corona-warn-app / cwa-documentation

Project overview, general documentation, and white papers. The CWA development ends on May 31, 2023. You still can warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0

Document public key used to sign exposure file in production system #740

Closed Bubu closed 1 year ago

Bubu commented 2 years ago

It seems that currently the public key used to sign the exposure file/diagnosis keys that the CWA app receives from the backend server isn't documented anywhere.

Having this key publicly available would help enable the signature verification in the microG exposure notification framework, see https://github.com/microg/GmsCore/issues/1307 for background discussion.


Internal Tracking ID: EXPOSUREAPP-10469

dsarkar commented 2 years ago

@Bubu Thanks for your request. Internal Tracking ID: EXPOSUREAPP-10469

mlenkeit commented 2 years ago

@Bubu This is the public key:

MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEc7DEstcUIRcyk35OYDJ95/hTg3UVhsaDXKT0zK7NhHPXoyzipEnOp3GyNXDVpaPi3cAfQmxeuFMZAIX2+6A5Xg==

We'll need to check where we could put it in this repo.
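A key that is going to be hard-coded into a verifier can be sanity-checked before it is pinned. The following is an added example, not part of the comment above and not code from the CWA or microG projects: using only the Python standard library, it confirms that the posted value is a well-formed EC P-256 SubjectPublicKeyInfo with a point on the curve, and computes a SHA-256 fingerprint of the DER bytes. The names `inspect_p256_spki`, `read_tlv` and `CWA_KEY_B64` are hypothetical.

```python
import base64
import hashlib

# Key exactly as posted in this thread (base64 of a DER SubjectPublicKeyInfo).
CWA_KEY_B64 = (
    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEc7DEstcUIRcyk35OYDJ95/hTg3UV"
    "hsaDXKT0zK7NhHPXoyzipEnOp3GyNXDVpaPi3cAfQmxeuFMZAIX2+6A5Xg=="
)

# DER-encoded OIDs, tag and length included.
OID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")  # 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("06082a8648ce3d030107")   # 1.2.840.10045.3.1.7

# NIST P-256 parameters for y^2 = x^3 - 3x + b (mod p).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def read_tlv(buf, tag):
    """Return (value, rest) for one short-form DER element with this tag."""
    if len(buf) < 2 or buf[0] != tag or buf[1] >= 0x80 or len(buf) < 2 + buf[1]:
        raise ValueError("unexpected DER structure")
    return buf[2:2 + buf[1]], buf[2 + buf[1]:]


def inspect_p256_spki(b64_key):
    """Validate a P-256 SPKI; return its coordinates and a pinning fingerprint."""
    der = base64.b64decode(b64_key, validate=True)
    spki, rest = read_tlv(der, 0x30)
    if rest:
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    alg, after_alg = read_tlv(spki, 0x30)
    if alg != OID_EC_PUBLIC_KEY + OID_PRIME256V1:
        raise ValueError("not an EC key on prime256v1")
    bits, rest = read_tlv(after_alg, 0x03)
    # BIT STRING: 0 unused bits, then 0x04 || X || Y (uncompressed point).
    if rest or len(bits) != 66 or bits[:2] != b"\x00\x04":
        raise ValueError("expected an uncompressed 65-byte EC point")
    x = int.from_bytes(bits[2:34], "big")
    y = int.from_bytes(bits[34:], "big")
    if x >= P or y >= P or (y * y - (x**3 - 3 * x + B)) % P != 0:
        raise ValueError("point is not on the P-256 curve")
    return {"x": x, "y": y, "sha256": hashlib.sha256(der).hexdigest()}


if __name__ == "__main__":
    print(inspect_p256_spki(CWA_KEY_B64)["sha256"])
```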

vaubaehn commented 2 years ago

@Bubu In the past, signature verification by Google's ENS could take an incredibly high amount of time for unknown reasons on older/low-end phones. On my LG-G4 it took around 70s in one test (derived from syslog some months ago). I'd suggest doing some performance checks when you enable it for microG. If microG has no problems at all verifying signatures speedily, then I'd suggest having a look into Google's code (if possible) and filing a bug report with them. Unfortunately, since Google deactivated syslog for ENS in Europe due to data privacy reasons (elsewhere it's still active 😠), it's not possible to benchmark Google's signature verification currently.

Bubu commented 2 years ago

@vaubaehn I just did a very minimal test with the public key from above added to the microG lib and verification was still very fast. I'm not too concerned about debugging Google's implementation here though, I'll leave that to others :-).

@mlenkeit Thank you for the super quick reply to this issue! As noted above, I added the key and everything seems to be working 👍.

vaubaehn commented 2 years ago

@Bubu Thanks for the feedback. Happy to hear it's working well. So, if I got it right, ENS is actively downloading the public key every time for signature verification? Then here's probably the bottleneck that I experienced... Good you can hard code the keys into microG.

> I'm not too concerned about debugging Google's implementation here though, I'll leave that to others :-).

True 😋

awaigand commented 2 years ago

@vaubaehn

> If I got it right, ENS is actively downloading the public key every time for signature verification?

No, as far as I understand, apps have to provide their public key to Google/Apple when they request access to the ENF. At least that's what I gleaned from the respective documentation (Google), so I guess they keep an offline list of them somewhere in the ENF.

The comparing of the downloaded Diagnosis Keys (of people who are exposed) with the RPI collected by your phone gets more demanding as more people get sick, since your phone calculates all RPIs for all people who are sick (since it does not know anything about location, so if someone in Berlin gets sick and you live in Wuppertal you will still calculate his RPIs). I am guessing that's quite a lot to handle for older phones maybe? But I never actually benchmarked any of this.

Ein-Tim commented 2 years ago

@mlenkeit Did you meanwhile find a place where the key could be added?