use a different key for every single one of your apps.
Re: [android-developers] A Cautionary Tale: Backup your Keystore
> That said, it would be nice if there were some way to recover from losing your key.

Recover it from *your* backup. The name "private key" is not coincidental. What you dream of is just a plain hole, so if you do not back up your vital stuff like sources and pkey then you are not just brave. You are simply begging for trouble.

> you should be able to replace the key/certificate tied to your account.

There's no reason for this, because you are never going to lose your pkey in the first place.

-- 
Regards,
Marcin Orlowski
Re: [android-developers] A Cautionary Tale: Backup your Keystore
On Wed, Mar 9, 2011 at 1:21 AM, Justin Anderson magouyaw...@gmail.com wrote:

> The only problem here though is that there is no key tied to your account... This is on a per-app basis. I'm not saying this is a good idea but technically you could use a different key for every single one of your apps.

Interesting, I didn't know that. Might not be such a bad idea though: if you lose one key, you only lose one app, not all of them.
Re: [android-developers] A Cautionary Tale: Backup your Keystore
On Wed, Mar 9, 2011 at 5:08 AM, Marcin Orlowski webnet.andr...@gmail.com wrote:

> > That said, it would be nice if there were some way to recover from losing your key.
>
> Recover it from *your* backup. The name "private key" is not coincidental. What you dream of is just a plain hole, so if you do not back up your vital stuff like sources and pkey then you are not just brave. You are simply begging for trouble.

'Private' means it is not disclosed. It doesn't mean it is forever. In all public key systems (GPG, X.509), there is an option to revoke your key if it is compromised, and issue a new one to update it. The current model is far from perfect -- everyone is issuing those self-signed certificates valid for 30 years or more. So am I supposed to use that key for 30 years without updating? A determined attacker (with a lot of resources) could crack the private key of, say, Rovio, and push their own 'Angry Birds' clone, for example.

The right way is to tie this to an *identity* (X.509 DN, email address, whatever), as opposed to a key. That way you can check that all those apps are issued from this person/company, regardless of what key they are signed with.

> > you should be able to replace the key/certificate tied to your account.
>
> There's no reason for this, because you are never going to lose your pkey in the first place.

Right. Even if you have multiple distributed backups, there is still a (albeit remote) possibility that all of them can be lost/destroyed. You are being overly optimistic. And yes, I do have distributed backups of my keystore.
Re: [android-developers] A Cautionary Tale: Backup your Keystore
On Wed, Mar 9, 2011 at 10:17 AM, Nikolay Elenkov nikolay.elen...@gmail.com wrote:

> So am I supposed to use that key for 30 years without updating? A determined attacker (with a lot of resources) could crack the private key of, say, Rovio, and push their own 'Angry Birds' clone, for example.

It might take 5 or 10 years, but it's (theoretically) possible.