Skip to main content

Release Signing

This section explains how FMD signs its release artifacts and manages its signing keys.

The goals of this documentation section are:

  1. Provide transparency about FMD's security processes.

    FMD, by its nature, has a lot of power over your device. Therefore, we aim for high security standards, even if it is more work and takes more time.

  2. Help other projects create similar setups.

    When we designed the signing process for FMD, we found few good end-to-end guides for how to securely manage APK signing keys, with concrete steps and up-to-date commands. We assembled this guide from many different tutorials, blogs, wikis, and man pages. We hope that this guide is useful to other app developers.

What is signing?

In digital signatures, the holder of a private signing key (the FMD team) signs data (such as APKs) with this key. Using the corresponding public verification key, anyone can verify that the data has not been tampered with (integrity). For example, this is important for app updates: Android only allows updating an app if the update has been signed by the same key as the original app install.

Signatures establish integrity and authenticity between 1) the releases that FMD ships and 2) what users end up installing on their devices. This is because only the FMD team (and nobody else) should be able to produce signatures with this key. Therefore, security hinges on the confidentiality of the private signing key. If an unauthorized person would get access to the signing key, they could maliciously sign data on behalf of FMD.

In practice, handling signing keys involves careful manual work. Keys need to be generated, securely shared between maintainers, and backed up so they are not accidentally lost. And during all of that, they need to be protected from adversaries.

Letting others manage your key

The easy option is to let someone else manage your signing key for you, especially for small projects and app developers that are just starting out. It is less work and in many cases more secure (in terms of confidentiality and availability).

In fact, Google has decided to force all app developers publishing on Google Play to have their signing keys managed by Google through Play App Signing. App developers only sign the APK with an "upload key", and Google resigns the APK with the real signing key. When an app developer loses their upload key, they can reset/rotate it via Google's normal recovery flows.

Traditionally, F-Droid has also created and managed the signing keys for apps that it builds.

Managing your own key

In recent years, F-Droid has moved to publishing developer-signed APKs. This is powered by Reproducible Builds. F-Droid verifies that the APK that F-Droid built from source matches the APK that the developer has built and signed. If there is a match, F-Droid publishes the APK with the signature from the developer.

In this model, developers manage the signing keys themselves. This is desirable because it allows developers to have full control over their signing key (which is their developer identity).

However, managing a signing key is not trivial. According to numbers from IzzyOnDroid, roughly 5% of Android developers lose their signing keys and need to sign their app with a new key. In practice, this means that users need to uninstall and reinstall the app to get updates.

As an app developer, you are facing several challenges:

  • Keep the key confidential. The key is your identity. If someone steals your signing key, they can release malicious app updates in your name.
  • Keep the key available. You need to back up the key so that you have access to it even if your laptop breaks or your house burns down.
  • Share the key with other maintainers. If your project has two or more trusted maintainers, you need a way to share the APK signing key between them.

Summary

The rest of this documentation chapter explains some ideas for how to address these challenges. This is intended as an inspiration, since what is a good fit depends a lot on the size and maturity of your project.

Additionally, we show concrete steps and commands of how FMD signs its APKs and other artifacts.

Acknowledgements

Writing this documentation has been supported by NLnet.

References