Hi,
I'm working on an open source project for android and am wondering whether there are any best practices (or at least well-argued hints) on how to manage the private key for signing the APKs.
On the one hand, the key should be secured, on the other hand, at least the members of the core team should be able to create "official" releases.
My first suggestion was to just distribute the encrypted private key in the source repository and give out the passphrase to committers, but the trust (from the community to the individual) cannot be revoked.
Is there any other way to share the signing rights (e.g. by setting up a private CA and creating keys for each committer) among the members?