Do we need to sign APEX files during the build?

[petefoth]

We don't currently sign APEX files during the build. I don't know

1. What the implications are of not signing them
2. Whether we need to add code to a. generate the apk-specific keys b. sign the APEXes during the build

Background

• APEX files are used in OTA updates ^1
• LOS Wiki describes how to
  • generate APEX keys ^2
  • using the keys when generating and signing target files ^3. Some of the apks are signed using the release key, some use the newly generated apk-specific keys
• The /e/OS Docker image
  • does not generate apk-specific keys when generating signing keys ^4
  • signs each apk with the apk-specific key if the key files exist ^5 before calling ota_from_target_files