Android Reproducible Builds & Signing Key Changes
Jason A. Donenfeld
Jason at zx2c4.com
Tue Apr 11 10:27:21 UTC 2023
The WireGuard Android app can now be reproducibly built, so that its contents
can be publicly verified. The F-Droid project now does this verification, by
comparing their build of WireGuard to the build that the WireGuard project
publishes. When they match, the new version becomes available. This is very
As part of this development, we're taking the opportunity to unify the signing
keys used for WireGuard builds by F-Droid, the Google Play Store, and
elsewhere. Previously, F-Droid would release builds using their own signing
key, and the Google Play Store would release builds using yet a different
signing key. Moving forward, both F-Droid and the Google Play Store will
release builds using the same signing key that the WireGuard project uses.
(That signing key is held in an HSM, details for which I dumped here.)
This means that it will be trivial to switch between F-Droid and the Google
Play Store as a source for downloading WireGuard, as well as for receiving
APKs directly from the WireGuard project, should we ever move to provide that.
It will also let the app be bundled with ROMs more easily and still be
updatable through any channel. And because the builds are reproducible,
interested parties will be able to verify that they're receiving the same code
from all places.
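The verification the announcement describes, comparing a third party's build against the build the project publishes, comes down to checking that two APKs contain the same code even though each carries a different signature. The script below is an added illustration for this post; it is not F-Droid's verification tooling and not WireGuard project code. It hashes every zip entry of two APKs except the JAR-style signature files under META-INF/ (the v2/v3 APK Signing Block is not a zip entry, so it is never compared) and reports which entries differ. The two "APKs" are constructed in memory so that the script runs offline; real ones would be read from disk.

```python
"""Compare two APKs entry by entry, ignoring signing material, to check that
they were built from the same code.

Added illustration for the WireGuard reproducible-builds announcement: not
F-Droid's tooling and not WireGuard project code. The APKs below are constructed
in memory (minimal zips standing in for real packages) so the script runs offline.
"""
import hashlib
import io
import zipfile


def is_signature_entry(name):
    """JAR (v1) signature files live under META-INF/. The APK Signing Block used by
    v2/v3 signatures sits outside the zip entries, so it never shows up here."""
    n = name.upper()
    return n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF"))


def entry_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(apk_a, apk_b):
    """Return a sorted list of (entry, status) for every entry that differs.
    status is 'only in A', 'only in B' or 'content differs'; an empty list means
    the two packages carry identical code."""
    a, b = entry_digests(apk_a), entry_digests(apk_b)
    diffs = []
    for name in sorted(set(a) | set(b)):
        if name not in b:
            diffs.append((name, "only in A"))
        elif name not in a:
            diffs.append((name, "only in B"))
        elif a[name] != b[name]:
            diffs.append((name, "content differs"))
    return diffs


def build_apk(entries):
    """Construct a minimal zip (stand-in for an APK) from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: identical app content, each signed under a different key,
# plus one whose code was altered. None of these bytes come from a real APK.
COMMON = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00constructed"}
UPSTREAM_APK = build_apk({**COMMON, "META-INF/CERT.RSA": b"upstream-sig",
                          "META-INF/CERT.SF": b"sf-1", "META-INF/MANIFEST.MF": b"mf-1"})
FDROID_APK = build_apk({**COMMON, "META-INF/FDROID.RSA": b"fdroid-sig",
                        "META-INF/FDROID.SF": b"sf-2", "META-INF/MANIFEST.MF": b"mf-2"})
TAMPERED_APK = build_apk({**COMMON, "classes.dex": b"something else",
                          "META-INF/CERT.RSA": b"any-sig"})

if __name__ == "__main__":
    for label, other in (("F-Droid build", FDROID_APK), ("tampered build", TAMPERED_APK)):
        diffs = compare_apks(UPSTREAM_APK, other)
        print(label, "matches upstream" if not diffs else diffs)
```

Entry-level hashing is deliberately more forgiving than a byte-for-byte comparison: it tolerates differences in zip metadata such as entry order, timestamps and compression level, which a strict reproducibility check would not. It is enough to answer the question the announcement raises, namely whether two distribution channels ship the same code under different signatures, and to pinpoint the entry that differs when they do not.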
However, since the signing key is changing from the respective app store keys
to the WireGuard project key, a subset of users will need to remove and
re-install the app using this basic procedure:
1. ⋮ -> Export tunnels to zip file.
2. Uninstall the WireGuard app entirely.
3. Reinstall the WireGuard app from the Google Play Store or F-Droid.
* Be sure to install version ≥ 1.0.20230405.
4. + -> Import from file or archive -> Downloads/wireguard-export.zip
5. File Manager -> delete Downloads/wireguard-export.zip
But most users do not need to do this. Specifically:
- Google Play Store users who do not care about interoperability with
F-Droid or other app sources do *not* need to carry out the above steps, as
the Google Play Store will continue serving updates using the old key.
- All F-Droid users (and users of alternative Google Play Store frontends,
such as Aurora) with WireGuard below version 1.0.20230405 *must* carry out
the above in order to continue receiving updates from anywhere.
Hopefully this is relatively straightforward and not too much of an
inconvenience for those who care. I assume that F-Droid users are in general a
more technical crowd, and should be able to manage. Please let me know if you
have any questions or concerns.
 Old F-Droid signing key: d2ccbdf13c52e8905b02d9770dabae0b9d76ecdfe7533814134273ba959e2d3f
 Old Play Store signing key: 79758d2ae9cd8b9107c0f6e67ff9ff02d255f9191c5e83202129ec081b4960fd
 New WireGuard Project signing key: 84a13fa2c4e0064b0c11654b8a86574b7a9b9352a3834cee32455b061c3d4127
 YubiHSM APK signing details: https://github.com/Yubico/yubihsm-shell/issues/329
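To find out which of the three keys listed above signed the WireGuard APK on a device, and therefore whether the export/uninstall/reinstall procedure applies, a practitioner can pull the APK and inspect its signing certificate with the Android SDK's apksigner (`apksigner verify --print-certs`), whose output includes a "certificate SHA-256 digest" line. The script below is an added example for this post, not WireGuard project code. It parses that line, matches the digest against the three fingerprints from the announcement and applies the announcement's rules for Play Store and F-Droid/Aurora users; the apksigner output embedded in it is constructed to show the format, and `check_apk` assumes apksigner is on PATH.

```python
"""Identify which key signed a WireGuard Android APK and decide whether the
reinstall procedure from the signing-key announcement applies.

Added example for this post, not WireGuard project code. The three fingerprints
are the ones listed in the announcement; the apksigner output below is a
constructed sample showing the format of `apksigner verify --print-certs`.
"""
import re
import subprocess

# SHA-256 digests of the signing certificates, as listed in the announcement.
OLD_FDROID_KEY = "d2ccbdf13c52e8905b02d9770dabae0b9d76ecdfe7533814134273ba959e2d3f"
OLD_PLAY_KEY = "79758d2ae9cd8b9107c0f6e67ff9ff02d255f9191c5e83202129ec081b4960fd"
NEW_PROJECT_KEY = "84a13fa2c4e0064b0c11654b8a86574b7a9b9352a3834cee32455b061c3d4127"
KNOWN_KEYS = {
    OLD_FDROID_KEY: "old F-Droid signing key",
    OLD_PLAY_KEY: "old Google Play Store signing key",
    NEW_PROJECT_KEY: "new WireGuard project signing key",
}
MIN_UNIFIED_VERSION = (1, 0, 20230405)  # first version signed with the project key

# Constructed sample output (placeholder DN and SHA-1; only the SHA-256 line matters).
SAMPLE_APKSIGNER_OUTPUT = f"""Signer #1 certificate DN: CN=placeholder
Signer #1 certificate SHA-256 digest: {OLD_FDROID_KEY}
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000
"""


def normalize_fingerprint(fp):
    """Accept 'AB:CD:...' or 'abcd...' and return lowercase hex without separators."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint_from_apksigner(output):
    """Pull the signer certificate SHA-256 digest out of apksigner output, or None."""
    m = re.search(r"certificate SHA-256 digest:\s*([0-9a-fA-F:]+)", output)
    return normalize_fingerprint(m.group(1)) if m else None


def classify_key(fp):
    return KNOWN_KEYS.get(normalize_fingerprint(fp), "unknown key (not one listed in the announcement)")


def parse_version(version_name):
    """'1.0.20230405' -> (1, 0, 20230405), so tuples compare numerically."""
    return tuple(int(part) for part in version_name.split("."))


def needs_reinstall(fp, version_name, source):
    """Apply the announcement's rules. source is 'play' for the Google Play Store or
    'fdroid' for F-Droid and alternative Play frontends such as Aurora.
    Returns (must_reinstall, reason)."""
    key = classify_key(fp)
    if key == "new WireGuard project signing key":
        return False, "already signed with the unified project key"
    if source == "play":
        return False, "Play Store keeps serving updates under the old key; reinstall only for F-Droid interoperability"
    if parse_version(version_name) < MIN_UNIFIED_VERSION:
        return True, "F-Droid/Aurora users below 1.0.20230405 must export, uninstall, reinstall, then import"
    return False, "version is already at or above 1.0.20230405"


def check_apk(apk_path):
    """Run apksigner on a real APK (assumes apksigner from the SDK build-tools is on PATH)."""
    out = subprocess.run(["apksigner", "verify", "--print-certs", apk_path],
                         capture_output=True, text=True, check=True).stdout
    return classify_key(fingerprint_from_apksigner(out) or "")


if __name__ == "__main__":
    fp = fingerprint_from_apksigner(SAMPLE_APKSIGNER_OUTPUT)
    print(classify_key(fp), needs_reinstall(fp, "1.0.20230101", "fdroid"))
```

The version string "1.0.20230101" in the usage line is a hypothetical older version used only to exercise the comparison. On a device, the APK can be located with `adb shell pm path com.wireguard.android` and copied out with `adb pull` before running `check_apk` on it.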