Certificate Authority store updates

- Remove some untrustworthy CAs - Update CA store for all branches to aosp/e302aa968334b3c3fc9cd709a7c7661e0cf534eb Signed-off-by: Tad <tad@spotco.us>
2025-05-02 06:26:20 -04:00 · 2023-06-17 14:50:49 -04:00 · 2023-06-17 14:50:49 -04:00 · cda898f141
commit cda898f141
parent 41e2669884
138 changed files with 11880 additions and 2 deletions
--- a/Scripts/Common/Functions.sh
+++ b/Scripts/Common/Functions.sh
@ -442,6 +442,15 @@ removeBuildFingerprints() {
 }
 export -f removeBuildFingerprints;

+removeUntrustedCerts() {
+	cd "$DOS_BUILD_BASE/system/ca-certificates/files";
+	rm -fv 7c302982.0 c2c1704e.0 d0cddf45.0; #TrustCor
+	rm -fv cb156124.0; #E-Turga
+	cd "$DOS_BUILD_BASE";
+	echo "Removed untrusted certificate authorities";
+}
+export -f removeUntrustedCerts;
+
 compressRamdisks() {
 	if [ -f BoardConfig.mk ]; then
 		echo "LZMA_RAMDISK_TARGETS := boot,recovery" >> BoardConfig.mk;
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
@ -470,6 +470,11 @@ applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rs
 applyPatch "$DOS_PATCHES/android_system_bt/0001-NO_READENCRKEYSIZE.patch"; #Add an option to let devices opt-out of the HCI_READ_ENCR_KEY_SIZE_SUPPORTED assert (DivestOS)
 fi;

+if enterAndClear "system/ca-certificates"; then
+rm -rf files; #Remove old certs
+cp -r "$DOS_PATCHES_COMMON/android_system_ca-certificates/files" .; #Copy the new ones into place
+fi;
+
 if enterAndClear "system/core"; then
 applyPatch "$DOS_PATCHES/android_system_core/332457.patch"; #n-asb-2022-06 Backport of Win-specific suppression of potentially rogue construct that can engage
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
@ -615,6 +620,7 @@ deblobAudio;
 removeBuildFingerprints;
 hardenLocationSerials || true;
 changeDefaultDNS; #Change the default DNS servers
+removeUntrustedCerts || true;

 #Tweaks for <2GB RAM devices
 enableLowRam "device/asus/grouper";
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@ -418,6 +418,11 @@ applyPatch "$DOS_PATCHES/android_system_bt/358581-backport.patch"; #R_asb_2023-0
 applyPatch "$DOS_PATCHES/android_system_bt/358582.patch"; #R_asb_2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)""
 fi;

+if enterAndClear "system/ca-certificates"; then
+rm -rf files; #Remove old certs
+cp -r "$DOS_PATCHES_COMMON/android_system_ca-certificates/files" .; #Copy the new ones into place
+fi;
+
 if enterAndClear "system/core"; then
 applyPatch "$DOS_PATCHES/android_system_core/332765.patch"; #P_asb_2022-06 Backport of Win-specific suppression of potentially rogue construct that can engage in directory traversal on the host.
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
@ -519,6 +524,7 @@ deblobAudio;
 removeBuildFingerprints;
 hardenLocationSerials || true;
 changeDefaultDNS; #Change the default DNS servers
+removeUntrustedCerts || true;

 #Tweaks for <2GB RAM devices
 enableLowRam "device/asus/fugu";
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@ -351,6 +351,11 @@ applyPatch "$DOS_PATCHES/android_system_bt/358582.patch"; #R_asb_2023-06 Revert
 #applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 fi;

+if enterAndClear "system/ca-certificates"; then
+rm -rf files; #Remove old certs
+cp -r "$DOS_PATCHES_COMMON/android_system_ca-certificates/files" .; #Copy the new ones into place
+fi;
+
 if enterAndClear "system/core"; then
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
 git revert --no-edit b3609d82999d23634c5e6db706a3ecbc5348309a; #Always update recovery
@ -432,6 +437,7 @@ removeBuildFingerprints;
 hardenLocationSerials || true;
 changeDefaultDNS; #Change the default DNS servers
 fixupCarrierConfigs || true; #Remove silly carrier restrictions
+removeUntrustedCerts || true;
 cd "$DOS_BUILD_BASE";

 #Tweaks for <2GB RAM devices
--- a/Scripts/LineageOS-17.1/Patch.sh
+++ b/Scripts/LineageOS-17.1/Patch.sh
@ -368,6 +368,11 @@ applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add a
 #applyPatch "$DOS_PATCHES/android_system_bt/272650.patch"; #ten-bt-sbc-hd-dualchannel: Allow using alternative (higher) SBC HD bitrates with a property (ValdikSS)
 fi;

