Signing and trust
Understand the three-key chain that proves who published a native app and lets the car verify every APK offline before installing.
Native apps move signed bytes from your machine to a car you never touch. Three independent keys guard that path. Each proves one thing, and the car checks all of them offline before it ever shows the install dialog.
The three keys
K1 — developer SSH attestation
Your SSH key signs a canonical manifest of the exact artifact at publish time. The manifest covers the package id, versionCode, versionName, the APK sha256, its size, and the signerSha256. This proves that you uploaded these exact bytes.
The SSH key is the one CLI credential: it logs you in and it attests every artifact. Register your key and sign in first — see SSH-key login.
K2 — Android signer TOFU pin
The SHA-256 of your APK signing certificate is pinned on the first publish of a package and is immutable after that. A later version signed by a different certificate is rejected. This is the anti-repackage backstop, the same model as a Play upload key.
You declare this hash as signerSha256 in apk.json. See apk.json reference for how to read it from your APK.
K3 — platform release envelope
When an admin approves your release, the platform mints an Ed25519-signed envelope over the release manifest: apkSha256, apkSignerSha256, exp, packageName, and versionCode. The car verifies this envelope offline against a pinned platform public key before installing. You do nothing for K3 — it is minted on approval.
What you must do
Register your SSH key and sign in per SSH-key login. This is K1.
Sign your APK with a release keystore and put its certificate SHA-256 in signerSha256. Use the same keystore for every future version of the package — a different signer is rejected by K2.
If your SSH key is not the default ~/.ssh/id_ed25519, pass --key (and --passphrase if the key has one) on publish.
i99dash apk publish --key ~/.ssh/id_publish --passphrase YOUR_PASSPHRASE
Keep the same Android signing keystore forever. Losing it means you can never ship another version of that package id, because K2 rejects a new certificate.
What the car checks before installing
The car runs every check offline before the owner sees the Android install dialog. Any failure blocks the install — the model is fail-closed.
- Verify the K3 Ed25519 envelope against the pinned platform public key.
- Re-hash the APK and match its sha256 against the envelope.
- Match the APK signer SHA against the pinned apkSignerSha256.
- Confirm the versionCode is not a downgrade.
- Confirm the package is not revoked.
A revoked app or a suspended publisher is pulled from the catalog and refused. See Distribution for the revocation lifecycle.
This chain is supply-chain integrity — verify the right bytes before install. It is not code secrecy, and it does not hide or obfuscate your app's code.