Future proofing keys

This commit is contained in:
Tad 2019-09-25 13:21:47 -04:00
parent ca734124f9
commit a0e8f9653c
7 changed files with 23 additions and 5 deletions


@ -180,6 +180,7 @@ processRelease() {
"${VERITY_SWITCHES[@]}" \
$OUT_DIR/obj/PACKAGING/target_files_intermediates/*$DEVICE-target_files-*.zip \
$OUT_DIR/$PREFIX-target_files.zip;
sha512sum $OUT_DIR/$PREFIX-target_files.zip > $OUT_DIR/$PREFIX-target_files.zip.sha512sum;
local INCREMENTAL_ID=$(grep "ro.build.version.incremental" $OUT_DIR/system/build.prop | cut -f2 -d "=" | sed 's/\.//g');
echo $INCREMENTAL_ID > $OUT_DIR/$PREFIX-target_files.zip.id;
@ -188,7 +189,7 @@ processRelease() {
echo -e "\e[0;32mCreating fastboot image\e[0m";
build/tools/releasetools/img_from_target_files $OUT_DIR/$PREFIX-target_files.zip \
$OUT_DIR/$PREFIX-img.zip || exit 1;
md5sum $OUT_DIR/$PREFIX-img.zip > $OUT_DIR/$PREFIX-img.zip.md5sum;
sha512sum $OUT_DIR/$PREFIX-img.zip > $OUT_DIR/$PREFIX-img.zip.sha512sum;
fi
#OTA
@ -197,6 +198,7 @@ processRelease() {
$OUT_DIR/$PREFIX-target_files.zip \
$OUT_DIR/$PREFIX-ota.zip;
md5sum $OUT_DIR/$PREFIX-ota.zip > $OUT_DIR/$PREFIX-ota.zip.md5sum;
sha512sum $OUT_DIR/$PREFIX-ota.zip > $OUT_DIR/$PREFIX-ota.zip.sha512sum;
#Deltas
if [ "$DOS_GENERATE_DELTAS" = true ]; then
@ -209,6 +211,7 @@ processRelease() {
$OUT_DIR/$PREFIX-target_files.zip \
$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip;
md5sum $OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip > $OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip.md5sum;
sha512sum $OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip > $OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip.sha512sum;
fi;
done;
fi;
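Review bot: The new `sha512sum` lines record `$OUT_DIR/$PREFIX-...` as the file name inside each `.sha512sum` file, so a consumer running `sha512sum -c` on the published artifact only succeeds from the same absolute path; the existing `md5sum` lines behave the same way, so this may be deliberate, but a relative name is more useful for a release, e.g. `(cd "$OUT_DIR" && sha512sum "$PREFIX-target_files.zip" > "$PREFIX-target_files.zip.sha512sum");`. The expansions are also unquoted, so an `OUT_DIR` or `PREFIX` containing whitespace would split into several arguments. The same pattern applies to the img, ota and incremental hunks of this section. processRelease() starts and ends outside the hunks shown.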


@ -4,19 +4,30 @@
type='rsa'; #Options: rsa, ec
#make -j20 generate_verity_key;
#breakfast lineage_sailfish-user && make -j20 generate_verity_key;
cd "$DOS_SIGNING_KEYS";
cd "$DOS_SIGNING_KEYS/NEW";
mkdir $1; cd $1;
desc="/O=Divested Computing Group/CN=DivestOS for $1/emailAddress=support@divestos.org";
sed -i '/blank for none/,+1 d' "$DOS_BUILD_BASE"/development/tools/make_key;
#sed -i 's/2048/4096/' "$DOS_BUILD_BASE"/development/tools/make_key;
"$DOS_BUILD_BASE"/development/tools/make_key extra "$desc" "$type";
"$DOS_BUILD_BASE"/development/tools/make_key future-1 "$desc" "$type";
"$DOS_BUILD_BASE"/development/tools/make_key future-2 "$desc" "$type";
"$DOS_BUILD_BASE"/development/tools/make_key media "$desc" "$type";
"$DOS_BUILD_BASE"/development/tools/make_key networkstack "$desc" "$type";
"$DOS_BUILD_BASE"/development/tools/make_key platform "$desc" "$type";
"$DOS_BUILD_BASE"/development/tools/make_key releasekey "$desc" "$type";
"$DOS_BUILD_BASE"/development/tools/make_key shared "$desc" "$type";
sed -i 's/4096/2048/' "$DOS_BUILD_BASE"/development/tools/make_key;
"$DOS_BUILD_BASE"/development/tools/make_key verity "$desc" "$type";
"$DOS_BUILD_BASE"/out/host/linux-x86/bin/generate_verity_key -convert verity.x509.pem verity_key;
openssl x509 -outform der -in verity.x509.pem -out verifiedboot_relkeys.der.x509;
openssl genrsa -out avb.pem 2048;
openssl genrsa -out avb.pem 2048; #or 4096
"$DOS_BUILD_BASE"/external/avb/avbtool extract_public_key --key avb.pem --output avb_pkmd.bin;
cd "$DOS_BUILD_BASE";
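Review bot: `mkdir $1; cd $1;` is unguarded, so when the directory already exists or the `cd` fails every following `make_key` call and the `openssl genrsa` run in `$DOS_SIGNING_KEYS/NEW` and overwrite whatever key material is there, and the final `cd "$DOS_BUILD_BASE"` hides that nothing went where it should; `mkdir -- "$1" && cd -- "$1" || exit 1;` stops at the first failure. The two `sed -i` edits to `development/tools/make_key` (the `/blank for none/,+1 d` deletion and the `4096`→`2048` replacement) stay in the working tree after the script ends, so a second run or a later build operates on an already-modified script; restoring the file from the development tree's checkout at the end, or editing a copy, would make the procedure repeatable. Whether the deleted lines are a passphrase prompt cannot be confirmed from this hunk; if they are, the generated keys are stored unencrypted and a comment next to that `sed` should say so.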


@ -99,6 +99,7 @@ enterAndClear "packages/apps/Trebuchet";
sed -i 's/mCropView.setTouchEnabled(touchEnabled);/mCropView.setTouchEnabled(true);/' WallpaperPicker/src/com/android/launcher3/WallpaperCropActivity.java;
enterAndClear "system/core";
sed -i 's/!= 2048/>= 2048/' libmincrypt/tools/DumpPublicKey.java; #Allow 4096-bit keys
if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden_Mounts.patch"; #Harden mounts with nodev/noexec/nosuid (CopperheadOS-13.0)
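Review bot: The added `sed -i 's/!= 2048/>= 2048/'` on `libmincrypt/tools/DumpPublicKey.java` succeeds silently when the upstream source no longer contains the literal `!= 2048`, leaving the 2048-only check in place while the `#Allow 4096-bit keys` comment claims otherwise; a follow-up such as `grep -q '>= 2048' libmincrypt/tools/DumpPublicKey.java || exit 1;` would make a stale pattern fail loudly. The same unverified edit is added in the three later sections that touch `libmincrypt/tools/DumpPublicKey.java` and `tools/dumpkey/DumpPublicKey.java` under `bootable/recovery`, and each would benefit from the same check.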


@ -157,6 +157,7 @@ patch -p1 < "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle
patch -p1 < "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch";
enterAndClear "system/core";
sed -i 's/!= 2048/>= 2048/' libmincrypt/tools/DumpPublicKey.java; #Allow 4096-bit keys
if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
git revert 0217dddeb5c16903c13ff6c75213619b79ea622b d7aa1231b6a0631f506c0c23816f2cd81645b15f; #Always update recovery XXX: This doesn't seem to work
patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysfs changes (GrapheneOS)


@ -65,6 +65,7 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_bio
enterAndClear "bootable/recovery";
git revert ac258a4f4c4b4b91640cc477ad1ac125f206db02; #Resurrect dm-verity
sed -i 's/!= 2048/>= 2048/' tools/dumpkey/DumpPublicKey.java; #Allow 4096-bit keys
enterAndClear "build/make";
patch -p1 < "$DOS_PATCHES_COMMON/android_build/0001-OTA_Keys.patch"; #add correct keys to recovery for OTA verification


@ -66,6 +66,7 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_bio
enterAndClear "bootable/recovery";
git revert 4d361ff13b5bd61d5a6a5e95063b24b8a37a24ab 37d729bf; #fix sideload
git revert fe2901b144c515c5a90b547198aed37c209b5a82; #Resurrect dm-verity
sed -i 's/!= 2048/>= 2048/' tools/dumpkey/DumpPublicKey.java; #Allow 4096-bit keys
enterAndClear "build/make";
git revert 271f6ffa045064abcac066e97f2cb53ccb3e5126 61f7ee9386be426fd4eadc2c8759362edb5bef8; #Add back PicoTTS and language files


@ -19,7 +19,7 @@
#START OF USER CONFIGURABLE OPTIONS
export DOS_WORKSPACE_ROOT="/mnt/Drive-3/"; #XXX: THIS MUST BE CORRECT TO BUILD!
export DOS_SIGNING_KEYS=$DOS_WORKSPACE_ROOT"Signing_Keys";
export DOS_SIGNING_KEYS=$DOS_WORKSPACE_ROOT"Signing_Keys/2048";
#export DOS_BINARY_PATCHER="";
#export DOS_TOR_WRAPPER="torsocks"; #Uncomment to perform select build operations over Tor
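Review bot: `$DOS_WORKSPACE_ROOT"Signing_Keys/2048"` only yields a valid path because the value two lines above ends in `/`, and the `2048` in the directory name now has to agree with the key size chosen in the key-generation script, which nothing checks. `export DOS_SIGNING_KEYS="${DOS_WORKSPACE_ROOT}Signing_Keys/2048";` at least quotes the whole value; a single exported size variable (placeholder name: `DOS_KEY_BITS`) feeding both this path and the `openssl genrsa` length would remove the duplication.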