Future proofing keys

Scripts/Common/Functions.sh

@@ -180,6 +180,7 @@ processRelease() {
 		"${VERITY_SWITCHES[@]}" \
 		$OUT_DIR/obj/PACKAGING/target_files_intermediates/*$DEVICE-target_files-*.zip \
 		$OUT_DIR/$PREFIX-target_files.zip;
+	sha512sum $OUT_DIR/$PREFIX-target_files.zip > $OUT_DIR/$PREFIX-target_files.zip.sha512sum;
 	local INCREMENTAL_ID=$(grep "ro.build.version.incremental" $OUT_DIR/system/build.prop | cut -f2 -d "=" | sed 's/\.//g');
 	echo $INCREMENTAL_ID > $OUT_DIR/$PREFIX-target_files.zip.id;
 
@@ -188,7 +189,7 @@ processRelease() {
 		echo -e "\e[0;32mCreating fastboot image\e[0m";
 		build/tools/releasetools/img_from_target_files $OUT_DIR/$PREFIX-target_files.zip \
 			$OUT_DIR/$PREFIX-img.zip || exit 1;
-		md5sum $OUT_DIR/$PREFIX-img.zip > $OUT_DIR/$PREFIX-img.zip.md5sum;
+		sha512sum $OUT_DIR/$PREFIX-img.zip > $OUT_DIR/$PREFIX-img.zip.sha512sum;
 	fi
 
 	#OTA
@@ -197,6 +198,7 @@ processRelease() {
 		$OUT_DIR/$PREFIX-target_files.zip  \
 		$OUT_DIR/$PREFIX-ota.zip;
 	md5sum $OUT_DIR/$PREFIX-ota.zip > $OUT_DIR/$PREFIX-ota.zip.md5sum;
+	sha512sum $OUT_DIR/$PREFIX-ota.zip > $OUT_DIR/$PREFIX-ota.zip.sha512sum;
 
 	#Deltas
 	if [ "$DOS_GENERATE_DELTAS" = true ]; then
@@ -209,6 +211,7 @@ processRelease() {
 					$OUT_DIR/$PREFIX-target_files.zip \
 					$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip;
 				md5sum $OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip > $OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip.md5sum;
+				sha512sum $OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip > $OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip.sha512sum;
 			fi;
 		done;
 	fi;

Scripts/Generate_Signing_Keys.sh

@@ -4,19 +4,30 @@
 
 type='rsa'; #Options: rsa, ec
 
-#make -j20 generate_verity_key;
+#breakfast lineage_sailfish-user && make -j20 generate_verity_key;
 
-cd "$DOS_SIGNING_KEYS";
+cd "$DOS_SIGNING_KEYS/NEW";
 mkdir $1; cd $1;
+
 desc="/O=Divested Computing Group/CN=DivestOS for $1/emailAddress=support@divestos.org";
+
+sed -i '/blank for none/,+1 d' "$DOS_BUILD_BASE"/development/tools/make_key;
+#sed -i 's/2048/4096/' "$DOS_BUILD_BASE"/development/tools/make_key;
 "$DOS_BUILD_BASE"/development/tools/make_key extra "$desc" "$type";
+"$DOS_BUILD_BASE"/development/tools/make_key future-1 "$desc" "$type";
+"$DOS_BUILD_BASE"/development/tools/make_key future-2 "$desc" "$type";
 "$DOS_BUILD_BASE"/development/tools/make_key media "$desc" "$type";
+"$DOS_BUILD_BASE"/development/tools/make_key networkstack "$desc" "$type";
 "$DOS_BUILD_BASE"/development/tools/make_key platform "$desc" "$type";
 "$DOS_BUILD_BASE"/development/tools/make_key releasekey "$desc" "$type";
 "$DOS_BUILD_BASE"/development/tools/make_key shared "$desc" "$type";
+
+sed -i 's/4096/2048/' "$DOS_BUILD_BASE"/development/tools/make_key;
 "$DOS_BUILD_BASE"/development/tools/make_key verity "$desc" "$type";
 "$DOS_BUILD_BASE"/out/host/linux-x86/bin/generate_verity_key -convert verity.x509.pem verity_key;
 openssl x509 -outform der -in verity.x509.pem -out verifiedboot_relkeys.der.x509;
-openssl genrsa -out avb.pem 2048;
+
+openssl genrsa -out avb.pem 2048; #or 4096
 "$DOS_BUILD_BASE"/external/avb/avbtool extract_public_key --key avb.pem --output avb_pkmd.bin;
+
 cd "$DOS_BUILD_BASE";

