#28144: Update projects/tor-browser for Android -------------------------------------------------+------------------------- Reporter: gk | Owner: tbb- | team Type: defect | Status: | needs_revision Priority: Very High | Milestone: Component: Applications/Tor Browser | Version: Severity: Normal | Resolution: Keywords: tbb-rbm, tbb-mobile, | Actual Points: TorBrowserTeam201811, TBA-a2 | Parent ID: #26693 | Points: Reviewer: | Sponsor: -------------------------------------------------+-------------------------
Comment (by sisbell): Replying to [comment:16 sysrqb]: > Replying to [comment:15 gk]: > > > > I am not so sure, though, that not signing it is not a problem. How are we testing our final result on Android devices without *any* signing? (We don't have that problem on desktop platforms as signing requirements can get disabled if they are existing at all) > > > > > > Ah. Good point. The unsigned-unaligned apk should be (as the name implies) not signed. But when building Fennec with Mozilla's build system, they produce an additional apk that is signed with a [https://developer.android.com/studio/publish/app-signing#debug-mode debug signing key]. It looks like that happens in [https://gitweb.torproject.org /tor-browser.git/tree/config/android-common.mk?h=tor- browser-60.3.0esr-8.5-1#n11 config/android-common.mk], calling [https://gitweb.torproject.org/tor- browser.git/tree/mobile/android/debug_sign_tool.py?h=tor- browser-60.3.0esr-8.5-1#n11 mobile/android/debug_sign_tool.py]. I think we can use this, too. We have different types of signing under consideration: * v1: Android 6 and earlier jarsigning * v2: with signing block (Android 7) : https://source.android.com/security/apksigning/v2 * v3: with key rotation (Android 9): https://source.android.com/security/apksigning/v3 It looks like mozilla is using v1 for debug, this is the only case we need to consider for the debug build. For production level signing, we should consider looking into v3 (perhaps mozilla is already using v3 signing?) -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28144#comment:17> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
_______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs