Core Apps » Bazaar

Should ChatSecure have an Intent for verifying data signed by OTR private keys? Or should F-Droid be able to read ChatSecure's secret key material in order to use it for its own signing? Most likely, F-Droid will need to use the raw key material itself since ChatSecure won't be able to support every kind of signing possibility under the sun.

Another option would be to have FDroid always generate its own internal key for use with zipsigner and the HTTPS web server. Then once it signs the index.jar, it would send it to ChatSecure or GPG to be signed with a gpg-style --detach-sign signature file. This would make the validation more complex, since there would be two types of signatures to validate (zipsigner and gpg-style).

Thinking about this a bit more, it seems that there are other uses for a secret key sharing Intent or permission. For example, since GPG has a good track record for not having random-related exploits in its key generation code (I believe it only uses random data, not a PRNG like Android/Java), ChatSecure could call on GPG to generate the DSA key for OTR. So F-Droid could request the key data from GPG as well. The question is whether ChatSecure should also be able to share its secret key material.

As for making this secure, there are a number of things we can do:

• APK-pinning based on shared signing key
• APK-pinning based on package name
• checksum TOFU on first request for key material
• all of the above

devrandom is sketching out his ideas for a generic OTR Data API here:
https://github.com/devrandom/Gibberbot/tree/dataplug/samples/dataplug/src/info/guardianproject/otr/sample/securegallery

and docs:
https://dev.guardianproject.info/projects/gibberbot/wiki/OTRDATA_Specifications