Release and Signing

aaalllexxx edited this page Jun 29, 2026 · 1 revision

Android refuses to install an unsigned release APK, so ENPAF always signs release builds. You have three options, in order of control:

  1. Auto-generated keystore (zero config) — good for testing/personal use.
  2. signing block in enpaf.json — a stable key you control.
  3. --keystore flag — point at any keystore at build time.

1. Auto-generated keystore (default)

paf build apk --release

If you provide no signing config, ENPAF creates a self-signed RSA keystore at:

~/.enpaf/keystores/<package>.jks

with defaults: store password enpaf123, key alias enpaf, validity 10000 days. The same file is reused on subsequent builds, so updates stay install-compatible — as long as you keep that file.

⚠️ The auto keystore lives only on your machine and uses a known default password. It's fine for testing, but for anything you'll update over time or distribute, create your own keystore (below) and back it up. If you lose the signing key, you can't ship updates to the same app id.

2. Stable key via enpaf.json

Create a keystore once:

keytool -genkeypair -v -keystore release.jks \
  -alias myapp -keyalg RSA -keysize 2048 -validity 10000 \
  -storepass "STOREPASS" -keypass "KEYPASS" \
  -dname "CN=My App, OU=Eng, O=Acme, C=US"

Reference it in enpaf.json:

{
  "signing": {
    "keystore": "release.jks",
    "store_password": "STOREPASS",
    "key_alias": "myapp",
    "key_password": "KEYPASS"
  }
}

Then:

paf build apk --release

Don't commit real passwords or the keystore to a public repo. Keep release.jks and secrets out of version control (add them to .gitignore), or pass the keystore path at build time (next section).

3. --keystore at build time

paf build apk --release --keystore /secure/path/release.jks

This overrides the keystore path set in enpaf.json. Passwords and alias still come from the signing block (or the defaults if absent).

Publishing a release

The repository automates framework releases with GitHub Actions: pushing a version tag builds the wheel/sdist and attaches them to a GitHub Release.

git tag v1.2.0
git push origin v1.2.0

For app APKs (which aren't built in CI), build locally and attach them to the release — for example with the gh CLI:

paf build apk --release
gh release create v1.2.0 \
  dist/myapp-1.2.0.apk \
  --title "My App 1.2.0" --notes "Release notes here"

See Testing & CI for the release workflow details.

Checklist for a distributable release

  • version bumped in enpaf.json.
  • A stable keystore (not the throwaway auto one), backed up safely.
  • paf build apk --release succeeds; APK in dist/.
  • Installed and smoke-tested on a real device.
  • APK attached to a GitHub Release (source stays in the repo; binaries in Releases).
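
A pre-release check for the signing risks this page names (the throwaway auto keystore, the known default password, a keystore or plaintext passwords left where they can be committed), as an added example that is not part of ENPAF. `audit_signing`, the finding labels and the simplified `.gitignore` matching are hypothetical, and resolving a relative keystore path against the project directory is an assumption.

```python
import fnmatch
import json
import tempfile
from pathlib import Path

# Defaults of the auto-generated keystore, as documented on this page.
DEFAULT_STORE_PASSWORD = "enpaf123"
AUTO_KEYSTORE_DIR = Path.home() / ".enpaf" / "keystores"


def _ignored(rel_path, root):
    """Approximate .gitignore match: top-level file only, no negation rules."""
    gitignore = root / ".gitignore"
    text = gitignore.read_text() if gitignore.is_file() else ""
    rules = [r.strip().strip("/") for r in text.splitlines()]
    rules = [r for r in rules if r and not r.startswith(("#", "!"))]
    name = Path(rel_path).name
    return any(fnmatch.fnmatch(rel_path, r) or fnmatch.fnmatch(name, r) for r in rules)


def audit_signing(project_dir, keystore_override=None):
    """Return findings for the signing setup read from <project_dir>/enpaf.json."""
    root = Path(project_dir).resolve()
    signing = json.loads((root / "enpaf.json").read_text()).get("signing") or {}
    findings = []
    keystore = keystore_override or signing.get("keystore")  # --keystore wins
    if not keystore:
        findings.append("auto-keystore: none configured, the throwaway key is used")
    else:
        ks = Path(keystore).expanduser()
        # Assumption: relative paths are resolved against the project directory.
        ks = (ks if ks.is_absolute() else root / ks).resolve()
        if AUTO_KEYSTORE_DIR.resolve() in ks.parents:
            findings.append("auto-keystore: keystore is under ~/.enpaf/keystores")
        if root in ks.parents and not _ignored(ks.relative_to(root).as_posix(), root):
            findings.append(f"tracked-keystore: {ks.name} is not in .gitignore")
    if signing.get("store_password", DEFAULT_STORE_PASSWORD) == DEFAULT_STORE_PASSWORD:
        findings.append("default-password: store password is the known default")
    has_secret = signing.get("store_password") or signing.get("key_password")
    if has_secret and not _ignored("enpaf.json", root):
        findings.append("plaintext-secret: enpaf.json has passwords, not in .gitignore")
    return findings


def demo():
    """Audit a constructed project that uses this page's sample signing block."""
    with tempfile.TemporaryDirectory() as d:
        cfg = {"signing": {"keystore": "release.jks", "store_password": "STOREPASS",
                           "key_alias": "myapp", "key_password": "KEYPASS"}}
        Path(d, "enpaf.json").write_text(json.dumps(cfg))
        return audit_signing(d)
```

An empty list means none of these checks fired; it does not confirm that the keystore is backed up.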
