@A2L5E0X1
Last active June 25, 2024 07:34
Signing LineageOS builds with your own dev-keys

Generating dev-keys to sign Android builds

All you need is an Android build system (LineageOS is recommended)
NOTE: For Lineage 21 and newer, different steps are required.

PART 1: GENERATING KEYS

  1. Set your subject information (replace the example values with your own)
subject='/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'

C: Country shortform
ST: Country longform
L: Location (I used federal state)
O, OU, CN: Your Name
emailAddress: Your email
For example:

subject='/C=DE/ST=Germany/L=Berlin/O=Max Mustermann/OU=Max Mustermann/CN=Max Mustermann/emailAddress=max@mustermann.de'
  2. Generate the keys
mkdir ~/.android-certs

for x in releasekey platform shared media networkstack testkey cyngn-priv-app bluetooth sdk_sandbox verifiedboot; do \
    ./development/tools/make_key ~/.android-certs/$x "$subject"; \
done

Note:

  • cyngn-priv-app is only needed if building 14.1 and older.
  • bluetooth, sdk_sandbox and verifiedboot are needed since Android 13.
  • DO NOT set a password for the keys. If you do, you won't be able to use them for building!
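
A pre-build check of the key directory, as an added example that is not part of the original gist: it confirms that every key from the loop above has both files, that no private key is password-protected, and that private keys are readable only by their owner. The function names are hypothetical, and the password check assumes the .pk8 files are DER-encoded PKCS#8.

```shell
#!/bin/sh
# Added example: audit a key directory produced by the make_key loop above.
# KEY_NAMES mirrors that loop; trim it to the keys your Android version needs.
KEY_NAMES="releasekey platform shared media networkstack testkey cyngn-priv-app bluetooth sdk_sandbox verifiedboot"

# Succeeds if the PKCS#8 DER file is unencrypted. An unencrypted key is
# SEQUENCE { INTEGER version, ... }; a password-protected one is
# SEQUENCE { SEQUENCE algorithm, ... }, so the first inner tag tells them apart.
pk8_is_unencrypted() {
    set -- "$1" $(od -An -tx1 -N6 "$1" 2>/dev/null)  # $2.. = first six bytes, hex
    [ "$2" = "30" ] || return 1                       # outer tag must be SEQUENCE
    case "$3" in
        81) [ "$5" = "02" ] ;;   # long-form length, one length byte
        82) [ "$6" = "02" ] ;;   # long-form length, two length bytes
        *)  [ "$4" = "02" ] ;;   # short-form length
    esac
}

# Prints one line per problem; returns 0 only if the directory is clean.
audit_keys() {
    dir=$1; problems=0
    for name in $KEY_NAMES; do
        for f in "$dir/$name.pk8" "$dir/$name.x509.pem"; do
            [ -f "$f" ] || { echo "missing: $f"; problems=$((problems + 1)); }
        done
        pk8="$dir/$name.pk8"
        [ -f "$pk8" ] || continue
        pk8_is_unencrypted "$pk8" ||
            { echo "password-protected or not PKCS#8 DER: $pk8"; problems=$((problems + 1)); }
        # Private keys should be readable by the owner only.
        [ -z "$(find "$pk8" \( -perm -040 -o -perm -004 \))" ] ||
            { echo "readable by group/others: $pk8"; problems=$((problems + 1)); }
    done
    [ "$problems" -eq 0 ]
}

# Usage: sh audit_keys.sh ~/.android-certs
if [ $# -gt 0 ]; then audit_keys "$1"; fi
```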

PART 2: SETTING UP PRIVATE VENDOR REPO

  1. Create the vendor repo
mkdir vendor/extra

For Lineage 21 and newer:

mkdir vendor/lineage-priv
  2. Move your keys to the vendor repo
mv ~/.android-certs vendor/extra/keys

For Lineage 21 and newer:

mv ~/.android-certs vendor/lineage-priv/keys
  3. Create a makefile and add the following line
echo "PRODUCT_DEFAULT_DEV_CERTIFICATE := vendor/extra/keys/releasekey" > vendor/extra/product.mk

For Lineage 21 and newer:

echo "PRODUCT_DEFAULT_DEV_CERTIFICATE := vendor/lineage-priv/keys/releasekey" > vendor/lineage-priv/keys/keys.mk

For Lineage 21 and newer, a BUILD.bazel file containing the following is also required in vendor/lineage-priv/keys:

filegroup(
    name = "android_certificate_directory",
    srcs = glob([
        "*.pk8",
        "*.pem",
    ]),
    visibility = ["//visibility:public"],
)

You might also need this commit if you're not building Lineage.

Note: NEVER PUBLISH THIS VENDOR REPO, AS IT CONTAINS YOUR OWN SIGNATURE KEYS! IF YOU PUBLISH THEM, IT WILL HAVE THE SAME SECURITY RISKS AS BUILDING WITH TEST-KEYS!

PART 3: SIGNING YOUR BUILDS

  • Most ROMs (for example LineageOS) automatically include vendor/extra/product.mk (or vendor/lineage-priv/keys/keys.mk in Lineage 21 or newer). If your ROM doesn't, add -include vendor/extra/product.mk (or -include vendor/lineage-priv/keys/keys.mk) to your device tree.
  • If everything worked, your builds should be signed with dev-keys.
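
One way to confirm which key signed a finished OTA zip, as an added example that is not part of the original gist: signapk embeds the signer's certificate in the zip as META-INF/com/android/otacert, and this compares it with your releasekey certificate and with the public AOSP test key. It assumes the package is signed with the releasekey set in PRODUCT_DEFAULT_DEV_CERTIFICATE and that it runs from the top of the source tree; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: decide which certificate signed a finished OTA zip.

# Print the base64 body of a PEM certificate with the armor lines and all
# whitespace removed, so two copies of the same certificate compare equal
# regardless of line wrapping or line endings.
pem_body() {
    grep -v -e '-----' "$1" 2>/dev/null | tr -d ' \r\n\t'
}

# classify_cert CERT KEYDIR [TESTKEY_PEM]
# Prints "own" if CERT matches KEYDIR/releasekey.x509.pem, "test-key" if it
# matches the public AOSP test key, "unknown" otherwise.
# Returns 0 only for "own".
classify_cert() {
    cert=$(pem_body "$1")
    testkey=${3:-build/make/target/product/security/testkey.x509.pem}
    if [ -z "$cert" ]; then
        echo "unknown"; return 1
    elif [ "$cert" = "$(pem_body "$2/releasekey.x509.pem")" ]; then
        echo "own"; return 0
    elif [ -f "$testkey" ] && [ "$cert" = "$(pem_body "$testkey")" ]; then
        echo "test-key"; return 1
    fi
    echo "unknown"; return 1
}

# classify_ota OTA_ZIP KEYDIR: extract the embedded certificate, classify it.
classify_ota() {
    tmp=$(mktemp) || return 1
    unzip -p "$1" META-INF/com/android/otacert > "$tmp" 2>/dev/null
    classify_cert "$tmp" "$2"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh classify_ota.sh out/target/product/<device>/<ota>.zip vendor/extra/keys
if [ $# -ge 2 ]; then classify_ota "$1" "$2"; fi
```

This checks the signature on the OTA package only; the APKs inside are signed with the other keys (platform, shared, media and so on) and are not examined here.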

References and Credits

  • LineageOS Wiki
  • Linux4 for being a pro
  • bengris32 for additional steps in Lineage 21

jayz1212 commented Jun 4, 2024

Lineage 20 uses -include vendor/extra/product.mk, right? I get confused because in their vendor common.mk it says -include vendor/lineage-priv/keys/keys.mk


athanatos1 commented Jun 7, 2024

how to know if my build is signed? thanks

1000000427 Shows like this

Can you reupload the picture and also show us the step by step process command wise? I tried to do this guide on an older a13, evox rom and it didn't work at all with those payload signing steps. Also where in this guide does it include the steps to sign the APEX files with a 4096 RSA key?


athanatos1 commented Jun 7, 2024

I have also attached an Ubuntu WSL log for evolution x a13 rom, maybe someone can spot why it doesn't get signed properly? When I boot into this rom, all the apps crash and there's no wifi or cell service.
EDIT: It won't let me upload a zip or txt file so here is a download of the log: https://file.io/OalJcyU0m7Jy
https://easyupload.io/b8sawl


Joe7500 commented Jun 8, 2024

I have also attached an Ubuntu WSL log for evolution x a13 rom, maybe someone can spot why it doesn't get signed properly? When I boot into this rom, all the apps crash and there's no wifi or cell service. EDIT: It won't let me upload a zip or txt file so here is a download of the log: https://file.io/OalJcyU0m7Jy https://easyupload.io/b8sawl

The end of the log shows the zip being signed with the provided key. Transitioning to a signed rom requires clean flash / format data, hence the apps crashing. 4096 might be too strong depending on the hardware.

@arsalan-zeus

How can I sign the custom rom zip file which is already built without signing method?

@IT21037306

How can I sign the custom rom zip file which is already built without signing method?

I'm not sure, but I think you have to rebuild the rom with keys
