https://github.com/grapheneos/apps.grapheneos.org
Application repository
https://github.com/grapheneos/apps.grapheneos.org
grapheneos security
Last synced: about 1 month ago
JSON representation
Application repository
- Host: GitHub
- URL: https://github.com/grapheneos/apps.grapheneos.org
- Owner: GrapheneOS
- License: mit
- Created: 2021-07-11T20:54:47.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2025-03-08T03:18:26.000Z (3 months ago)
- Last Synced: 2025-03-10T19:56:27.676Z (2 months ago)
- Topics: grapheneos, security
- Language: Python
- Homepage: https://apps.grapheneos.org/
- Size: 806 KB
- Stars: 45
- Watchers: 7
- Forks: 14
- Open Issues: 3
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Key generation
Generate signify key for signing repository metadata:
signify -G -n -p apps.0.pub -s apps.0.sec
The `0` refers to the generation of the key. This is used for key rotation.
If you have your own OS where you can include an fs-verity key in the supported
keys built into the OS, you can also generate an fs-verity signing key in order
to provide continuous verification via verified boot instead of only having the
APK signatures verified at boot (which is actually largely skipped for most
boots for apps without fs-verity due to the performance cost).
GrapheneOS requires fs-verity for system app updates as part of fully
extending verified boot to system app updates. Android doesn't enforce any
form of verified boot for system app updates so they can be used to bypass
verified boot by replacing system apps with arbitrary APKs since signature
checks and downgrade protection aren't enforced at boot. GrapheneOS adds
enforced checks and also enforces using fs-verity to provide continuous
verification instead of only one-time verification at boot where the SSD is
trusted afterwards in order to match the properties of verified boot for the
firmware and OS images.
Optionally, generate fs-verity signing key with `GrapheneOS` changed to an
arbitrary name representing your project (not used for anything):
openssl req -newkey rsa:4096 -sha512 -noenc -keyout fsverity_private_key.0.pem -x509 -out fsverity_cert.0.pem -days 10000 -subj /CN=GrapheneOS/
openssl x509 -in fsverity_cert.0.pem -out fsverity_cert.0.der -outform der
The `0` refers to the generation of the key. This is used for key rotation.
The `generate.py` script will automatically sign all the published apps with
the fs-verity key. You can also sign them manually:
fsverity sign app-release.apk app-release.apk.fsv_sig --key fsverity_private_key.0.pem --cert fsverity_cert.0.pem
For Android 15, GrapheneOS uses APK signature scheme v4 signed with the same
key as the APK instead of a separate fs-verity key. You don't need the
fs-verity setup anymore if you only support current versions of GrapheneOS.