using the keys when generating and signing target files ^3. Some of the apks are signed using the release key, some use the newly generated apk-specific keys
The /e/OS Docker image:
- does not generate apk-specific keys when generating signing keys ^4
- signs each apk with the apk-specific key if the key files exist ^5 before calling ota_from_target_files
We don't currently sign APEX files during the build. I don't know
Background
ota_from_target_files