From 9ee61dc0dfa5990126b7fb79c5373beb83a8b040 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20Sch=C3=BCrmann?= <dominik@dominikschuermann.de>
Date: Mon, 21 Sep 2015 14:05:44 +0200
Subject: Pin keybase certificate

---
 .../java/org/sufficientlysecure/keychain/KeychainApplication.java   | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java')

diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java
index 45d81749a..56dd9a4cb 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java
@@ -100,6 +100,12 @@ public class KeychainApplication extends Application {
 
         TlsHelper.addPinnedCertificate("hkps.pool.sks-keyservers.net", getAssets(), "hkps.pool.sks-keyservers.net.CA.cer");
         TlsHelper.addPinnedCertificate("pgp.mit.edu", getAssets(), "pgp.mit.edu.cer");
+        // NOTE:
+        // keybase.io.CA.cer only holds the CA issuing the actual keybase.io certificate, but this
+        // is better than no pinning!
+        // We are not using https://github.com/keybase/node-client/blob/master/src/ca.iced
+        // because it is only valid for api.keybase.io (https://github.com/keybase/keybase-issues/issues/964)
+        TlsHelper.addPinnedCertificate("keybase.io", getAssets(), "keybase.io.CA.cer");
 
         TemporaryStorageProvider.cleanUp(this);
 
-- 
cgit v1.2.3