GrapheneOSMar 6

The official microG OS project (https://lineage.microg.org/) leaked their private keys for logging into their servers and signing releases:

https://github.com/lineageos4microg/l4m-wiki/wiki/December-2025-security-issues

We make our official builds on local machines. Our signing machine's keys aren't ever on any storage unencrypted.

LineageOS for microG

LineageOS for microG website.

LineageOS for microG
Show threadGrapheneOSMar 6
Our roadmap for improving security of verifying updates is based on taking advantage of the reproducible builds. We plan to have multiple official build locations and a configurable signoff verification system in the update clients also usable with third party signoff providers.
Show threadFazal Majid
@GrapheneOS so are you building on diversified machines in multiple jurisdictions and enforcing a quorum to release?
Mar 6 at 9:54pmWeb