You've read about F-Droid's #reproducibleBuilds recently? Now, the #IzzySoftRepo repo makes use of that implementation. How, you ask?
Well: part of the process is to compare APKs and make sure they carry the signature of their authors. That's done by fdroidserver whenever the YAML file of an app has "AllowedAPKSigningKeys:" defined. APKs with non-matching signatures are rejected. That's used by my repo now to make sure updates are "legit" (and not placed in the repo by a malicious actor). (1/4)
So whenever my updater fetches an APK from its Codeberg/GitLab/Github/… repo, fdroidserver will now validate it was really signed with the key of the author. If not, it won't be published, but I'd receive an alert by mail to investigate.
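To show what that check boils down to, here is an added example (my illustration, not fdroidserver's or the repo's own code): it reads the per-signer SHA-256 certificate digests from `apksigner verify --print-certs` output and rejects the APK unless every signer is on the app's allow list, the same rule `AllowedAPKSigningKeys:` enforces. The sample output and allow-list below are constructed, and `verify_apk` assumes `apksigner` is on PATH.

```python
import re
import subprocess
from typing import Dict, List

# Per-signer line that `apksigner verify --print-certs` prints.
_DIGEST_RE = re.compile(r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})$")


def normalize(fp: str) -> str:
    """Lower-case hex without colons or spaces, so fingerprints compare reliably."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def parse_apksigner_certs(output: str) -> List[str]:
    """Collect the SHA-256 certificate digest of every signer in the apksigner output."""
    return [normalize(m.group(2))
            for line in output.splitlines()
            if (m := _DIGEST_RE.match(line.strip()))]


def check_allowed(signers: List[str], allowed: List[str]) -> Dict[str, object]:
    """Allow-list rule: every signer certificate must be listed; no signer is a reject too."""
    allowed_set = {normalize(a) for a in allowed}
    unexpected = [s for s in signers if s not in allowed_set]
    ok = bool(signers) and not unexpected
    return {"ok": ok, "signers": signers, "unexpected": unexpected}


def verify_apk(apk_path: str, allowed: List[str]) -> Dict[str, object]:
    """Run apksigner (assumed on PATH) on a real APK and apply the allow-list check."""
    proc = subprocess.run(["apksigner", "verify", "--print-certs", apk_path],
                          capture_output=True, text=True)
    if proc.returncode != 0:  # the signature itself does not verify: reject outright
        return {"ok": False, "signers": [], "unexpected": [], "error": proc.stderr.strip()}
    return check_allowed(parse_apksigner_certs(proc.stdout), allowed)


# Constructed sample of apksigner output (not from any real app).
SAMPLE_OUTPUT = """\
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Number of signers: 1
Signer #1 certificate DN: CN=Example Dev
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
"""

# Constructed allow-list as it would sit under AllowedAPKSigningKeys: in the app's metadata YAML
# (upper-case on purpose, to show the normalization).
ALLOWED = ["0123456789ABCDEF" * 4]

if __name__ == "__main__":
    print(check_allowed(parse_apksigner_certs(SAMPLE_OUTPUT), ALLOWED))
```

A rejected result is exactly the case where the maintainer gets alerted and asks the author what happened to the key.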
So the plus for the authors: I will inform them – and of course ask what happened. Usually it's just that the authors lost their signing keys, which is really bad: it means that you have to uninstall and re-install the app to get the latest version(s)! (2/4)
During the process of updating the metadata, I discovered that 26 of the 1105 apps checked encountered that issue: the signing keys were changed. That makes 2.35% of the apps checked. Not good! Hence: (3/4)
Dear #Android #developers, take good care of your #signing keys! Watch them like your crown jewels! Don't let them get into the wrong hands!
NO! Do NOT upload them to Github/GitLab etc. Have a good (encrypted!) backup of them – not on the disk of your development machine, but elsewhere. So should your machine crash, you'll still have them. Your code is in your repo, your keys are in a safe place – then you and those using your apps are fine! (4/4)
5/4 Update: looks like more devs should read that latest toot of this thread. Since I'm checking #signatures in my repo, there's not a week where not AT LEAST one app comes in with a different #signature. So here's what to specifically be aware of:
* disk crashes (or entire PCs giving up)
* accidentally deleting the directory where the "important stuff" is in
* signing was done by a team member that left
All 3 cases can be covered by good #backups – just sayin'. Off-device, ideally.