+if enterAndClear "system/ca-certificates"; then
+rm -rf files; #Remove old certs
+cp -r "$DOS_PATCHES_COMMON/android_system_ca-certificates/files" .; #Copy the new ones into place
+fi;
+
 if enterAndClear "system/core"; then
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
 git revert --no-edit 3032c7aa5ce90c0ae9c08fe271052c6e0304a1e7 01266f589e6deaef30b782531ae14435cdd2f18e; #insanity
@ -501,6 +506,7 @@ hardenLocationSerials || true;
 enableAutoVarInit || true;
 changeDefaultDNS; #Change the default DNS servers
 fixupCarrierConfigs || true; #Remove silly carrier restrictions
+removeUntrustedCerts || true;
 cd "$DOS_BUILD_BASE";
 #rm -rfv device/*/*/overlay/CarrierConfigResCommon device/*/*/rro_overlays/CarrierConfigOverlay device/*/*/overlay/packages/apps/CarrierConfig/res/xml/vendor.xml;

--- a/Scripts/LineageOS-18.1/Patch.sh
+++ b/Scripts/LineageOS-18.1/Patch.sh
@ -375,6 +375,11 @@ git am "$DOS_PATCHES/android_system_bt/a2dp-master-fixes.patch"; #topic (AOSP)
 applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 fi;

+if enterAndClear "system/ca-certificates"; then
+rm -rf files; #Remove old certs
+cp -r "$DOS_PATCHES_COMMON/android_system_ca-certificates/files" .; #Copy the new ones into place
+fi;
+
 if enterAndClear "system/core"; then
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
 git revert --no-edit e8dcabaf6b55ec55eb73c4585501ddbafc04fc9b 79f606ece6b74652d374eb4f79de309a0aa81360; #insanity
@ -568,6 +573,7 @@ hardenLocationSerials || true;
 enableAutoVarInit || true;
 changeDefaultDNS; #Change the default DNS servers
 fixupCarrierConfigs || true; #Remove silly carrier restrictions
+removeUntrustedCerts || true;
 cd "$DOS_BUILD_BASE";
 #rm -rfv device/*/*/overlay/CarrierConfigResCommon device/*/*/rro_overlays/CarrierConfigOverlay device/*/*/overlay/packages/apps/CarrierConfig/res/xml/vendor.xml;

--- a/Scripts/LineageOS-19.1/Patch.sh
+++ b/Scripts/LineageOS-19.1/Patch.sh
@ -384,6 +384,11 @@ if enterAndClear "system/bt"; then
 applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 fi;

+if enterAndClear "system/ca-certificates"; then
+rm -rf files; #Remove old certs
+cp -r "$DOS_PATCHES_COMMON/android_system_ca-certificates/files" .; #Copy the new ones into place
+fi;
+
 if enterAndClear "system/core"; then
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
 git revert --no-edit 07adb89d0f8c966c88869d1abffc57da0e707568; #insanity
@ -483,6 +488,7 @@ hardenLocationSerials || true;
 enableAutoVarInit || true;
 changeDefaultDNS; #Change the default DNS servers
 fixupCarrierConfigs || true; #Remove silly carrier restrictions
+removeUntrustedCerts || true;
 cd "$DOS_BUILD_BASE";
 #rm -rfv device/*/*/overlay/CarrierConfigResCommon device/*/*/rro_overlays/CarrierConfigOverlay device/*/*/overlay/packages/apps/CarrierConfig/res/xml/vendor.xml;

--- a/Scripts/LineageOS-20.0/Patch.sh
+++ b/Scripts/LineageOS-20.0/Patch.sh
@ -382,6 +382,11 @@ fi;
 #cp $DOS_PATCHES_COMMON/android_packages_providers_TelephonyProvider/carrier_list.* assets/latest_carrier_id/;
 #fi;

+if enterAndClear "system/ca-certificates"; then
+rm -rf files; #Remove old certs
+cp -r "$DOS_PATCHES_COMMON/android_system_ca-certificates/files" .; #Copy the new ones into place
+fi;
+
 if enterAndClear "system/core"; then
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
 git revert --no-edit 7e2eeae6244ed16c2602480207659ebf0e21674a; #insanity
@ -520,6 +525,7 @@ hardenLocationSerials || true;
 enableAutoVarInit || true;
 changeDefaultDNS; #Change the default DNS servers
 fixupCarrierConfigs || true; #Remove silly carrier restrictions
+removeUntrustedCerts || true;
 cd "$DOS_BUILD_BASE";
 #rm -rfv device/*/*/overlay/CarrierConfigResCommon device/*/*/rro_overlays/CarrierConfigOverlay device/*/*/overlay/packages/apps/CarrierConfig/res/xml/vendor.xml;

--- a/Scripts/Update_Commons.sh
+++ b/Scripts/Update_Commons.sh
@ -29,11 +29,15 @@ wget "https://github.com/LineageOS/android_packages_apps_LineageParts/raw/lineag

 #TODO: wireless-regdb
 #https://mirrors.edge.kernel.org/pub/software/network/wireless-regdb/
-#Last: 2023/05/24
+#Last: 2023/06/17

 #TODO: MMS Configs
 #https://github.com/GrapheneOS/platform_packages_apps_Messaging
-#Last: 2023/05/24
+#Last: 2023/06/17
+
+#TODO: CA store
+#https://android.googlesource.com/platform/system/ca-certificates
+#Last: 2023/06/17

 #TODO: Carrier List, unused
 #https://android.googlesource.com/platform/packages/providers/TelephonyProvider/