diff --git a/buildSrc/src/main/kotlin/ProjectConfig.kt b/buildSrc/src/main/kotlin/ProjectConfig.kt
index 5a4d5debc..d751e56a8 100644
--- a/buildSrc/src/main/kotlin/ProjectConfig.kt
+++ b/buildSrc/src/main/kotlin/ProjectConfig.kt
@@ -55,6 +55,6 @@ const val NEWPIPE_APPLICATION_ID_NEW = "net.newpipe.app"
 // vc=19 / 0.1.0-AE — rust pipeline cutover. Extraction via
 // strawcore-core (Sulkta-Coop/strawcore) via the UniFFI wrapper; no
 // NewPipeExtractor in the runtime path.
-const val STRAW_VERSION_CODE = 71
-const val STRAW_VERSION_NAME = "0.1.0-CE"
+const val STRAW_VERSION_CODE = 72
+const val STRAW_VERSION_NAME = "0.1.0-CF"
 const val STRAW_APPLICATION_ID = "com.sulkta.straw"
diff --git a/strawApp/build.gradle.kts b/strawApp/build.gradle.kts
index 13fbac20b..0c7b26286 100644
--- a/strawApp/build.gradle.kts
+++ b/strawApp/build.gradle.kts
@@ -38,6 +38,26 @@ configure<ApplicationExtension> {
         resValue("string", "app_name", "Straw")
     }
 
+    // Explicit signing so CI / release builds reuse ONE keystore instead of
+    // Gradle's per-machine auto-generated ~/.android/debug.keystore — a fresh
+    // CI container would otherwise mint a DIFFERENT key and break in-place
+    // updates for everyone on fdroid. Driven by env so local dev needs no
+    // setup (unset → Gradle's default debug signing):
+    //   STRAW_KEYSTORE_FILE — path to the keystore
+    //   STRAW_KEYSTORE_PASS / STRAW_KEY_ALIAS / STRAW_KEY_PASS — creds
+    // Vault: [Sulkta — Straw fdroid signing keystore (debug androiddebugkey)].
+    val strawKeystoreFile: String? = System.getenv("STRAW_KEYSTORE_FILE")
+    signingConfigs {
+        if (strawKeystoreFile != null) {
+            create("sulkta") {
+                storeFile = file(strawKeystoreFile)
+                storePassword = System.getenv("STRAW_KEYSTORE_PASS") ?: "android"
+                keyAlias = System.getenv("STRAW_KEY_ALIAS") ?: "androiddebugkey"
+                keyPassword = System.getenv("STRAW_KEY_PASS") ?: "android"
+            }
+        }
+    }
+
     buildTypes {
         // R8 enabled on BOTH variants — we publish the debug APK to
         // fdroid (com.sulkta.straw.debug) per the existing pipeline,
@@ -55,6 +75,11 @@ configure<ApplicationExtension> {
                 getDefaultProguardFile("proguard-android-optimize.txt"),
                 "proguard-rules.pro",
             )
+            // Reuse the canonical fdroid keystore in CI/release; fall back to
+            // Gradle's default debug keystore for local dev (env unset).
+            if (strawKeystoreFile != null) {
+                signingConfig = signingConfigs.getByName("sulkta")
+            }
         }
         release {
             isMinifyEnabled = true