Signatures of exposure keys provided by servers are not verified
cgrigis opened this issue · 7 comments
The exposure key files provided by servers are signed using a PHA-specific private key, whose public counterpart is provided to Google for allowlisted apps.
When an app receives exposure key files from a server, it passes them to GAEN via an API that validates them and checks their signature before looking for matches.
As microG does not have the PHA-specific public signature keys, the exposure key files are currently not verified before matching is attempted.
After discussion with @gannimo and @francozappa:
We should get the pub keys (they are public anyway 🙂 ) and then verify the signatures with some extra code.
Received the public key for the Swiss back-end server.
Tested both public keys received (dev/test and prod), and incorporated them into the microG branch.
Discussion ongoing regarding how the user decides what to do when a key-file does not verify.
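A sketch of the check discussed in this thread, as an added example that is not microG's code or part of the original issue: it verifies a detached signature over the key-file bytes against a list of trusted PHA public keys (for instance dev/test and prod) and treats any malformed key or signature as "not verified". It assumes ECDSA over P-256 with SHA-256, X.509-encoded public keys, and that the signature has already been extracted from the file; the class name `KeyFileVerifier`, the keys and the payload are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.List;

public class KeyFileVerifier {
    // True only if `sig` is a valid ECDSA/SHA-256 signature over `exportBin`
    // under at least one trusted key. Any parsing or crypto error fails closed.
    static boolean verify(byte[] exportBin, byte[] sig, List<byte[]> trustedKeysX509) {
        for (byte[] encoded : trustedKeysX509) {
            try {
                PublicKey key = KeyFactory.getInstance("EC")
                        .generatePublic(new X509EncodedKeySpec(encoded));
                Signature v = Signature.getInstance("SHA256withECDSA");
                v.initVerify(key);
                v.update(exportBin);
                if (v.verify(sig)) return true;
            } catch (GeneralSecurityException e) {
                // Malformed key or signature encoding: not verified with this key.
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for the dev/test and prod server keys.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair test = gen.generateKeyPair(), prod = gen.generateKeyPair();
        KeyPair other = gen.generateKeyPair();
        // Constructed sample payload standing in for the key-file contents.
        byte[] exportBin = "constructed-sample-key-file".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(prod.getPrivate());
        s.update(exportBin);
        byte[] sig = s.sign();
        List<byte[]> trusted = List.of(test.getPublic().getEncoded(),
                                       prod.getPublic().getEncoded());
        byte[] tampered = exportBin.clone();
        tampered[tampered.length - 1] ^= 1; // flip one bit of the payload
        System.out.println("genuine file:  " + verify(exportBin, sig, trusted));
        System.out.println("tampered file: " + verify(tampered, sig, trusted));
        System.out.println("untrusted key: "
                + verify(exportBin, sig, List.of(other.getPublic().getEncoded())));
        System.out.println("garbage sig:   " + verify(exportBin, new byte[]{1, 2, 3}, trusted));
    }
}
```

The boolean result is where the open question in this thread applies: the caller decides what to do with a key-file for which `verify` returns false.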