The official microG OS project (https://lineage.microg.org/) leaked their private keys for logging into their servers and signing releases:

https://github.com/lineageos4microg/l4m-wiki/wiki/December-2025-security-issues

We make our official builds on local machines. Our signing machine’s keys aren’t ever on any storage unencrypted.

Our roadmap for improving security of verifying updates is based on taking advantage of the reproducible builds. We plan to have multiple official build locations and a configurable signoff verification system in the update clients also usable with third party signoff providers.

We don’t have faith in any available commercial HSM products being more secure than keeping keys encrypted at rest on the primary local build machine. Instead, we’re planning to develop software for using the secure element on GrapheneOS phones as an HSM for signing our releases.