Scripts/LineageOS-11.0/Patch.sh

@@ -99,6 +99,7 @@ enterAndClear "packages/apps/Trebuchet";
 sed -i 's/mCropView.setTouchEnabled(touchEnabled);/mCropView.setTouchEnabled(true);/' WallpaperPicker/src/com/android/launcher3/WallpaperCropActivity.java;
 
 enterAndClear "system/core";
+sed -i 's/!= 2048/>= 2048/' libmincrypt/tools/DumpPublicKey.java; #Allow 4096-bit keys
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
 patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden_Mounts.patch"; #Harden mounts with nodev/noexec/nosuid (CopperheadOS-13.0)
 

Scripts/LineageOS-14.1/Patch.sh

@@ -157,6 +157,7 @@ patch -p1 < "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle
 patch -p1 < "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch";
 
 enterAndClear "system/core";
+sed -i 's/!= 2048/>= 2048/' libmincrypt/tools/DumpPublicKey.java; #Allow 4096-bit keys
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
 git revert 0217dddeb5c16903c13ff6c75213619b79ea622b d7aa1231b6a0631f506c0c23816f2cd81645b15f; #Always update recovery XXX: This doesn't seem to work
 patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysfs changes (GrapheneOS)

Scripts/LineageOS-15.1/Patch.sh

@@ -65,6 +65,7 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_bio
 
 enterAndClear "bootable/recovery";
 git revert ac258a4f4c4b4b91640cc477ad1ac125f206db02; #Resurrect dm-verity
+sed -i 's/!= 2048/>= 2048/' tools/dumpkey/DumpPublicKey.java; #Allow 4096-bit keys
 
 enterAndClear "build/make";
 patch -p1 < "$DOS_PATCHES_COMMON/android_build/0001-OTA_Keys.patch"; #add correct keys to recovery for OTA verification

Scripts/LineageOS-16.0/Patch.sh

@@ -66,6 +66,7 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_bio
 enterAndClear "bootable/recovery";
 git revert 4d361ff13b5bd61d5a6a5e95063b24b8a37a24ab 37d729bf; #fix sideload
 git revert fe2901b144c515c5a90b547198aed37c209b5a82; #Resurrect dm-verity
+sed -i 's/!= 2048/>= 2048/' tools/dumpkey/DumpPublicKey.java; #Allow 4096-bit keys
 
 enterAndClear "build/make";
 git revert 271f6ffa045064abcac066e97f2cb53ccb3e5126 61f7ee9386be426fd4eadc2c8759362edb5bef8; #Add back PicoTTS and language files

Scripts/init.sh

@@ -19,7 +19,7 @@
 
 #START OF USER CONFIGURABLE OPTIONS
 export DOS_WORKSPACE_ROOT="/mnt/Drive-3/"; #XXX: THIS MUST BE CORRECT TO BUILD!
-export DOS_SIGNING_KEYS=$DOS_WORKSPACE_ROOT"Signing_Keys";
+export DOS_SIGNING_KEYS=$DOS_WORKSPACE_ROOT"Signing_Keys/2048";
 #export DOS_BINARY_PATCHER="";
 #export DOS_TOR_WRAPPER="torsocks"; #Uncomment to perform select build operations over Tor