search

omnt / OpenMobileNetworkToolkit

OpenMobileNetworkToolkit
BSD 3-Clause Clear License
22 stars 4 forks source link

Feature: Provide signed releases of OMNT #9

Open laf0rge opened 3 months ago

laf0rge commented 3 months ago

IMHO, it would be useful if you'd be releasing official builds with a known/documented signer key.

This way, for example, sysmocom could pre-install a related ARA rule to the ARA-M applet on future manufacturing batches of sysmoEUICC1 or sysmoISIM products.

Even without such "factory pre installation of an access rule", for most users it would be easier to just add the access rule (copy+pasted from the documentation here) rather than for everyone to self-sign their apks.

Yes, I understand, actual developers who do [want to] modify OMNT will of course need to sign their custom builds. But I would exepct a large number of poeple just want to use it.

derpeter commented 3 months ago

Thanks for your feedback.

The release apks are (or at leas should be, i will check that again) signed with the key used in the example in the documentation. I will update the documentation to make this more clear.

regarding adding the fingerprint per default to sysmosims we might want to establish a process where the key material for signing is also in the hands of sysmocom. On the one hand this way you can sign also other apps and make sure the key is not missused.

We could than either only release those or have an additional "-sysmocom-signed" apk.

laf0rge commented 3 months ago

The release apks are (or at leas should be, i will check that again) signed with the key used in the example in the documentation. I will update the documentation to make this more clear.

Ah, thanks for the explanation. It wasn't immediately obvious at least to me.

regarding adding the fingerprint per default to sysmosims we might want to establish a process where the key material for signing is also in the hands of sysmocom.

That's a nice idea; in fact for the sysmoEUICC1 we already put a sysmocom specific signer key on the ARA-M in the ISD-R. However, we currently also include the digest of the keys used to sign CoIMS, which is not even FOSS.

On the one hand this way you can sign also other apps and make sure the key is not missused.

Well, yes and no. For an APK distributed outside of the play store, yes. For the play store, as you certainly know, you actually upload the private key to google and they sign it "on your behalf" so it's completely backdoored and open to any kind of misuse.

We could than either only release those or have an additional "-sysmocom-signed" apk.

If the goal is really to have sysmocom as gatekeeper/trust anchor, then sysmocom would have to do the signing in some sysmocom CI. But given that we currently don't have any CI builder for android packages (we don't do android development), I'm not sure what a time sink it is setting all this up.

PeterHasse commented 2 months ago

#

The release apks are (or at leas should be, i will check that again) signed with the key used in the example in the documentation. I will update the documentation to make this more clear.

Ah, thanks for the explanation. It wasn't immediately obvious at least to me.

regarding adding the fingerprint per default to sysmosims we might want to establish a process where the key material for signing is also in the hands of sysmocom.

That's a nice idea; in fact for the sysmoEUICC1 we already put a sysmocom specific signer key on the ARA-M in the ISD-R. However, we currently also include the digest of the keys used to sign CoIMS, which is not even FOSS.

we have now finished porting our CI pipline from gitlab to github actions. There fore the the key we use is now in the github storage aka Microsofts Hands. We could add a second key which we then share with sysmocom or we could give you access / import your key. It seems we have no way to keep the keys private (as in not accessible to github staff) without breaking the CI. On the other hand users concert by this can always build and sign them self.

On the one hand this way you can sign also other apps and make sure the key is not missused.

Well, yes and no. For an APK distributed outside of the play store, yes. For the play store, as you certainly know, you actually upload the private key to google and they sign it "on your behalf" so it's completely backdoored and open to any kind of misuse.

Thats sadly true. On the other hand if the play store is installed google does not relay need to backdoor apps ... the backdoor is build in already.

We could than either only release those or have an additional "-sysmocom-signed" apk.

If the goal is really to have sysmocom as gatekeeper/trust anchor, then sysmocom would have to do the signing in some sysmocom CI. But given that we currently don't have any CI builder for android packages (we don't do android development), I'm not sure what a time sink it is setting all this up.

My main goal would be to make it as easy as possible for users to get their setup working. So having a key preinstalled in sysmocom UICCs and eUICCS would be cool. Its your / sysmocoms decision how we proceed (or if). I would love to have a "get your eUICC with preinstalled key" here button at some point :-)