Task #1981

investigate self-signed HTTPS key as signing key for jars

Added by hans over 4 years ago. Updated about 4 years ago.

Status: Closed
Start date: 10/02/2013
Priority: Normal
Due date:
Assignee: pd0x
% Done: 0%
Category: -
Target version: 0.1 - "Kerplapp"
Component:

Description

Bazaar will need to sign the index of the list of APKs. When HTTPS connections are already being used, might as well re-use the key to sign the APK.


Related issues

Related to Bazaar - Task #1982: investigate OTR key as signing key for jars Closed 10/02/2013
Related to Bazaar - Bug #2542: Support self signed SSL w/ F-Droid Client Closed 11/19/2013

Associated revisions

Revision b4ad77f3
Added by pd0x about 4 years ago

Use one keypair for all certificates.

Previously a new random public/private keypair was used for every self-signed
certificate in the Kerplapp Keystore. Now one random keypair is generated and
used for all certificates.

refs #1981, #2542

History

#1 Updated by hans over 4 years ago

We can make the internal HTTPS/zipsigner key always be the canonical signature, then make some way to publish its public key via OTR as the first step of syncing over OTR. Then it would be TOFU/POPed.

#2 Updated by n8fr8 over 4 years ago

  • Target version set to 0.1 - "Kerplapp"

#3 Updated by hans about 4 years ago

  • Status changed from New to Resolved
  • Assignee changed from hans to pd0x

I believe this is completed. pd0x, can you close this issue if it's done, or otherwise, add a comment?

#4 Updated by pd0x about 4 years ago

  • Status changed from Resolved to Closed

Added in commit 6db88538a6b7411883186151170c6da54e6c9ae6

Presently there are two certs in the keystore, one for HTTPS and one for signing the index.jar
