I think the following design would address reasonable security concerns while automating the process.
- The build server maintains internet access as currently designed.
- The build server uploads built file to the signing server over rsync (or a similar protocol) to an incoming queue. The signing server sits behind a firewall that only allows rsync connections from the build server.
- The signing server automatically signs all APKs that come into the signing queue and places the signed versions in an outbound queue.
- The build server retrieves the signed APKs from the signing server via rsync and publishes to the repository.
If the build server is compromised, this could result in the signing and publishing of compromised APKs. However, that is exactly what would happen with the current design as the output APKs of the build server are not currently manually analyzed to detect compromises.
If someone were to compromise the build server it would be extremely unlikely they could exfiltrate the signing key from the signing server as the only access they have is write permissions to the incoming APK queue and read/write permissions to the outgoing APK queue. This is very close to the level of access the build server already has as it can write to whatever media is used to transfer files to the air-gapped machine and read files from the media that is used to bring them back. Barring a bug in rsync that would grant full remote root access, this ends up providing the same level of protection and can be fully automated.
