How to handle APK signing for Android in an FOSS project?

Question

Hi,

I'm working on an open source project for android and am wondering whether there are any best practices (or at least well-argued hints) on how to manage the private key for signing the APKs.

On the one hand, the key should be secured, on the other hand, at least the members of the core team should be able to create "official" releases.

My first suggestion was to just distribute the encrypted private key in the source repository and give out the passphrase to committers, but the trust (from the community to the individual) cannot be revoked.

Is there any other way to share the signing rights (e.g. by setting up a private CA and creating keys for each committer) among the members?

Answer 1

You should probably limit the number of people who have the signing key for a given "branding" of the project - which of course is distinct from other builds. If you expected to build substantial loyalty to that branding, it might not be appropriate for the key to ever even be present on a network connected machine. Similarly, you probably don't want to share the associated android market login (if you are distributing that way) very widely. Probably one person has the working copy and is tasked with using it, and one or two others have duplicate info in sealed envelopes. Everything up to the point where a new version is uploaded to market would be done with debug or testing keys - which probably means that your developers and closely involved users are habitually using a version that is not signed with the same key as the market published version, but may sometimes be the same binary release or sometimes be a nightly or sometimes be their own build, in each case signed with their own personal key.