ADW Launcher, stock Android 2.2 on SGS. As the title says, the app is not listed in the app launcher. But it DID launch from the post-install screen that let you run the app you've just installed. You should add a launcher icon ASAP!

Is it possible to make CaCertMan working for Android 2.1 and earlier versions?

I cloned the repo, ran git submodule update --init --recursive, then tried to run make. That gave me:

cd ca-certificates && git verify-tag `git describe --abbrev=0 --tags`
gpg: Signature made Sun 20 Jan 2013 07:47:44 PM EST using RSA key ID FE4B2BDA
gpg: Can't check signature: public key not found
make: *** [debian-verify] Error 1

Is there some other preparation step needed to build the BKS store via make?

Thanks!

My preliminary testing shows this app suffers from changes in Android

reference: moxie0/AndroidPinning#1

You have:

our own CACert keystore for us on Android devices

I am guessing that "us" is supposed to be "use", as that would make more sense given the overall context.

BTW, thanks for making this available, and the other work the Guardian Project does. I can't find a donation link on the main site -- is there one that I'm missing?

Use case: For self-signed certs of personal websites.

Been playing around with a device on froyo. Just wanted to ask as i'm not sure if I modified my cacert file correctly

I couldn't get this tool to work so just made a couple scripts

The first deleted all certs in the cacert file from system/etc/security
The second then added all of the certs from the debian package using keytool and bouncycastle

Is this correct or could I have messed something up by deleting all the certs already in the file? The reason I deleted them all was because majority of them were being flagged as already existing in the file

I wrote the below Containerfile to use this project:
The list of deps to run this project are:
git make ca-certificates gnupg python2 openjdk-17-jre-headless
(openjdk is for keytool)

build with podman build --rm -t cacertoolguardian -f CaCertGuardionTool

CaCertGuardionTool content:

FROM docker.io/debian:sid-slim

RUN set -ex; \
    mkdir -p /usr/share/man/man1/; \
    apt-get update; \
    DEBIAN_FRONTEND=noninteractive apt-get install --yes -o APT::Install-Suggests=false --no-install-recommends git make ca-certificates gnupg python2 openjdk-17-jre-headless; \
    ln -s /usr/bin/python2 /usr/bin/python; \
    rm -rf /var/lib/apt/lists/*; \
    useradd -ms /bin/bash appuser; 

USER appuser
RUN set -ex; \
    cd /home/appuser/; \
    gpg --keyserver keyring.debian.org --recv-keys A278B781FE4B2BDA; \
    git clone --depth 1 https://github.com/guardianproject/cacert; \
    cd cacert; \
    sed -i 's/git:\/\/anonscm.debian.org\/git\/collab-maint\/ca-certificates.git/https:\/\/salsa.debian.org\/debian\/ca-certificates.git/g' .gitmodules; \
    git submodule update --init --recursive; \
    make
    
WORKDIR /home/appuser/

evanskaufman Evan Kaufman
@
@guardianproject Shouldn't the app have a way to install your "curated" cacerts.bks file, perhaps directly from @github?

The project README indicates that the expected usage is to build your own BKS store. As I just pointed out in issue #9, the instructions may be missing a step for doing that.

However, I note that you have committed the output (stores/debiancacerts.bks) to the repo.

Is this a BKS file that we are supposed to use? If yes, what is the keystore password? Your sample code shows changeit, which seems suspiciously like a placeholder... :-)

If it is not something that we are supposed to use, you might consider removing it from the repo. That being said, I would encourage you to consider publishing a generated BKS file with a known password, perhaps in the Releases area. While being able to reproduce your work is great, at the end of the day, developers need the BKS store, more than they need the ability to generate the BKS store.

Thanks!

in:

Visiting https://anonscm.debian.org/ return:

The alioth.debian.org service is discontinued. Its replacement is a GitLab instance at salsa.debian.org.

Replacing above line with this works:

	url = https://salsa.debian.org/debian/ca-certificates.git

I'm getting this error on trying to backup the CA certs:

Error: The keystore was not saved./data/data/[something-guardianproject-something](Is a directory)
(It's annoying to write the full path from memory, and I guess you already know which one it is already anyway.)

Samsung Galaxy S, stock 2.2, rooted, Busybox (version number is something ending in 18). What could the problem be?

(A bit OT, but I'm not seeing DigiNotar, but I assume the app shows the complete list and that just means I never had that CA cert on the phone, right?)

Using the alpha release of the app, I get the toast error notification Failure to save:Cannot write to: /system/etc/security/cacerts.bks when I try to save, and it's allowed (and remembered) in Superuser.

This is on a rooted Nexus One running CyanogenMod-7.0.3-N1. Following is a segment of a logcat, please let me know if you need the whole thing.

https://gist.github.com/0843f7c2766448ef10be