diff --git a/.github/workflows/android-ci.yml b/.github/workflows/android-ci.yml
index ea46dc8..ba65ae2 100644
--- a/.github/workflows/android-ci.yml
+++ b/.github/workflows/android-ci.yml
@@ -12,6 +12,8 @@ env:
   APK_DEBUG: "app/build/outputs/apk/debug/app-debug.apk"
   APK_RELEASE: "app/build/outputs/apk/release/app-release-unsigned.apk"
   ARTIFACT_ROOT: "app/build/outputs"
+  ANDROID_KEY_ALIAS: ${{ secrets.ANDROID_KEY_ALIAS }}
+  ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
 
 jobs:
   lint:
@@ -49,10 +51,15 @@ jobs:
         with:
           name: ${{ env.APP_TITLE }}-debug.apk
           path: ${{ env.ARTIFACT_ROOT }}/${{ env.APP_TITLE }}-debug.apk
+      - name: Decode keystore
+        run: |
+          echo "${{ secrets.ANDROID_KEYSTORE_BASE64 }}" | base64 --decode > release-key.jks
       - name: Build Release APK to make sure it works
         run: ./gradlew assembleRelease
       - name: Ensure release build is where we expect
         run: ls -l ${{ env.APK_RELEASE }} || { find ${{ env.ARTIFACT_ROOT }} ; exit 1 ; }
+      - name: Verify APK signature
+        run: jarsigner -verify -verbose -certs ${{ env.APK_RELEASE }}
 
   build-release:
     name: Build Release APK
@@ -65,8 +72,13 @@ jobs:
         with:
           java-version: '17'
           distribution: 'temurin'
+      - name: Decode keystore
+        run: |
+          echo "${{ secrets.ANDROID_KEYSTORE_BASE64 }}" | base64 --decode > release-key.jks
       - name: Build Release APK
         run: ./gradlew assembleRelease
+      - name: Verify APK signature
+        run: jarsigner -verify -verbose -certs ${{ env.APK_RELEASE }}
       - name: Rename APK
         run: mv ${{ env.APK_RELEASE }} ${{ env.ARTIFACT_ROOT }}/${{ env.APP_TITLE }}-release.apk
       - name: Upload Release APK to GitHub Releases
@@ -75,4 +87,3 @@ jobs:
           files: ${{ env.ARTIFACT_ROOT }}/${{ env.APP_TITLE }}-release.apk
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
diff --git a/app/build.gradle.kts b/app/build.gradle.kts
index 1c01729..d439666 100644
--- a/app/build.gradle.kts
+++ b/app/build.gradle.kts
@@ -18,8 +18,18 @@ android {
         testInstrumentationRunner = "androidx.test.runner.AndroidJUnitRunner"
     }
 
+    signingConfigs {
+        release {
+            storeFile = file("release-key.jks")
+            storePassword = System.getenv("ANDROID_KEYSTORE_PASSWORD")
+            keyAlias = System.getenv("ANDROID_KEY_ALIAS")
+            keyPassword = System.getenv("ANDROID_KEYSTORE_PASSWORD") // Same password
+        }
+    }
+
     buildTypes {
         release {
+            signingConfig = signingConfigs.release
             isMinifyEnabled = true
             proguardFiles(
                 getDefaultProguardFile("proguard-android-optimize.txt"),
@@ -59,4 +69,4 @@ dependencies {
     androidTestImplementation(libs.androidx.ui.test.junit4)
     debugImplementation(libs.androidx.ui.tooling)
     debugImplementation(libs.androidx.ui.test.manifest)
-}
\ No newline at end of file
+}