✒️

Security Council - Signing procedure

This is a guide for the Security Council members in order to create a signed APK needed for pNetwork v4 nodes.

Requirements

Make sure you download the following tools and use the terminal app to interact with them.

Build

Go into the tee-wrapper-android folder and run
./gradlew clean assembleUnsigned
This creates a tee-wrapper-android-unsigned.apk file at the root of the project.
Troubleshooting
If the above command doesn’t work, you may need to install additional components: check the Event Attestator and Tee Wrapper Android repositories READMEs for further information.

Key generation

Run the following command
keytool -genkey -v -keystore security-council.jks -alias pnetwork-security-council -keyalg RSA -keysize 2048 -validity 10000
This creates a security-council.ks which will contain the encrypted private key that will be used to sign the APK.
Troubleshooting
  • bash: keytool: command not found: this error means you need to add to your PATH environment variable the path to the keytool binary which is usually found at your JAVA installation path
  • Example output:
Enter keystore password: Re-enter new password: What is your first and last name? [Unknown]: What is the name of your organizational unit? [Unknown]: Security Council What is the name of your organization? [Unknown]: pNetwork What is the name of your City or Locality? [Unknown]: What is the name of your State or Province? [Unknown]: What is the two-letter country code for this unit? [Unknown]: Is CN=Unknown, OU=Security Council, O=pNetwork, L=Unknown, ST=Unknown, C=Unknown correct? [no]: yes Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 10,000 days for: CN=Unknown, OU=Security Council, O=pNetwork, L=Unknown, ST=Unknown, C=Unknown [Storing pnetwork-security-council.jks]

Signing

In order to sign the APK execute the following command:
apksigner sign --ks security-council.ks --in tee-wrapper-android-unsigned.apk --out tee-wrapper-android.apk
Troubleshooting
  • bash: apksigner: command not found: this error means you need to add to your PATH environment variable the path to the apksigner binary which is usually found at your Android installation path.

Release

  • Verify the apk legitimacy:
apksigner verify --print-certs tee-wrapper-android.apk
Example output:
Signer #1 certificate DN: CN=Unknown, OU=Security Council, O=pNetwork, L=Unknown, ST=Unknown, C=Unknown Signer #1 certificate SHA-256 digest: d02c234a4e016ff6b06863a1ce56439453b7c768ab2b9f87352ff19d9b66ecca Signer #1 certificate SHA-1 digest: cfdfa9b3c61b2c48458e54a61efb7b187be5643b Signer #1 certificate MD5 digest: 472f66d1fc7ebe82dbbb3c69ad56c1f1
The certificate digest d02c234a4e016ff6b06863a1ce56439453b7c768ab2b9f87352ff19d9b66ecca will be found in the attestation certificate chain provided by the TEE.
  • Release the apk publicly posting also the app’s SHA-256 digest
  • Securely delete the keystore from the system
shred -zu security-coucil.ks
  • Announce the new release on public channels

Updating

When an update to the code is needed, it means a new APK including the changes needs to be signed and released on the proofcastlabs/tee-wrapper-android repository.
Thus, all the nodes willing to update are required to uninstall their current app and install the new APK, invaliding the previous TEE generated inside the TEE.