@A2L5E0X1
Last active June 25, 2024 07:34
Signing LineageOS builds with your own dev-keys

Generating dev-keys to sign android builds

All you need is an Android buildsystem (LineageOS is recommended)
NOTE: For Lineage 21 and newer, different steps are required.

PART 1: GENERATING KEYS

  1. Export your subject information (replace the example values with your own)
subject='/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'

C: Country shortform
ST: Country longform
L: Location (I used federal state)
O, OU, CN: Your Name
emailAddress: Your email
For example:

subject='/C=DE/ST=Germany/L=Berlin/O=Max Mustermann/OU=Max Mustermann/CN=Max Mustermann/emailAddress=max@mustermann.de'
  2. Generate the keys
mkdir ~/.android-certs

for x in releasekey platform shared media networkstack testkey cyngn-priv-app bluetooth sdk_sandbox verifiedboot; do \
    ./development/tools/make_key ~/.android-certs/$x "$subject"; \
done

Note:

  • cyngn-priv-app is only needed if building 14.1 and older.
  • bluetooth, sdk_sandbox and verifiedboot are needed since Android 13.
  • DO NOT set a password for the keys. If you do, you won't be able to use them for building!
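
An added check for the key directory produced above (example code written for this page, not part of the gist or of LineageOS): it confirms that every key has both of its files, that each .pk8 is unencrypted as the note requires, and that private keys are not readable by group or others. The function names, the KEYS override and the permission check are assumptions of this example; make_key is assumed to write <name>.pk8 in DER PKCS#8 form and <name>.x509.pem.

```sh
#!/bin/sh
# Added example: audit a make_key output directory before building with it.
# Assumption: make_key wrote <name>.pk8 (DER PKCS#8) and <name>.x509.pem.

# Key names from the guide's Android 13+ list; override with KEYS="..." if needed.
KEYS=${KEYS:-"releasekey platform shared media networkstack testkey bluetooth sdk_sandbox verifiedboot"}

# Unencrypted PKCS#8 is SEQUENCE { INTEGER 0, ... }: the DER header (30 82 xx xx
# or 30 81 xx) is followed by 02 01 00. A password-protected file has a nested
# SEQUENCE (30 ..) at that position instead.
pk8_is_unencrypted() {
    case "$(od -An -tx1 -N8 "$1" | tr -d ' \n')" in
        3082????020100*|3081??020100*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one line per problem; returns 0 only when no problem was found.
audit_key_dir() {
    dir=$1
    problems=0
    for name in $KEYS; do
        pk8="$dir/$name.pk8"
        for f in "$pk8" "$dir/$name.x509.pem"; do
            if [ ! -s "$f" ]; then
                echo "MISSING   $f"
                problems=$((problems + 1))
            fi
        done
        [ -s "$pk8" ] || continue
        if ! pk8_is_unencrypted "$pk8"; then
            echo "ENCRYPTED $pk8 (not a plain PKCS#8 key; the build cannot use it)"
            problems=$((problems + 1))
        fi
        # Added hygiene check: private keys readable by group or others.
        if [ -n "$(find "$pk8" \( -perm -040 -o -perm -004 \))" ]; then
            echo "READABLE  $pk8 (fix with: chmod 600)"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Stand-alone use: sh audit_keys.sh ~/.android-certs
if [ "$#" -gt 0 ]; then
    audit_key_dir "$1"
fi
```

For builds that still need cyngn-priv-app (14.1 and older), add it to KEYS before running the check.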

PART 2: SETTING UP PRIVATE VENDOR REPO

  1. Create the vendor repo
mkdir vendor/extra

For Lineage 21 and newer:

mkdir vendor/lineage-priv
  2. Move your keys to the vendor repo
mv ~/.android-certs vendor/extra/keys

For Lineage 21 and newer:

mv ~/.android-certs vendor/lineage-priv/keys
  3. Create a makefile and add the following line
echo "PRODUCT_DEFAULT_DEV_CERTIFICATE := vendor/extra/keys/releasekey" > vendor/extra/product.mk

For Lineage 21 and newer:

echo "PRODUCT_DEFAULT_DEV_CERTIFICATE := vendor/lineage-priv/keys/releasekey" > vendor/lineage-priv/keys/keys.mk

A BUILD.bazel in vendor/lineage-priv/keys is also required for Lineage 21 and newer containing the following:

filegroup(
    name = "android_certificate_directory",
    srcs = glob([
        "*.pk8",
        "*.pem",
    ]),
    visibility = ["//visibility:public"],
)

You might also need this commit if you're not building Lineage.

Note: NEVER PUBLISH THIS VENDOR REPO, AS IT CONTAINS YOUR OWN SIGNATURE KEYS! IF YOU PUBLISH THEM, IT WILL HAVE THE SAME SECURITY RISKS AS BUILDING WITH TEST-KEYS!

PART 3: SIGNING YOUR BUILDS

  • Most ROMs (for example LineageOS) automatically include vendor/extra/product.mk (or vendor/lineage-priv/keys/keys.mk in Lineage 21 or newer). If your ROM doesn't, add -include vendor/extra/product.mk (or -include vendor/lineage-priv/keys/keys.mk) to your device tree.
  • If everything worked, your builds should be signed with dev-keys.

References and Credits

  • LineageOS Wiki
  • Linux4 for being a pro
  • bengris32 for additional steps in Lineage 21
@r1ckkd

r1ckkd commented May 26, 2024

A question about PART 3: SIGNING YOUR BUILDS. If the rom doesn't include vendor/extra/product.mk, I add -include vendor/extra/product.mk in DT and run the build normally right ? After the build is done do I have to do any other steps ? Sorry I also read the guide in LoS wiki and got confused.
I was building crDroid and while building I didn't see any log or something which showed to include product.mk so I added it in DT and received this error cannot assign to readonly variable: PRODUCT_DEFAULT_DEV_CERTIFICATE
Any help is appreciated, thanks.

Yes, simply include this makefile in your device.mk. No additional steps are needed after building, the steps on LOS wiki are for release-keys signing.

Understood. Thanks a lot. Btw BUILD.bazel goes into DT or the rom directory ? Also I assume I can create it with nano ?

@chiteroman

Nice 🤙

@Machad3x

In step 2,

mv ~/.android-certs vendor/lineage-priv/keys

the correct path for the keys is vendor/lineage-priv/keys/.android-certs ??

@A2L5E0X1
Author

Understood. Thanks a lot. Btw BUILD.bazel goes into DT or the rom directory ? Also I assume I can create it with nano ?

BUILD.bazel goes into the vendor repo.

In step 2,

mv ~/.android-certs vendor/lineage-priv/keys

the correct path for the keys is vendor/lineage-priv/keys/.android-certs ??

Oops my bad, they're supposed to be in vendor/lineage-priv/keys. Let me fix the guide, thanks for telling!

@suvojit213

is this works on Evolution xyz ?

@xc112lg

xc112lg commented May 26, 2024

hi, will it affect the build if you supply keys on both cp -R .android-certs vendor/extra/keys
cp -R .android-certs vendor/lineage-priv/keys? thanks

@0xSoul24

is this works on Evolution xyz ?

yes

@GXC2356

GXC2356 commented May 27, 2024

Pro

@cat658011

big very pro pro max 2075 edition

@anoosragh69

So the path of BUILD.bazel would be vendor/lineage-priv/keys ?

I saw some roms putting them into an entirely diff dir named signing😅

@suvojit213

They Support Sign with Private keys from source by default

@anoosragh69

Well obv, but that wasn't my qns. I was asking about the function of the bazel file there

@A2L5E0X1
Author

So the path of BUILD.bazel would be vendor/lineage-priv/keys ?

I saw some roms putting them into an entirely diff dir named signing😅

Yes, or vendor/extra/keys, depending on what you're actually using.

@anoosragh69

actually

Ok thnkz for clarifying

@anoosragh69

anoosragh69 commented May 27, 2024

shouldn't we need a BUILD file for bazel to recognize the dir as a package?

or did I misinterpret the use of it here?

@jayz1212

how to know if my build is signed? thanks

@suvojit213

how to know if my build is signed? thanks

[image: 1000000427]
Shows like this

@jayz1212

how to know if my build is signed? thanks

1000000427 Shows like this

thanks

@jayz1212

how to know if my build is signed? thanks

1000000427 Shows like this

what command should i use? is it m bacon or mka target-files-package otatools? thanks

@twu2

twu2 commented May 28, 2024

what command should i use? is it m bacon or mka target-files-package otatools? thanks

just make bacon as before, the created zip file will sign with dev keys.

@jayz1212

what command should i use? is it m bacon or mka target-files-package otatools? thanks

just make bacon as before, the created zip file will sign with dev keys.

thanks

@GXC2356

GXC2356 commented May 29, 2024

Pro+

Pro cat deb

@cat658011

pro cat 2024 plus edition XR

@Sanjivns

Pro+

Pro cat deb

pro vayu deb

@jayz1212

jayz1212 commented Jun 4, 2024

lineage 20 use -include vendor/extra/product.mk right? i get confused cause in their vendor common.mk it says -include vendor/lineage-priv/keys/keys.mk

@athanatos1

athanatos1 commented Jun 7, 2024

how to know if my build is signed? thanks

1000000427 Shows like this

Can you reupload the picture and also show us the step by step process command wise? I tried to do this guide on an older a13, evox rom and it didn't work at all with those payload signing steps. Also where in this guide does it include the steps to sign the APEX files with a 4096 RSA key?

@athanatos1

athanatos1 commented Jun 7, 2024

I have also attached an Ubuntu WSL log for evolution x a13 rom, maybe someone can spot why it doesn't get signed properly? When I boot into this rom, all the apps crash and there's no wifi or cell service.
EDIT: It won't let me upload a zip or txt file so here is a download of the log: https://file.io/OalJcyU0m7Jy
https://easyupload.io/b8sawl

@Joe7500

Joe7500 commented Jun 8, 2024

I have also attached an Ubuntu WSL log for evolution x a13 rom, maybe someone can spot why it doesn't get signed properly? When I boot into this rom, all the apps crash and there's no wifi or cell service. EDIT: It won't let me upload a zip or txt file so here is a download of the log: https://file.io/OalJcyU0m7Jy https://easyupload.io/b8sawl

The end of the log shows the zip being signed with the provided key. Transitioning to a signed rom requires clean flash / format data, hence the apps crashing. 4096 might be too strong depending on the hardware.

@arsalan-zeus

How I can sign the custom rom zip file which is already build without signing method?

@IT21037306

How I can sign the custom rom zip file which is already build without signing method?

I'm not sure, but I think you have to rebuild the rom with keys
