Our QA and testing .apks are signed with a key per build
For every .apk build we do a
keytool -genkey -v -keystore qa.keystore -storepass android -alias androidqakey -keypass android -keyalg RSA -keysize 2048 -validity 10000 -dname "CN=Android Tor QA,O=Tor,C=US"
which
a) results in differences between the resulting .apk files defeating our reproducible builds goal and
b) results in a hassle testing those .apk files by trying to overwrite an older installation: the keys must be the same, otherwise the app would not get installed over the already available one.