The official microG OS project (https://lineage.microg.org/) leaked their private keys for logging into their servers and signing releases:

https://github.com/lineageos4microg/l4m-wiki/wiki/December-2025-security-issues

We make our official builds on local machines. Our signing machine's keys aren't ever on any storage unencrypted.

Our roadmap for improving the security of verifying updates is based on taking advantage of reproducible builds. We plan to have multiple official build locations and a configurable signoff verification system in the update clients, also usable with third-party signoff providers.

@GrapheneOS

Hi,

This is a new account, so I wasn’t sure where to ask this.

I noticed the NFC APK signing key was only recently added to the build scripts (a7b69d9). From what I understand, it was previously signed with the AOSP public test key.

Since those keys are publicly available, wouldn’t that be a security issue for a system component like NFC?

Was this communicated, or did I miss it? Also, should we update ASAP?

https://github.com/GrapheneOS/script/commit/a7b69d9

https://github.com/GrapheneOS/grapheneos.org/commit/ecc26ba

Thanks.

add missing nfc signing key · GrapheneOS/script@a7b69d9

@Occasion_Antique GrapheneOS blocks system app updates not done via OS updates or App Store. Android has a recent protection which stops this from being a serious issue itself too.

Handling the changes adding new keys for signing components within APEX modules was included in the release notes for 2026021200 and documented on the build page:

https://grapheneos.org/releases#2026021200

> update release signing to handle AOSP APEX changes

We also made changes to prevent further added keys in AOSP regressing it.

@GrapheneOS

Also I saw the release notes, but the NFC signing change isn’t mentioned specifically. Is there a reason it wasn’t listed?

Thanks

@Occasion_Antique That's one part of the change we listed. We determined it wasn't a serious issue and couldn't think of any relevant attack vector beyond a minor reduction in our added verified boot security. There are other cases where our added security features were found to have holes in them which we resolved. There's a fix for one of them in the latest release via closing an upstream hole in the INTERNET permission which impacts Network.

The NFC app is not the more privileged NFC code.

@Occasion_Antique There are Critical and High severity issues being fixed upstream on a regular basis. We also often have to patch issues we find in the AOSP code ourselves.

The NFC APEX itself was properly signed already prior to this. This was about a specific APK inside of the NFC APEX which they started signing with a new key. The way the signing scripts work doesn't result in them failing if more keys get added but not replaced, which is something we've addressed for them now.
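The failure mode described in the thread is a signing pipeline that keeps going when AOSP introduces a key it has no release replacement for. The check below is an added example, not GrapheneOS's own scripts: it reads the `META/apkcerts.txt` that the AOSP build writes, and fails closed when any APK's certificate still points into the AOSP public test-key directory without a matching release key. The sample file contents and the release key set are constructed.

```python
import re
from pathlib import PurePosixPath

# Directory holding the publicly available AOSP test keys. An artifact whose
# certificate still points here has not been re-signed with a release key.
AOSP_TEST_KEY_DIR = "build/make/target/product/security"

# Constructed sample in the META/apkcerts.txt format produced by the AOSP build.
# A module signed with a key new to AOSP (here "nfc") appears without a release key.
SAMPLE_APKCERTS = '''\
name="Settings.apk" certificate="build/make/target/product/security/platform.x509.pem" private_key="build/make/target/product/security/platform.pk8" partition="system"
name="NfcNci.apk" certificate="build/make/target/product/security/nfc.x509.pem" private_key="build/make/target/product/security/nfc.pk8" partition="system"
name="Chromium.apk" certificate="PRESIGNED" private_key="" partition="product"
'''

# Release keys the signing machine actually holds (basenames; constructed set).
RELEASE_KEYS = {"releasekey", "platform", "shared", "media", "networkstack"}

_FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse_apkcerts(text):
    """Yield one dict of field -> value per non-empty apkcerts.txt line."""
    for line in text.splitlines():
        if line.strip():
            yield dict(_FIELD.findall(line))

def unmapped_keys(apkcerts_text, release_keys, test_key_dir=AOSP_TEST_KEY_DIR):
    """Return {apk_name: key_name} for APKs still on an AOSP test key that has
    no replacement in release_keys. PRESIGNED entries are not re-signed by the
    build and are skipped."""
    missing = {}
    for entry in parse_apkcerts(apkcerts_text):
        cert = entry.get("certificate", "")
        if not cert or cert == "PRESIGNED":
            continue
        path = PurePosixPath(cert)
        key_name = path.name.removesuffix(".x509.pem")
        if str(path.parent) == test_key_dir and key_name not in release_keys:
            missing[entry["name"]] = key_name
    return missing

def check_release_keys(apkcerts_text, release_keys):
    """Fail closed: raise rather than silently ship a test-key-signed APK."""
    missing = unmapped_keys(apkcerts_text, release_keys)
    if missing:
        detail = ", ".join(f"{apk} -> {key}" for apk, key in sorted(missing.items()))
        raise RuntimeError(f"AOSP test keys with no release replacement: {detail}")
    return True
```

Run before the signing step; adding `nfc` to the release key set clears the error, while any further key AOSP adds later will fail the build again until a replacement is generated.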