google/bundletool

Code transparency key may be used for app signing

asit-fdraschbacher opened this issue · 0 comments

Describe the bug
The official documentation for Code Transparency for App Bundles stresses in multiple places that the code transparency key differs from the app signing key:

e.g. "It uses a code transparency signing key, which is solely held by the app developer", or "Code transparency is independent of the signing scheme used for app bundles and APKs. The code transparency key is separate and different from the app signing key that is stored on Google's secure infrastructure when using Play App Signing."

Indeed, if a developer uses the app signing key for code transparency, the Code Transparency scheme is broken: its purpose is to serve as an integrity guarantee even if the code signing key is handed over to someone else.

However, this central security requirement is neither verified nor enforced by bundletool. It will happily sign APKs using the same key already used for code transparency, and it successfully validates APKs that use the same key for app signing and code transparency:

$ bundletool check-transparency --mode=apk --apk-zip=tmp-apks.zip
APK signature is valid. SHA-256 fingerprint of the apk signing key certificate (must be compared with the developer's public key manually): 50 AD FF E4 B4 B1 8C 04 A8 37 91 57 A4 D8 29 36 BB 80 83 7C 87 51 BD 42 D4 10 7D E1 40 E3 C0 8F
Code transparency signature is valid. SHA-256 fingerprint of the code transparency key certificate (must be compared with the developer's public key manually): 50 AD FF E4 B4 B1 8C 04 A8 37 91 57 A4 D8 29 36 BB 80 83 7C 87 51 BD 42 D4 10 7D E1 40 E3 C0 8F

Code transparency verified: code related file contents match the code transparency file.

This might lead inexperienced developers to use code transparency in a way that entirely voids its security guarantees. A simple solution to this problem would be to add a check to APK generation to ensure that the Code Transparency and app signing keys are distinct. Additionally, a check should also be added during APK verification, and a warning raised if the two keys are the same.
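Until bundletool itself enforces the distinctness requirement, the check proposed here can be applied as a wrapper around bundletool's own output. The following is an added example (not bundletool's code and not from the issue author): it parses the two fingerprint lines printed by `bundletool check-transparency`, rejects the result when the app signing and code transparency fingerprints are identical, and optionally compares the transparency fingerprint with the one the developer published out of band (the manual comparison the tool's output asks for). Both sample outputs are constructed: the first copies the output quoted above, the second uses placeholder bytes for a hypothetical distinct transparency key.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample 1: the check-transparency output quoted in the issue,
# where both fingerprints are identical (the problematic case).
SAME_KEY_OUTPUT = """\
APK signature is valid. SHA-256 fingerprint of the apk signing key certificate (must be compared with the developer's public key manually): 50 AD FF E4 B4 B1 8C 04 A8 37 91 57 A4 D8 29 36 BB 80 83 7C 87 51 BD 42 D4 10 7D E1 40 E3 C0 8F
Code transparency signature is valid. SHA-256 fingerprint of the code transparency key certificate (must be compared with the developer's public key manually): 50 AD FF E4 B4 B1 8C 04 A8 37 91 57 A4 D8 29 36 BB 80 83 7C 87 51 BD 42 D4 10 7D E1 40 E3 C0 8F

Code transparency verified: code related file contents match the code transparency file.
"""

# Constructed sample 2: same app signing key, but a hypothetical distinct
# transparency key (placeholder bytes, not a real certificate fingerprint).
DISTINCT_KEY_OUTPUT = """\
APK signature is valid. SHA-256 fingerprint of the apk signing key certificate (must be compared with the developer's public key manually): 50 AD FF E4 B4 B1 8C 04 A8 37 91 57 A4 D8 29 36 BB 80 83 7C 87 51 BD 42 D4 10 7D E1 40 E3 C0 8F
Code transparency signature is valid. SHA-256 fingerprint of the code transparency key certificate (must be compared with the developer's public key manually): 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF

Code transparency verified: code related file contents match the code transparency file.
"""

# Matches each fingerprint line and captures which key it describes plus the
# 32 space-separated hex bytes of the SHA-256 certificate fingerprint.
FINGERPRINT_RE = re.compile(
    r"SHA-256 fingerprint of the (apk signing|code transparency) key certificate"
    r"[^:\n]*:\s*((?:[0-9A-Fa-f]{2}\s*){32})"
)


def normalise_fp(raw: str) -> str:
    """Strip spaces/colons and upper-case so fingerprints compare byte-for-byte."""
    return re.sub(r"[\s:]", "", raw).upper()


def parse_fingerprints(output: str) -> Dict[str, str]:
    """Return {'apk signing': hex, 'code transparency': hex} for the lines found."""
    return {which: normalise_fp(raw) for which, raw in FINGERPRINT_RE.findall(output)}


@dataclass
class TransparencyKeyCheck:
    verdict: str                 # "ok", "same-key", "unexpected-transparency-key", "incomplete"
    apk_signing_fp: Optional[str]
    transparency_fp: Optional[str]
    detail: str


def evaluate(output: str, expected_transparency_fp: Optional[str] = None) -> TransparencyKeyCheck:
    """Apply the distinctness check (and the optional out-of-band comparison)
    to the text printed by `bundletool check-transparency`."""
    fps = parse_fingerprints(output)
    apk_fp = fps.get("apk signing")
    ct_fp = fps.get("code transparency")
    if apk_fp is None or ct_fp is None:
        return TransparencyKeyCheck("incomplete", apk_fp, ct_fp,
                                    "could not find both fingerprint lines in the output")
    if apk_fp == ct_fp:
        # The exact condition the issue describes: one key for both roles voids
        # the guarantee, so treat a "valid" result as a failure.
        return TransparencyKeyCheck("same-key", apk_fp, ct_fp,
                                    "app signing and code transparency keys are identical")
    if expected_transparency_fp is not None and ct_fp != normalise_fp(expected_transparency_fp):
        return TransparencyKeyCheck("unexpected-transparency-key", apk_fp, ct_fp,
                                    "transparency fingerprint differs from the published one")
    return TransparencyKeyCheck("ok", apk_fp, ct_fp, "keys are distinct")


def main() -> int:
    """Usage: bundletool check-transparency ... | python this_script.py [EXPECTED_FP]"""
    expected = sys.argv[1] if len(sys.argv) > 1 else None
    result = evaluate(sys.stdin.read(), expected)
    print(f"{result.verdict}: {result.detail}")
    return 0 if result.verdict == "ok" else 1


if __name__ == "__main__":
    sys.exit(main())
```

The wrapper exits non-zero for every verdict other than `ok`, so a release pipeline fails closed when bundletool reports a "valid" transparency signature that was produced with the app signing key, or when the transparency fingerprint does not match the one published by the developer.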

Bundletool version(s) affected
All

Stacktrace
Not relevant

To Reproduce

  1. Add Code Transparency to an Android Application Bundle through bundletool.
  2. Use bundletool to generate APKs from the AAB and pass the key used in (1) for signing them.
  3. Bundletool will happily generate the APKs.
  4. Verifying the Code Transparency of these APKs using bundletool succeeds. There is no warning or error regarding the certificate reuse.

Expected behavior
At least a warning should be raised about the Code Transparency and the App Signing keys needing to be distinct.