Documentation on encryption is unclear and encryption options are confusing

Open Atemu opened this issue 3 years ago • 7 comments

I want to finally migrate off test-keys now that µG supports SafetyNet and Magisk has a better hide mechanism.

Unfortunately, the signing setup of robotnix isn't very user-friendly. I want the releaseScript variant, so I built a releaseScript of my config.

This requires signing.enable = true; which is sensible but from there on, things are less clear. The first thing robotnix complains about is that signing.keyStorePath is undefined. Since I chose the releaseScript method, I don't want to sign from inside the drv, so this is extremely confusing.

Through experimentation, I later found out it needs access to the certificates, not the (private) signing keys. These should be separate options to reflect that fact. I don't mind putting (public) certificates in the Nix store.

The need for the certs can be alleviated by setting fingerprints on the prebuilt apps which the docs do hint at but they're very unclear on it.

Related: https://github.com/danielfullmer/robotnix/issues/24

Atemu, Feb 08 '22 10:02

Currently signing.keyStorePath is needed to determine the key fingerprints via IFD. You can do what Daniel and I and probably others are doing and hardcode the public key fingerprints in the Nix file.

https://github.com/danielfullmer/robotnix-personal/blob/ef8cd1f379e153f66aa89e9fc9362a693537187b/flake.nix#L30-L35

hmenke, Feb 08 '22 11:02

The need for the certs can be alleviated by setting fingerprints on the prebuilt apps which the docs do hint at but they're very unclear on it.

Atemu, Feb 08 '22 12:02

> Currently signing.keyStorePath is needed to determine the key fingerprints via IFD. You can do what Daniel and I and probably others are doing and hardcode the public key fingerprints in the Nix file.
>
> https://github.com/danielfullmer/robotnix-personal/blob/ef8cd1f379e153f66aa89e9fc9362a693537187b/flake.nix#L30-L35

Can you clarify if this fingerprint is fixed for f-droid, or we have to get the fingerprint of the f-droid cert created by the generateKeysScript?

mannp, Feb 17 '22 10:02

I never specified any fingerprint for fdroid when I used fdroid, I think it just used the one from generateKeysScript.

Kranzes, Feb 17 '22 10:02

> I never specified any fingerprint for fdroid when I used fdroid, I think it just used the one from generateKeysScript.

I see, thanks. So what is the purpose of this if it builds without it?

apps.prebuilt.F-Droid.fingerprint = lib.mkIf config.signing.enable "440B1449D705B85191E427C1ACF245B48854CACF1240AA358F15E4D022BA4A7F";

Perhaps it's for GrapheneOS, and it is not needed for LineageOS?

mannp, Feb 17 '22 11:02

You can extract the fingerprint using

openssl x509 -noout -fingerprint -sha256 -in ./keys/f-droid.x509.pem | cut -d '=' -f 2 | tr -d ':'

Once you have hardcoded all fingerprints you can run with --option allow-import-from-derivation false which gets you one step closer to pure evaluation mode.

hmenke, Feb 17 '22 11:02
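The openssl pipeline above prints the SHA-256 of the certificate's DER bytes as bare uppercase hex. The following added example (not from the thread participants or from robotnix) computes the same value with the Python standard library and flags hardcoded fingerprints that no longer match the certificate in the keys directory. The function names, the app-name mapping and the sample PEM are assumptions made for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
HEX64 = re.compile(r"[0-9A-F]{64}")

# Constructed sample: a PEM wrapper around the placeholder bytes b"abc",
# NOT a real certificate. In practice read ./keys/<name>.x509.pem instead.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def cert_fingerprint(pem_text):
    """SHA-256 of the certificate's DER bytes, uppercase hex, no colons."""
    match = PEM_RE.search(pem_text)
    if match is None:  # e.g. a private-key PEM was passed by mistake
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest().upper()


def normalize(fingerprint):
    """Accept 'AA:BB:...' or lowercase input; return bare uppercase hex."""
    bare = fingerprint.replace(":", "").strip().upper()
    if not HEX64.fullmatch(bare):
        raise ValueError(f"not a SHA-256 fingerprint: {fingerprint!r}")
    return bare


def stale_pins(pinned, pems):
    """Return app names whose pinned fingerprint no longer matches its cert.

    pinned: {app name: fingerprint written in the Nix config}
    pems:   {app name: PEM text of the certificate from the keys directory}
    """
    stale = []
    for app, pin in sorted(pinned.items()):
        pem = pems.get(app)
        if pem is None or normalize(pin) != cert_fingerprint(pem):
            stale.append(app)
    return stale


def nix_line(app, pem_text):
    """Render the option in the form quoted earlier in the thread."""
    return (f"apps.prebuilt.{app}.fingerprint = lib.mkIf "
            f'config.signing.enable "{cert_fingerprint(pem_text)}";')


if __name__ == "__main__":
    print(nix_line("F-Droid", SAMPLE_PEM))
```

Running `stale_pins` after regenerating keys shows which hardcoded values need updating before building with import-from-derivation disabled.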

Thanks, that makes sense now 👍🏻

mannp, Feb 17 '22 11:02