docs(release): Android keystore rotation runbook + leak-recovery #220
james/carol#220
Context
The Android release pipeline (#187) signs the APK / AAB with a single keystore the maintainer holds via four Forgejo secrets (ANDROID_KEYSTORE_BASE64, ANDROID_KEYSTORE_PASSWORD, ANDROID_KEY_ALIAS, ANDROID_KEY_PASSWORD). Android upgrade semantics require every subsequent release to be signed with the same keystore — if the key leaks, every installed APK has to be uninstalled before the user can install a re-signed replacement. There is no documented rotation procedure today.
Source
PR #207 ("Follow-ups worth filing"):
Scope
apps/client/README.md and docs/ci.md "Release pipeline":
- keytool -genkey ... flags identical to the original).
- scripts/release/rotate-android-keystore.sh helper (or just a runbook) that walks the maintainer through the rotation in order.
Acceptance criteria
- keytool command and Forgejo secrets to update.
- signing-key-fingerprint.txt artifact (or release-page note) records the fingerprint each release was signed with, so an installed user can verify a planned rotation is legitimate.
Out of scope
- idea.md doesn't commit Carol to the Play Store).
- idea.md).
Composes with