AndroidSystemKeyMigration¶

Background information¶

The releases are currently signed by the individual developers with their personal gpg keys. During the installation procedure, the people installing the images are very strongly advised to check that kind of signatures. This makes sure that the images that are being installed were really made by the developers that signed them, and that they weren't modified since them. This takes care of the security while installing Replicant releases.

When installing Android applications, there is also a similar system in place, where people or organizations building applications sign their applications. When upgrading an application to a newer version, the signature is checked, and if it matches, the new application version can replace the old version and access the data of the previous application version.

Because of that, when building a Replicant release, we have to generate keys to sign the applications that we build and bundle in the Replicant images. This includes applications like the SMS application, the dialer, the launcher, etc.