oasisprotocol · lukaw3d · Jan 6, 2026 · Dec 4, 2025 · Dec 4, 2025
diff --git a/.changelog/2242.trivial.md b/.changelog/2242.trivial.md
@@ -0,0 +1 @@
+Add a security note about signing apks in CI
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
@@ -70,22 +70,22 @@ jobs:
         if: github.event_name == 'push'
         run: ./gradlew assembleRelease -PversionCodeOverride=${{ steps.vars.outputs.VERSION_CODE_OVERRIDE }}
         working-directory: android
-      - name: Decode and Save Keystore File
-        if: github.event_name == 'push'
-        run: |
-          echo "${{ secrets.KEYSTORE_FILE }}" | base64 --decode > "android/release.jks"
-      - name: Sign AAB using jarsigner
-        if: github.event_name == 'push'
-        run: |
-          jarsigner -verbose -keystore "android/release.jks" -storepass "${{ secrets.KEYSTORE_PASSWORD }}" -keypass "${{ secrets.KEYSTORE_PASSWORD }}" -signedjar "android/app/build/outputs/bundle/release/app-release-signed.aab" "android/app/build/outputs/bundle/release/app-release.aab" "${{ secrets.KEY_ALIAS }}"
       # Targeting version 30 and above we need to align the APK so that all uncompressed data starts on a 4-byte boundary
       - name: Zipalign APK
         if: github.event_name == 'push'
         run: |
           "$ANDROID_SDK_ROOT/build-tools/35.0.0/zipalign" -v 4 "android/app/build/outputs/apk/release/app-release-unsigned.apk" "android/app/build/outputs/apk/release/app-release-aligned.apk"
-      - name: Sign APK using apksigner
+      - name: Decode and Save Keystore File
+        if: github.event_name == 'push'
+        run: |
+          echo "${{ secrets.KEYSTORE_FILE }}" | base64 --decode > "android/release.jks"
+      - name: Sign AAB and APK
+        # Security: should not sign apks on unmerged pullrequest. Otherwise someone
+        # could sign a malicious app and distribute it with our valid signature (though
+        # outside playstore).
         if: github.event_name == 'push'
         run: |
+          jarsigner -verbose -keystore "android/release.jks" -storepass "${{ secrets.KEYSTORE_PASSWORD }}" -keypass "${{ secrets.KEYSTORE_PASSWORD }}" -signedjar "android/app/build/outputs/bundle/release/app-release-signed.aab" "android/app/build/outputs/bundle/release/app-release.aab" "${{ secrets.KEY_ALIAS }}"
           "$ANDROID_SDK_ROOT/build-tools/35.0.0/apksigner" sign --ks "android/release.jks" --ks-pass "pass:${{ secrets.KEYSTORE_PASSWORD }}" --key-pass "pass:${{ secrets.KEYSTORE_PASSWORD }}" --ks-key-alias "${{ secrets.KEY_ALIAS }}" "android/app/build/outputs/apk/release/app-release-aligned.apk"
       - name: Upload Android AAB build artifacts
         if: github.event_name == 'push'