Private key as string resource

Google changed its storage access policy, and they don’t accept updates of our application anymore. The application gpslogger is Open Source, so I am analyzing the possibility of publishing it on F-Droid.
I read the F-Droid inclusion policy, and I see one problem though. The application uses a SHA1-based RSA key to sign produced IGC track files. This key is considered ‘secret’, so it is not published in the main git repository. This key is loaded at build time from a local file, included in .gitignore.
This approach is not my choice; as you can see, I continue the development of an old application (I’ve got access to the initial Google account, though). I understand that any string resource can be extracted from an APK, but this operation is much more complicated than just pulling a repository with a secret file inside (and many ‘hackers’ just analyze GitHub repos searching for such leaked secrets).
Is there any way to publish an application that uses such a ‘secret’ resource during build time on F-Droid?
Best regards,
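
A check a maintainer could run in CI or a pre-commit hook so that key material like the key described in the post above never lands in a committed Android string resource. This is an added example, not code from gpslogger or F-Droid; the resource names and the sample XML are constructed, and the "key" in it is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# PEM armour used by PKCS#1, PKCS#8, EC, DSA and OpenSSH private keys.
PEM_RE = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)
# A long unbroken base64 run: typical of a DER key pasted without PEM armour.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{200,}={0,2}$")


def scan_string_resources(xml_text):
    """Return the names of <string> resources that look like private keys."""
    hits = []
    for node in ET.fromstring(xml_text).iter("string"):
        value = "".join(node.itertext())
        # Drop whitespace and Android's escaped "\n" before the base64 test.
        compact = re.sub(r"\\n|\s+", "", value)
        if PEM_RE.search(value) or B64_RE.match(compact):
            hits.append(node.get("name"))
    return hits


# Constructed sample: resource names are hypothetical, key bodies are fake.
SAMPLE = """<resources>
    <string name="app_name">GPS Logger</string>
    <string name="igc_private_key">-----BEGIN RSA PRIVATE KEY-----\\nQ09OU1RSVUNURUQ=\\n-----END RSA PRIVATE KEY-----</string>
    <string name="igc_key_der">{blob}</string>
</resources>""".format(blob="QUJD" * 60)

CLEAN = """<resources>
    <string name="app_name">GPS Logger</string>
    <string name="igc_private_key"></string>
</resources>"""


if __name__ == "__main__":
    flagged = scan_string_resources(SAMPLE)
    for name in flagged:
        print("possible private key in string resource:", name)
    # A non-zero exit status makes the hook or CI job fail.
    raise SystemExit(1 if flagged else 0)
```

The check only keeps the key out of version control; it does nothing about the key being present in the built APK.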

No. You can provide the key in another way but it must be public so we can access it.


What is the point of having a common/public/shared private key? Why even sign it at all at that point?
Or instead replace it with opt-in via user provided custom key or generate one on startup?

It does seem to handle the case where the key is unavailable, is signing required?

Thanks for your answers.
The signing is required to validate the traces saved in the IGC file by FAI authorities.
The key used in the application is provided by these authorities. So, it is not available to users; they cannot enter it themselves.
If the IGC file is not signed, it cannot be used to validate the track (during paragliding competitions, for example).
IMHO, the F-Droid build system should provide a way to import ‘secret’ string resources. Such an operation does not change the status of ‘FOSS Software’ as it is not executable code.
Yes, the case when the key is not available is handled in the code. But the application functionality is degraded in this case (see above).

But the key is already public, anyone can sign anything they want with it?
That is literally 1000% useless.

No one told them a private key is supposed to be private?

The key is not public as it is not published anywhere. Yes, it can be extracted from the APK file. But in the same manner (though with more difficulty) it can be extracted from any firmware update file of any GPS device producing signed IGC files. Or directly from a GPS chip. Any piece of software distributed ‘in the wild’ can be hacked to extract any ‘secret’ information (ask Sony developers about their DRM keys).

It is impossible to make it completely private as it should be available on thousands of devices sold worldwide.
Anyway, I cannot change the method of signing IGC traces; it is managed by FAI and not by me. We use the method provided by them. Probably, I would do it another way, but nobody asked me :wink:

You can obfuscate the key somehow before putting it into the repository, e.g. encrypt it with a symmetric algorithm. Then, decrypt the key at compile time and put it as a resource into the APK. This scheme isn’t secure at all, but will probably divert script kiddies.

Why not improve GPSLogger | F-Droid - Free and Open Source Android App Repository directly?

This is the source of the fork. There have been many, many changes since forking. And it does not support the IGC format, so the question of signing is absent.
