Update README.md #8634
Conversation
Addresses thunderbird#8576
I think this might lead to unnecessary support requests if people don't know how to verify an APK is properly signed and use We also use different signing certificates for the different apps and release channels (Thunderbird release/beta/daily, K-9 Mail).
@cketti How do you feel about more neutral language, e.g. Our applications use the following APK signatures:
Alternatively we could create a SECURITY.md or similar with this information and link to it.
We should use exact wording. These are (probably, I haven't actually checked the values) the SHA-256 hashes of the signing certificates we use. If we do this, I think we should document the actual command one can use to verify an APK, not just link to the documentation of
I'll update this one -> done
README.md
@@ -73,6 +73,24 @@ our [blog post](https://blog.thunderbird.net/2023/07/k-9-mail-collaborates-with- | |||
|
|||
You can report a security vulnerability [through the respective issues form](https://github.com/thunderbird/thunderbird-android/security/advisories/new). | |||
|
|||
### Verifying the Apk Signature | |||
|
|||
Users can ensure that the downloaded apk from Github and F-Droid was properly signed with our signing key by verifying |
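Review bot: The last added line speaks of "our signing key", but what a user can actually compare is the signing certificate (its SHA-256 fingerprint), so "signing certificate" is the accurate term here, and the sentence should state what to compare it against (the fingerprints the README publishes) rather than leave the verification target implicit. Also use "APK" and "GitHub" consistently: the heading has "Apk" while the sentence has "apk" and "Github".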
I think we should be accurate with naming and replace "signing key" with "signing certificate". Especially since the command line argument is called `-printcert` and users might not be able to make the connection.
I agree that "signing certificate" is more accurate, especially in the context of using the `keytool` command with `-printcert`. However, since this is about verifying the APK's signature, switching to the suggested term might not directly address the primary goal. It would be helpful to define the target audience for this documentation to determine whether the concern about users not making the connection is valid. That way, we can decide if a clarification or adjustment is truly necessary.
I removed usage of any term to keep it simple
`keytool` and `apksigner` verify that the APK was signed using the signing certificate that is part of the APK. What the user needs to do is verify that the signing certificate in the APK is actually our signing certificate and not some random other one.
I understand your point, but it would be more helpful if you could suggest a way to explain this more clearly for users. That way, we can make sure the information is both accurate and user-friendly.
README.md
To verify the SHA-256 hash of the APK, use the following command in your terminal: | ||
|
||
```bash | ||
keytool -printcert -jarfile <path-to-apk> |
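Review bot: The lead-in "To verify the SHA-256 hash of the APK" does not describe what the command below it does: `keytool -printcert -jarfile` prints the fingerprints of the signer's certificate, not a hash of the APK file, and it only examines the v1 (JAR) signature. Suggest rewording to "To print the SHA-256 fingerprint of the signing certificate" and, as raised in the thread, using `apksigner verify --print-certs <path-to-apk>`, which also validates the v2/v3 signature schemes, followed by an explicit instruction to compare the printed fingerprint with the published values.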
I believe `keytool` will only verify the v1 signature. We probably want to recommend using `apksigner verify` so we don't have to update this in the future.
The problem is that `apksigner` requires installing the Android SDK Build Tools; this could be a nice addition but requires way more effort than using `keytool`.
🤷 We don't expect regular users to verify the APK signature. I think it's fine to require interested users to install the build tools. It's also possible they don't have `keytool` installed. So that would require some work as well.
Let's go with apksigner, this is for example also what Signal does: https://signal.org/android/apk/
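The check cketti describes above (after `apksigner verify` has accepted the signature, the user still has to confirm that the signer certificate in the APK is the project's own one) as an added shell example; this is not code from the PR or the project. The fingerprint in `EXPECTED_FINGERPRINTS` and the `SAMPLE_OUTPUT` text are constructed placeholders, not the real Thunderbird or K-9 Mail values.

```shell
#!/bin/sh
# Added example, not part of the PR: compare the signer certificate fingerprint
# that apksigner prints against the fingerprint(s) the project publishes. A valid
# signature alone only proves the APK matches whatever certificate is inside it;
# the comparison is what ties it to the project's certificate.

# Constructed placeholder; take the real per-app/per-channel values from the README.
EXPECTED_FINGERPRINTS="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# Read `apksigner verify --print-certs` output on stdin and print each signer's
# SHA-256 certificate digest as lowercase hex, one per line.
extract_sha256() {
    sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *//p' | tr 'A-F' 'a-f'
}

# check_digests OUTPUT ALLOWLIST: succeed only if OUTPUT contains at least one
# signer digest and every signer digest is in the space-separated ALLOWLIST.
check_digests() {
    text="$1"; allowed="$2"; found=0
    for d in $(printf '%s\n' "$text" | extract_sha256); do
        found=1
        case " $allowed " in
            *" $d "*) ;;
            *) echo "unexpected signer certificate: $d" >&2; return 1 ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# verify_apk PATH: fail if the signature does not verify (apksigner exits
# non-zero) or if the signer certificate is not one of the expected ones.
verify_apk() {
    out=$(apksigner verify --print-certs "$1") || return 1
    check_digests "$out" "$EXPECTED_FINGERPRINTS"
}

# Constructed sample in apksigner's --print-certs format so the comparison can
# be exercised without an APK or the build tools installed.
SAMPLE_OUTPUT="Signer #1 certificate DN: CN=Constructed Example
Signer #1 certificate SHA-256 digest: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
Signer #1 certificate SHA-1 digest: 0123456789ABCDEF0123456789ABCDEF01234567"
check_digests "$SAMPLE_OUTPUT" "$EXPECTED_FINGERPRINTS" && echo "sample: signer certificate matches"
```

With a real APK, `verify_apk path/to/app.apk` performs both steps: signature validation by apksigner, then the fingerprint comparison.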
The section is now shorter
Now we're back to where we started. See the first comment.
To move forward, it would be helpful if you could provide a concrete suggestion for how you think this should be phrased.
I like the simplicity of Signal's page. Adjusted for us, it would be:
I'm fine with copy pasting Signal's approach.
Addresses #8576 . Please feel free to edit as you see fit.