Building a Signing Server

 Posted on December 18, 2017  |  Hans-Christoph Steiner

The Android APK signing model sets the expectation that the signing key will be the same for the entire lifetime of the app. That can be seen in the recommended lifetype of an Android signing key: 20+ years. On top of that, it is difficult to migrate an app to a new key. Since the signing key is an essential part to preventing APKs from impersonating another, Android signing keys must be kept safe for the entire life of the app. [Read More]
bazaar  F-Droid  fdroid  hardware  howto  hsm  identity  security  signing  signing key  smart card  tor 

How to Migrate Your Android App’s Signing Key

 Posted on December 29, 2015  |  Abel Luck

It is time to update to a stronger signing key for your Android app! The old default RSA 1024-bit key is weak and officially deprecated. What? The Android OS requires that every application installed be signed by a digital key. The purpose behind this signature is to identify the author of the application, allow this author and this author alone to make updates to the app, as well as provide a mechanism to establish inter-application trust. [Read More]
Android  bazaar  encryption  F-Droid  fdroid  howto  identity  rsa  security  signing key  TrustedIntents