From: Hans-Christoph Steiner
Date: Fri, 4 Apr 2014 02:07:45 +0000 (-0400)
Subject: 'smartcardoptions' config item for setting up HSMs with fdroid
X-Git-Tag: 0.2~141^2~7
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=2bd62239f71687d5c1b2c96833d4260df3f471b6;p=fdroidserver.git

'smartcardoptions' config item for setting up HSMs with fdroid

These options are needed to configure Java's keytool and jarsigner to use a Hardware Security Module aka HSM aka smartcard. The defaults provided are meant to make things work as easily as possible.
---
diff --git a/examples/config.py b/examples/config.py
index 3aa837f9..4556233e 100644
--- a/examples/config.py
+++ b/examples/config.py
@@ -59,9 +59,19 @@ of applications from the main repository.
 # jarsigner using -alias. (Not needed in an unsigned repository).
 #repo_keyalias = "fdroidrepo"
-#The keystore to use for release keys when building. This needs to be
-#somewhere safe and secure, and backed up!
-#keystore = "/home/me/.local/share/fdroidserver/keystore.jks"
+# The keystore to use for release keys when building. This needs to be
+# somewhere safe and secure, and backed up! The best way to manage these
+# sensitive keys is to use a "smartcard" (aka Hardware Security Module). To
+# configure FDroid to use a smartcard, set the keystore file using the keyword
+# "NONE" (i.e. keystore = "NONE"). That makes Java find the keystore on the
+# smartcard based on 'smartcardoptions' below.
+#keystore = "~/.local/share/fdroidserver/keystore.jks"
+
+# You should not need to change these at all, unless you have a very
+# customized setup for using smartcards in Java with keytool/jarsigner
+#smartcardoptions = "-storetype PKCS11 -providerName SunPKCS11-OpenSC \
+# -providerClass sun.security.pkcs11.SunPKCS11 \
+# -providerArg opensc-fdroid.cfg"
 # The password for the keystore (at least 6 characters). If this password is
 # different than the keypass below, it can be OK to store the password in this
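Review bot: The default `-providerArg opensc-fdroid.cfg` in the new smartcardoptions comment is a relative path, and the comment does not say which directory it is resolved against or where the file comes from. That file is the SunPKCS11 provider configuration, which names the native PKCS#11 library the JVM loads, so which copy gets picked up matters for the signing setup. I would add a line such as `# opensc-fdroid.cfg is looked up relative to the directory fdroid is run from; give an absolute path if that directory is writable by anyone else`, after confirming that this is how the path resolves. Nothing in the part of the commit shown here creates the file, so a pointer to how to produce it would help as well.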
diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index 4aafc522..ef36deb6 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -54,6 +54,16 @@ def read_config(opts, config_file='config.py'):
 logging.debug("Reading %s" % config_file)
 execfile(config_file, config)
+ # smartcardoptions must be a list since its command line args for Popen
+ if 'smartcardoptions' in config:
+ config['smartcardoptions'] = config['smartcardoptions'].split(' ')
+ elif 'keystore' in config and config['keystore'] == 'NONE':
+ # keystore='NONE' means use smartcard, these are required defaults
+ config['smartcardoptions'] = ['-storetype', 'PKCS11', '-providerName',
+ 'SunPKCS11-OpenSC', '-providerClass',
+ 'sun.security.pkcs11.SunPKCS11',
+ '-providerArg', 'opensc-fdroid.cfg']
+
 defconfig = {
 'sdk_path': "$ANDROID_HOME",
 'ndk_path': "$ANDROID_NDK",
@@ -67,6 +77,7 @@ def read_config(opts, config_file='config.py'):
 'repo_maxage': 0,
 'build_server_always': False,
 'keystore': '$HOME/.local/share/fdroidserver/keystore.jks',
+ 'smartcardoptions': [],
 'char_limits': {
 'Summary' : 50,
 'Description' : 1500
diff --git a/fdroidserver/update.py b/fdroidserver/update.py
index fb90c504..c386499a 100644
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@@ -642,7 +642,8 @@ def make_index(apps, apks, repodir, archive, categories): p = FDroidPopen(['keytool', '-exportcert', '-alias', config['repo_keyalias'], '-keystore', config['keystore'], - '-storepass:file', config['keystorepassfile']]) + '-storepass:file', config['keystorepassfile']] + + config['smartcardoptions']) if p.returncode != 0: logging.critical("Failed to get repo pubkey") sys.exit(1)
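Review bot: In read_config (fdroidserver/common.py, first hunk), `config['smartcardoptions'].split(' ')` splits on single spaces only, so any run of whitespace in the configured string turns into empty-string arguments handed to keytool and jarsigner. The example added to examples/config.py uses backslash continuations inside the string literal, which, once uncommented, presumably leaves the space before each backslash plus the next line's indentation in the value (exact spacing is not recoverable from this page). `config['smartcardoptions'] = config['smartcardoptions'].split()` avoids that, and `shlex.split(...)` (needs `import shlex`) would also allow a `-providerArg` path containing spaces. A value that is already a list would raise AttributeError on `.split`, so a type check before splitting is worth adding. The body of read_config continues outside the hunk.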
@@ -799,7 +800,8 @@ def make_index(apps, apks, repodir, archive, categories): '-storepass:file', config['keystorepassfile'], '-keypass:file', config['keypassfile'], '-digestalg', 'SHA1', '-sigalg', 'MD5withRSA', - os.path.join(repodir, 'index.jar') , config['repo_keyalias']]) + os.path.join(repodir, 'index.jar') , config['repo_keyalias']] + + config['smartcardoptions']) # TODO keypass should be sent via stdin if p.returncode != 0: logging.info("Failed to sign index")
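Review bot: In the jarsigner call, `config['smartcardoptions']` is appended after the positional jar file and alias, while jarsigner's documented form is `jarsigner [options] jar-file alias`. Whether options placed after the positionals are honoured depends on the tool's argument parser, so it is safer to splice the list in ahead of them: `'-sigalg', 'MD5withRSA'] + config['smartcardoptions'] + [os.path.join(repodir, 'index.jar'), config['repo_keyalias']])`. The keytool call in the earlier update.py hunk takes only options, so ordering does not matter there. The start of this FDroidPopen call and the rest of make_index are outside the hunk.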