Skip to content

Instantly share code, notes, and snippets.

Last active October 22, 2021 01:08
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Lineage Cheeseburger secure build

A secure LineageOS Chesseburger build

  • user build instead of userdebug build
  • all signing keys are private keys
  • use LineageOS recovery


Use Debian 11 and install these packages. You need ~300 GB available space.

apt-get install bc bison build-essential ccache curl flex g++-multilib gcc-multilib git gnupg gperf imagemagick lib32ncurses5-dev lib32readline-dev lib32z1-dev liblz4-tool libncurses5 libncurses5-dev libsdl1.2-dev libssl-dev libxml2 libxml2-utils lzop pngcrush rsync schedtool squashfs-tools xsltproc zip zlib1g-dev fastboot adb libwxgtk3.0-gtk3-dev repo python3-protobuf brotli unzip


mkdir -p android/lineage ~/.android-certs/
cd android/lineage
repo init -u -b lineage-17.1
repo sync

echo "Dont set a password for the verity key"
subject='/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/'
for x in releasekey platform shared media networkstack testkey verity; do
        # $ANDROID_BUILD_TOP/development/tools/make_key
        development/tools/make_key ~/.android-certs/"$x" "$subject"

source build/
echo "Extract cheeseburger blob, see:"
tar xf ~/cheeseburger_blob_clean.tar -C vendor/
breakfast lineage_cheeseburger-user

mka generate_verity_key
# $ANDROID_HOST_OUT/bin/generate_verity_key
out/host/linux-x86/bin/generate_verity_key -convert ~/.android-certs/verity.x509.pem ~/.android-certs/verity

# remove key to be sure to not use it
rm vendor/lineage/build/target/product/security/lineage.x509.pem
# Add releasekey to recovery, to be able to update via sideload
mkdir -p vendor/lineage-priv/keys/
echo "PRODUCT_EXTRA_RECOVERY_KEYS := " > vendor/lineage-priv/keys/
echo "PRODUCT_OTA_PUBLIC_KEYS := ${HOME}/.android-certs/releasekey.x509.pem" >> vendor/lineage-priv/keys/
cp ~/.android-certs/verity.x509.pem kernel/oneplus/msm8998/certs/verity.x509.pem

ccache -M 50G
mka target-files-package otatools
./build/tools/releasetools/sign_target_files_apks -o --default_key_mappings ~/.android-certs --replace_verity_public_key ~/.android-certs/ --replace_verity_private_key ~/.android-certs/verity --replace_verity_keyid ~/.android-certs/verity.x509.pem $OUT/obj/PACKAGING/target_files_intermediates/*-target_files-*.zip
./build/tools/releasetools/ota_from_target_files -k ~/.android-certs/releasekey --block --backup=true
ls $OUT/recovery.img

Additional info

Update recovery

To update the recovery you can set the option persist.sys.recovery_update=true

echo "PRODUCT_PROPERTY_OVERRIDES += persist.sys.recovery_update=true" >> vendor/lineage-priv/keys/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment