FOSS on Mobile

Open-source HSM-based signing for AOSP-based projects with limited resources: Lessons from CalyxOS signing redesign

Securely signing Android releases is a critical process and operation for every AOSP-based project, yet it has lacked comprehensive documentation, especially for building a production-grade, enterprise-level signing infrastructure. This talk presents our experience in designing and implementing a Hardware Security Module (HSM)-based signing solution for CalyxOS that, with limited resources, ensures transparency and operational practicality while upholding security standards widely endorsed by security experts.

We will walk through our process of defining criteria for secure signing operations and redesigning a signing infrastructure. In particular, we will discuss the trade-offs and the path to our technical decisions, including:

* Security and operational pros and cons: Why use an HSM;
* Our criteria for evaluating HSM solutions: Exemplified with the comparison between YubiHSM 2, Nitrokey HSM, Amazon Cloud HSM, and Entrust nShield in open-source standards, cost-effectiveness, and operational practicality;
* PKCS#11 integration challenges: What it is, why it matters for HSM compatibility, and the specific code changes and scripts we made to support it;
* Key ceremony design: The use of Shamir's Secret Sharing (SSS) scheme for recovery and additional backup, and lessons from the provisioning process; and
* Audit logging and cryptographic verification of signing operations.

In addition, this talk invites discussion from participants on experiences in operational security and building trust through transparency and communication. We will focus on how to balance complex Android development needs and overcome challenges with constrained resources and scant systematic documentation. This talk aims to start collaborations on issues such as concurrent multi-device signing, ceremony design, and community-driven criteria across FOSS development teams.

Additional information

Live Stream https://live.fosdem.org/watch/ub4132
Type devroom
Language English
