@neilchetty
Last active November 27, 2023 06:46
Guide To Sign Android Build Update With Private Release Keys

Index

  1. Generating signing keys (Part 1)
  2. Generating signing keys (Part 2)
  3. Making signed build (recovery)
  4. Making signed build (fastboot)
  5. Making incremental update

Requirements

All you need is an Android build system (I would recommend LineageOS).

Generating signing keys (Part 1)

export subject='/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'

C: Country short form
ST: Country long form
L: Location
O, OU, CN: Your name
emailAddress: Your email

For example:

export subject='/C=DE/ST=Germany/L=Berlin/O=Max Mustermann/OU=Max Mustermann/CN=Max Mustermann/emailAddress=max@mustermann.de'

Generating signing keys (Part 2)

mkdir ~/.android-certs

for x in releasekey platform shared media networkstack testkey bluetooth sdk_sandbox verifiedboot; do \
    ./development/tools/make_key ~/.android-certs/$x "$subject"; \
done

Note:

  • cyngn-priv-app is only needed if building 14.1 and older.
  • bluetooth, sdk_sandbox and verifiedboot are needed since Android 13.
  • DO NOT set a password for the keys. If you do, you won't be able to use them for building!
  • Store the generated folder safely; I made a private GitHub repo to store it.
  • Do not leak this folder. If it leaks, there is no difference between an unsigned and a signed build.
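
Because the keys carry no password, file permissions are the only thing protecting them on disk. The following is an added example, not part of the original gist: a pre-flight audit that checks every key pair from the loop above is present and that the directory and private keys are accessible only to their owner. The function names are hypothetical, and the script assumes make_key's usual output names (NAME.pk8 for the private key, NAME.x509.pem for the certificate).

```shell
#!/bin/sh
# Added example: audit the signing-key directory before signing a build.
# Key names are the ones generated in "Generating signing keys (Part 2)".
KEY_NAMES="releasekey platform shared media networkstack testkey bluetooth sdk_sandbox verifiedboot"

# Succeeds when the path has no group/other permission bits set.
# Parses the mode column of `ls -ld` (e.g. "-rw-------"), which is portable.
is_private() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_keys DIR: prints one line per problem, returns 0 only if none found.
audit_keys() {
    dir=$1
    problems=0
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir"
        return 1
    fi
    if ! is_private "$dir"; then
        echo "EXPOSED  $dir (fix: chmod 700)"
        problems=$((problems + 1))
    fi
    for name in $KEY_NAMES; do
        # Assumed layout: private key NAME.pk8, certificate NAME.x509.pem.
        for f in "$dir/$name.pk8" "$dir/$name.x509.pem"; do
            if [ ! -s "$f" ]; then
                echo "MISSING  $f"
                problems=$((problems + 1))
            fi
        done
        # The private key is unencrypted, so it must not be group/world readable.
        if [ -s "$dir/$name.pk8" ] && ! is_private "$dir/$name.pk8"; then
            echo "EXPOSED  $dir/$name.pk8 (fix: chmod 600)"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}
```

Load the functions into the shell and run audit_keys ~/.android-certs after generating or cloning the keys, before calling sign_target_files_apks.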

Making signed build (recovery)

Make an unsigned build

. build/envsetup.sh
lunch lineage_(YOUR DEVICE)-(BUILD TYPE)
mka target-files-package otatools
or
m target-files-package otatools

Clone keys

mkdir -p ~/.android-certs
git clone (KEYS GITHUB LINK) -b main ~/.android-certs

Sign build

croot
sign_target_files_apks -o -d ~/.android-certs \
    $OUT/obj/PACKAGING/target_files_intermediates/*-target_files-*.zip \
    signed-target_files.zip

Note:

  • This creates a zip named signed-target_files.zip in the source dir.

ota_from_target_files -k ~/.android-certs/releasekey \
    --block --backup=true \
    signed-target_files.zip \
    signed-ota_update.zip

On some sources this might give an error; in that case use:

ota_from_target_files -k ~/.android-certs/releasekey \
    --block \
    signed-target_files.zip \
    signed-ota_update.zip

signed-ota_update.zip is the required signed recovery zip.

Note:

  • This creates a zip named signed-ota_update.zip in the source dir.
  • This zip can be flashed using recovery like a normal unsigned build.
  • Don't forget to run rm -rf ~/.android-certs.

Making signed build (fastboot)

croot
img_from_target_files signed-target_files.zip signed-img.zip

signed-img.zip is the required signed fastboot zip.

Note:

  • This creates a zip named signed-img.zip in the source dir.
  • This zip can be flashed from fastbootd with fastboot update (PATH OF ZIP).

Making incremental update

Note:

  • This needs signed-target_files.zip from the previous build. If you don't have it, an incremental update cannot be made.
  • PREVIOUS-signed-target_files.zip - signed-target_files.zip from the old build.
  • NEW-signed-target_files.zip - signed-target_files.zip from the new build.

croot
ota_from_target_files -i PREVIOUS-signed-target_files.zip NEW-signed-target_files.zip incremental_ota_update.zip

incremental_ota_update.zip is the required incremental zip.

Note:

  • This creates a zip named incremental_ota_update.zip in the source dir.
  • This zip can be flashed using recovery like a normal unsigned build.
  • The user has to be on the same build that PREVIOUS-signed-target_files.zip comes from.