| author | Jonatan Rhodin <jonatan.rhodin@mullvad.net> | 2026-04-07 14:58:16 +0200 |
|---|---|---|
| committer | Jonatan Rhodin <jonatan.rhodin@mullvad.net> | 2026-04-10 09:55:13 +0200 |
| commit | d485c9f6d62fb3f131d2787f944c7a386747de01 (patch) | |
| tree | 78295f3c4b575200ee5118e7cb970b63030b5e89 | |
| parent | ceaaa74a61fea55c59402692701dfeea7c37817f (diff) | |
| download | mullvadvpn-sign-with-hardware-key-container.tar.xz mullvadvpn-sign-with-hardware-key-container.zip | |
Sign android releases with hardware key in containersign-with-hardware-key-container
| -rwxr-xr-x | building/container-run.sh | 1 | ||||
| -rwxr-xr-x | ci/android/build-server/sign.sh | 2 | ||||
| -rw-r--r-- | ci/android/build-server/signing/99-android-jks-signing-key.rules | 18 |
3 files changed, 20 insertions, 1 deletions
diff --git a/building/container-run.sh b/building/container-run.sh
index ce923f8942..c5136f4455 100755
--- a/building/container-run.sh
+++ b/building/container-run.sh
@@ -16,6 +16,7 @@ CARGO_REGISTRY_VOLUME_NAME=${CARGO_REGISTRY_VOLUME_NAME:-"cargo-registry"}
 GRADLE_CACHE_VOLUME_NAME=${GRADLE_CACHE_VOLUME_NAME:-"gradle-cache"}
 CONTAINER_RUNNER=${CONTAINER_RUNNER:-"podman"}
 PLAY_CREDENTIALS_PATH=${PLAY_CREDENTIALS_PATH:-""}
+KEYSTORE_SIGNING_KEY_PATH=${KEYSTORE_SIGNING_KEY_PATH:-""}
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 REPO_DIR="$( cd "$SCRIPT_DIR/.." && pwd )"
diff --git a/ci/android/build-server/sign.sh b/ci/android/build-server/sign.sh
index e157d7c1ff..389dba0018 100755
--- a/ci/android/build-server/sign.sh
+++ b/ci/android/build-server/sign.sh
@@ -30,7 +30,7 @@ function main {
 function sign_artifact {
 local artifact_file="$1"
- $APKSIGNER_CMD -J-add-exports="jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED" sign \
+ "$APKSIGNER_CMD" -J-add-exports="jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED" sign \
 --ks NONE --ks-type PKCS11 --ks-key-alias "$KEY_ALIAS" \
 --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg "$PROVIDER_ARG" \
 --min-sdk-version "$MIN_SDK_VERSION" --v4-signing-enabled false \
diff --git a/ci/android/build-server/signing/99-android-jks-signing-key.rules b/ci/android/build-server/signing/99-android-jks-signing-key.rules
new file mode 100644
index 0000000000..27e10dcdb5
--- /dev/null
+++ b/ci/android/build-server/signing/99-android-jks-signing-key.rules
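Review bot: The added `KEYSTORE_SIGNING_KEY_PATH=${KEYSTORE_SIGNING_KEY_PATH:-""}` is the only change to building/container-run.sh in this commit (the diffstat shows one insertion), so nothing in the diff reads it; it is either dead or consumed by code outside the hunk, which I cannot see from here. If it is meant to be forwarded into the container the way `PLAY_CREDENTIALS_PATH` presumably is, that wiring belongs in the same commit; if it is intentionally a placeholder, say so at the definition, e.g. `# Host path of the hardware signing key device; empty means no key is forwarded — TODO confirm consumer`. Either way the contract for an empty value (skip forwarding vs. error) should be documented next to the default.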
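Review bot: Quoting `"$APKSIGNER_CMD"` on the changed line stops word-splitting of a path containing spaces, but it also changes the contract of the variable: a value such as a wrapper command followed by flags would previously have been split into argv and now fails as a single not-found command. If that flexibility is needed, hold it as an array and expand with `"${APKSIGNER_CMD[@]}"`; if not, a comment at the definition, `# APKSIGNER_CMD must be a single executable path, not a command line`, pins the new expectation. `sign_artifact` continues past the end of the hunk (the invocation ends in a line continuation), and `function main {` at the hunk header is only git's function context.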
@@ -0,0 +1,18 @@
+# This rules allows forwarding the physical key into a container, by setting
+# the correct permissions and telling PCSC to ignore it.
+#
+# Filters on yubikeys only
+# ATTR{idVendor}=="1050", ATTR{idProduct}=="0407"
+#
+# Specifies the physical USB port where the yubikey is plugged in.
+# KERNAL=="5-2
+#
+# Set the ACL for the device so the build user can access the device.
+# RUN+="/usr/bin/setfacl -m u:build:rw /dev/$name"
+#
+# Make PCSC on the host ignore this yubikey, https://blog.apdu.fr/posts/2025/04/ignore-readers-using-pcsclite_ignore-udev-property/
+# ENV{PCSCLITE_IGNORE}="1"
+#
+# Create a symlink so we more easily can access the device from publish script
+# SYMLINK+="android-jks-signing-key"
+ACTION!="remove|unbind", SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0407", KERNEL=="5-2", RUN+="/usr/bin/setfacl -m u:build:rw /dev/$name", ENV{PCSCLITE_IGNORE}="1" SYMLINK+="android-jks-signing-key" |
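Review bot: In the active rule on the last line, `RUN+="/usr/bin/setfacl -m u:build:rw /dev/$name"` uses udev's `$name`, which substitutes the kernel device name — for this match the port name selected by `KERNEL=="5-2"` — rather than the device node under /dev/bus/usb/, so as far as I can tell `/dev/5-2` does not exist, setfacl fails, and the failure is only visible in the udev log while the build user silently lacks access; `$devnode` is the substitution for the node path, so `RUN+="/usr/bin/setfacl -m u:build:rw $devnode"` matches what the comment describes (please verify on the build host). The same line drops the separator before the last assignment; `ENV{PCSCLITE_IGNORE}="1", SYMLINK+="android-jks-signing-key"` keeps it consistent with the rest of the rule regardless of whether the parser tolerates the omission. In the header comments `KERNAL=="5-2` should read `KERNEL=="5-2"` so the documented fragment matches the live rule, and the opening sentence reads better as `# This rule allows forwarding the physical key into a container by setting`.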
