Security Council - Signing procedure

Requirements

Make sure you download the following tools and use the terminal app to interact with them.

JDK 11

proofcastlabs/tee-wrapper-android

proofcastlabs/event-attestator

apksigner & keytool included into the Android Build Tools (Revision 34.0.0)

Build

Go into the tee-wrapper-android folder and run


./gradlew clean assembleUnsigned

This creates a tee-wrapper-android-unsigned.apk file at the root of the project.

Troubleshooting

If the above command doesn’t work, you may need to install additional components: check the Event Attestator and Tee Wrapper Android repositories READMEs for further information.

Key generation

Run the following command


keytool -genkey -v -keystore security-council.jks -alias pnetwork-security-council -keyalg RSA -keysize 2048 -validity 10000

This creates a security-council.ks which will contain the encrypted private key that will be used to sign the APK.

Troubleshooting

bash: keytool: command not found: this error means you need to add to your PATH environment variable the path to the keytool binary which is usually found at your JAVA installation path

Example output:


Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:
What is the name of your organizational unit?
  [Unknown]:  Security Council
What is the name of your organization?
  [Unknown]:  pNetwork
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=Unknown, OU=Security Council, O=pNetwork, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes

Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 10,000 days
	for: CN=Unknown, OU=Security Council, O=pNetwork, L=Unknown, ST=Unknown, C=Unknown
[Storing pnetwork-security-council.jks]

Signing

In order to sign the APK execute the following command:


apksigner sign --ks security-council.ks --in tee-wrapper-android-unsigned.apk --out tee-wrapper-android.apk

Troubleshooting

bash: apksigner: command not found: this error means you need to add to your PATH environment variable the path to the apksigner binary which is usually found at your Android installation path.

Release

Verify the apk legitimacy:


apksigner verify --print-certs tee-wrapper-android.apk

Example output:


Signer #1 certificate DN: CN=Unknown, OU=Security Council, O=pNetwork, L=Unknown, ST=Unknown, C=Unknown
Signer #1 certificate SHA-256 digest: d02c234a4e016ff6b06863a1ce56439453b7c768ab2b9f87352ff19d9b66ecca
Signer #1 certificate SHA-1 digest: cfdfa9b3c61b2c48458e54a61efb7b187be5643b
Signer #1 certificate MD5 digest: 472f66d1fc7ebe82dbbb3c69ad56c1f1

The certificate digest d02c234a4e016ff6b06863a1ce56439453b7c768ab2b9f87352ff19d9b66ecca will be found in the attestation certificate chain provided by the TEE.

Release the apk publicly posting also the app’s SHA-256 digest

Securely delete the keystore from the system


shred -zu security-coucil.ks

Announce the new release on public channels

Updating

When an update to the code is needed, it means a new APK including the changes needs to be signed and released on the proofcastlabs/tee-wrapper-android repository.

Thus, all the nodes willing to update are required to uninstall their current app and install the new APK, invaliding the previous TEE generated inside the TEE.