Maintainer guide
This page contains an overview of the steps for the regular, day-to-day signing activities. It is intended as a mental aid for FMD maintainers.
Helper scripts are available here: https://gitlab.com/fmd-foss/key-management
See also the RELEASING.md of FMD Android and FMD Server. Those contain more details, because this guide focusses on the signing parts.
Workspace setup
- Get a spare laptop and a Nitrokey HSM.
- Install Debian on the spare laptop.
- Initialise the Nitrokey with an SO PIN and User PIN, and waiting for a DKEK import. These are personal to you and your Nitrokey; do not share them.
- If this is the first time: Create a DKEK, splitting its encryption password with m-of-n.
- Import the DKEK into your Nitrokey.
- If this is an additional key: Import all relevant private keys from the wrapped exports.
Key generation
- Generate key pairs for all purposes (APK, F-Droid repo, Server).
- Export the CVC-REQs (for attestation).
- Create self-signed certificates for the key pairs that will be used by Java tooling (APK, F-Droid).
- Import the certificates into the Nitrokey.
Backup
- Create wrapped exports of all private keys.
- Export all public keys.
- Copy the wrapped private keys, the public keys, the attestation certificate chains, and the self-signed certificates onto an external backup medium.
Usage (FMD Android)
Build the APK:
- Compile an unsigned APK on your build machine.
- Make sure the APK is reproducible.
- Copy the APK to the signing laptop.
- Sign the APK.
- Copy the signed APK back to your main laptop.
- Check that the signed APK is still reproducible.
- Publish the APK.
Build the F-Droid repo:
- Clone the GitLab repo.
- Copy the APK that you signed above to the repository root.
source venv/bin/activateyour fdroidserver installation.fdroid update- Commit and push.
- Deploy to https://packages.fmd-foss.org/fdroid/repo
Usage (FMD Server)
- Build the release ZIP.
- Make sure the ZIP is reproducible.
- Sign the ZIP.
- Upload the files to https://packages.fmd-foss.org/server