Keystore in repository

Open kreativmonkey opened this issue 4 years ago • 2 comments

The debug-keystore is public, which means that everyone can generate and sign the app

kreativmonkey avatar Apr 19 '20 19:04 kreativmonkey

The current implementation of the build pipeline only uses the debug keystore (android/app/debug.keystore), which was generated during the initial project setup. This was done as a quick solution to generate an APK for testing purposes. Right now, the APK is only published as a GitHub release, but not on Google Play/F-Droid/etc. We do not need to protect anything with a release keystore at the moment. However, we need to address this before publishing a real release:

  1. We need to figure out first how to manage secrets like a private release signing key in general while maintaining transparency. A possible solution: The fastlane project recommends the concept of a private codesigning repository for storing those keys.

  2. We need to check whether publishing to a store actually requires our build pipeline to do the code signing. There are other solutions that delegate code signing to the publishing platform.

  3. If we need a release keystore, we need to integrate it into the build pipeline. This can be done by changing the hardcoded environment variables named ANDROID_KEYSTORE_* (e.g. mapping it to a GitHub secret) and downloading/mounting the keystore file into the filesystem of the build job.

joernb avatar Apr 19 '20 22:04 joernb
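Step 3 of the comment above (mapping the keystore to a CI secret and restoring the file inside the build job) and the issue's original point (an APK signed with the public debug key must never be published) can both be scripted. The following is an added example, not code from the ito-app project or from any of the commenters. It assumes a secret named `KEYSTORE_BASE64` holding the base64-encoded keystore file, and it uses `ANDROID_KEYSTORE_PATH` as a stand-in for whichever of the project's `ANDROID_KEYSTORE_*` variables names the file; both names are hypothetical. The sample `apksigner` output in the comments is constructed.

```shell
#!/bin/sh
# Added example (not ito-app project code): restore a release keystore from a CI
# secret and refuse to release an APK that is signed with the Android debug key.
# Assumptions: $KEYSTORE_BASE64 holds the base64-encoded keystore file, and
# ANDROID_KEYSTORE_PATH is a hypothetical name for the project's ANDROID_KEYSTORE_*
# variable that points at the keystore file.
set -eu

# Decode the keystore secret into a file readable only by the build user.
# Usage: restore_keystore <destination-path>   (reads $KEYSTORE_BASE64)
restore_keystore() {
    dest="$1"
    [ -n "${KEYSTORE_BASE64:-}" ] || { echo "KEYSTORE_BASE64 is not set" >&2; return 1; }
    umask 077
    printf '%s' "$KEYSTORE_BASE64" | base64 --decode > "$dest"
    # A truncated or empty secret must fail the job rather than yield an unsigned build.
    [ -s "$dest" ] || { echo "decoded keystore is empty" >&2; rm -f "$dest"; return 1; }
    export ANDROID_KEYSTORE_PATH="$dest"
}

# Distinguished name of the key that every Android SDK debug keystore contains.
DEBUG_DN='CN=Android Debug, O=Android, C=US'

# Return 0 (true) when the given `apksigner verify --print-certs` output shows a
# signer using the debug certificate. Usage: is_debug_signed "$certs_output"
# Constructed sample line: "Signer #1 certificate DN: CN=Android Debug, O=Android, C=US"
is_debug_signed() {
    printf '%s\n' "$1" | grep -F "certificate DN: $DEBUG_DN" >/dev/null
}

# Release gate: fail when the APK at $1 is debug-signed. Needs apksigner on PATH.
check_release_apk() {
    certs=$(apksigner verify --print-certs "$1")
    if is_debug_signed "$certs"; then
        echo "refusing to release $1: signed with the public debug key" >&2
        return 1
    fi
    echo "$1 is not debug-signed"
}
```

Run `restore_keystore` before the Gradle signing step and `check_release_apk` on the built artifact before any upload step, so a misconfigured pipeline that silently falls back to `android/app/debug.keystore` fails the job instead of publishing.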

For the sake of simplicity, I think we should go with the solution that does not utilize an additional tool, if possible. The second mentioned option seems to be the recommended one. If I understand the documentation correctly, one has to create an upload key just once in Android Studio and add it as a secret to this repository. Afterwards, it can be used to publish the first and any subsequent releases of the app. Also, there are GitHub Actions which utilize the Play Store API to upload an APK to the store.

assert-not-singularity avatar Apr 20 '20 21:04 assert-not-singularity