Signing Tor Browser for Android on a Linux machine
==================================================

These instructions are for a Nitrokey, as described in
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26536

Preparations:
-------------

Follow the steps outlined in the KeyGeneration documentation.

Software needed:
----------------

1) Android SDK build tools

 - Latest (at time of writing):
   - https://developer.android.com/studio?hl=i#downloads
   - https://dl.google.com/android/repository/commandlinetools-linux-6609375_latest.zip
   - 89f308315e041c93a37a79e0627c47f21d5c5edbe5e80ea8dc0aac8a649e0e92

Installation
------------

1) Requirements

- for the signing: sudo apt-get install nitrokey-app opensc-pkcs11 opensc openjdk-8-jdk
  - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26536#note_2651175

`nitrokey-app` should automatically detect the Nitrokey if it is connected.
Debian Stretch provides version 0.6.3-1.

Install private signing key on Nitrokey
---------------------------------------

- pkcs15-init --delete-objects privkey,pubkey,chain                 \
              --id 3 --store-private-key secret_and_certificate.p12 \
              --format pkcs12 --auth-id 3 --verify-pin

Signing
-------

1) Confirm Nitrokey is supported and operating correctly

 Execute `nitrokey-app`; the output should look like:

- nitrokey-app
Expect: "Application started successfully."

2) Ensure pkcs11 configuration file is available

# Create a file containing the Provider arguments
- cat > /tmp/pkcs11_java.cfg << EOF
name = OpenSC-PKCS11
description = SunPKCS11 via OpenSC
library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
slotListIndex = 1
EOF

3) Test the configuration file with `keytool` and confirm it can access the smartcard
- keytool -providerClass sun.security.pkcs11.SunPKCS11     \
          -providerArg /tmp/pkcs11_java.cfg -keystore NONE \
          -storetype PKCS11 -list


4) Signing the executable(s):

- path/to/apksigner sign --verbose --provider-class sun.security.pkcs11.SunPKCS11  \
                         --provider-arg /tmp/pkcs11_java.cfg --ks NONE --ks-type PKCS11 \
                         --debuggable-apk-permitted=false                          \
                         --out tor-browser-${VERSION}-android-${arch}-multi-qa.apk \
                         tor-browser-${VERSION}-android-${arch}-multi-unsigned.apk
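
The provider file from step 2 lives in /tmp and names the native library that the JVM loads while the signing key is in use, so it is worth checking before `keytool` or `apksigner` reads it. The script below is an added example, not part of the original instructions; its function names are hypothetical helpers and the demo config and library file are constructed.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check of a SunPKCS11 config before signing.
# All function names here are hypothetical helpers, not project code.

# Print the trimmed value of "key = value" from config file $1.
cfg_value() {
    awk -v key="$2" '{
        eq = index($0, "="); if (!eq) next
        k = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
        v = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == key) { print v; exit }
    }' "$1"
}

# Succeed only if neither group nor others have write permission on $1.
owner_only_writable() {
    case "$(ls -ld -- "$1")" in
        ?????w*|????????w*) return 1 ;;
    esac
}

check_pkcs11_cfg() {
    local cfg=$1 lib
    if [ -L "$cfg" ] || [ ! -f "$cfg" ]; then echo "not a regular file: $cfg" >&2; return 1; fi
    [ -O "$cfg" ] || { echo "not owned by you: $cfg" >&2; return 1; }
    owner_only_writable "$cfg" || { echo "writable by others: $cfg" >&2; return 1; }
    lib=$(cfg_value "$cfg" library)
    [ -n "$lib" ] || { echo "no library entry: $cfg" >&2; return 1; }
    lib=$(readlink -f -- "$lib")   # the packaged .so may be a symlink
    [ -f "$lib" ] || { echo "library not found: $lib" >&2; return 1; }
    owner_only_writable "$lib" || { echo "library writable by others: $lib" >&2; return 1; }
}

# Constructed sample: a strict config, then the same file made world-writable.
demo() {
    local d; d=$(mktemp -d) || return 1
    : > "$d/fake-pkcs11.so"; chmod 644 "$d/fake-pkcs11.so"
    printf 'name = OpenSC-PKCS11\nlibrary = %s\nslotListIndex = 1\n' \
        "$d/fake-pkcs11.so" > "$d/pkcs11_java.cfg"
    chmod 600 "$d/pkcs11_java.cfg"
    check_pkcs11_cfg "$d/pkcs11_java.cfg" 2>/dev/null && echo "strict: pass"
    chmod 666 "$d/pkcs11_java.cfg"
    check_pkcs11_cfg "$d/pkcs11_java.cfg" 2>/dev/null || echo "world-writable: fail"
    rm -rf "$d"
}

# With an argument, check that file; with none, run the constructed demo.
if [ -n "${1:-}" ]; then check_pkcs11_cfg "$1"; else demo; fi
```

Run it with `/tmp/pkcs11_java.cfg` as the argument after step 2 and before the `keytool` test in step 3.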
