Many changes

15.1: Update CVE patchers
15.1: Add back automated build signing
14.1: Disable herolte (broken)
14.1: March 2018 Security Bulletin

Patches/LineageOS-15.1/android_build/0001-Automated_Build_Signing.patch

@@ -0,0 +1,100 @@
+From 3548eba76a04254a32fb16c3a39192aba8e4d187 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 8 Mar 2018 22:03:43 -0500
+Subject: [PATCH] Add optional automated signing
+
+Change-Id: If38730428255a0de3939dfe1a0526b03ac948113
+---
+ core/Makefile | 41 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 38 insertions(+), 3 deletions(-)
+
+diff --git a/core/Makefile b/core/Makefile
+index b3f719a4f..b48328394 100644
+--- a/core/Makefile
++++ b/core/Makefile
+@@ -520,6 +520,10 @@ $(call dist-for-goals,droidcore,$(SOONG_TO_CONVERT))
+ # exist with the suffixes ".x509.pem" and ".pk8".
+ DEFAULT_KEY_CERT_PAIR := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
+ 
++ifneq ($(SIGNING_KEY_DIR),)
++    KEY_CERT_DIR := $(SIGNING_KEY_DIR)
++    DEFAULT_KEY_CERT_PAIR := $(SIGNING_KEY_DIR)/releasekey
++endif
+ 
+ # Rules that need to be present for the all targets, even
+ # if they don't do anything.
+@@ -1220,6 +1224,16 @@ endif
+ # substitute other keys for this one.
+ OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+ 
++ifneq ($(SIGNING_KEY_DIR),)
++    OTA_PUBLIC_KEYS := $(SIGNING_KEY_DIR)/releasekey.x509.pem
++    PRODUCT_EXTRA_RECOVERY_KEYS += $(SIGNING_KEY_DIR)/extra
++else
++    ifneq ($(OTA_PACKAGE_SIGNING_KEY),)
++	OTA_PUBLIC_KEYS := $(OTA_PACKAGE_SIGNING_KEY).x509.pem
++	PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
++    endif
++endif
++
+ # Generate a file containing the keys that will be read by the
+ # recovery binary.
+ RECOVERY_INSTALL_OTA_KEYS := \
+@@ -2316,6 +2330,13 @@ $(BUILT_TARGET_FILES_PACKAGE): intermediates := $(intermediates)
+ $(BUILT_TARGET_FILES_PACKAGE): \
+ 		zip_root := $(intermediates)/$(name)
+ 
++SIGNED_TARGET_FILES_PACKAGE := $(intermediates)/signed-$(name).zip
++MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(BUILT_TARGET_FILES_PACKAGE)
++
++ifneq ($(SIGNING_KEY_DIR),)
++  MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(SIGNED_TARGET_FILES_PACKAGE)
++endif
++
+ # $(1): Directory to copy
+ # $(2): Location to copy it to
+ # The "ls -A" is to prevent "acp s/* d" from failing if s is empty.
+@@ -2774,6 +2795,12 @@ else
+     OTA_SCRIPT_OVERRIDE_DEVICE := $(TARGET_OTA_ASSERT_DEVICE)
+ endif
+ 
++ifeq ($(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT),)
++    SIGN_TARGET_SCRIPT := ./build/tools/releasetools/sign_target_files_apks
++else
++    SIGN_TARGET_SCRIPT := $(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT)
++endif
++
+ ifeq ($(WITH_GMS),true)
+     $(INTERNAL_OTA_PACKAGE_TARGET): backuptool := false
+ else
+@@ -2784,8 +2811,16 @@ else
+ endif
+ endif
+ 
+-$(INTERNAL_OTA_PACKAGE_TARGET): $(BUILT_TARGET_FILES_PACKAGE) \
+-		build/tools/releasetools/ota_from_target_files
++$(SIGNED_TARGET_FILES_PACKAGE): $(BUILT_TARGET_FILES_PACKAGE) build/tools/releasetools/ota_from_target_files
++	@echo "$(SIGN_TARGET_SCRIPT)" > $(PRODUCT_OUT)/sign_script_path
++	@echo -e ${CL_YLW}"Sign target files:"${CL_RST}" $@"
++	$(hide) $(SIGN_TARGET_SCRIPT) \
++	   -d $(KEY_CERT_DIR) \
++	   -o \
++	   $(BUILT_TARGET_FILES_PACKAGE) \
++	   $(SIGNED_TARGET_FILES_PACKAGE)
++
++$(INTERNAL_OTA_PACKAGE_TARGET): $(MAYBE_SIGNED_TARGET_FILES_PACKAGE) build/tools/releasetools/ota_from_target_files
+ 	@echo "Package OTA: $@"
+ 	$(hide) PATH=$(foreach p,$(INTERNAL_USERIMAGES_BINARY_PATHS),$(p):)$$PATH MKBOOTIMG=$(MKBOOTIMG) \
+ 	   ./build/tools/releasetools/ota_from_target_files -v \
+@@ -2795,7 +2830,7 @@ $(INTERNAL_OTA_PACKAGE_TARGET): $(BUILT_TARGET_FILES_PACKAGE) \
+ 	   -k $(KEY_CERT_PAIR) \
+ 	   --backup=$(backuptool) \
+ 	   $(if $(OEM_OTA_CONFIG), -o $(OEM_OTA_CONFIG)) \
+-	   $(BUILT_TARGET_FILES_PACKAGE) $@
++	   $(MAYBE_SIGNED_TARGET_FILES_PACKAGE) $@
+ 
+ .PHONY: otapackage
+ otapackage: $(INTERNAL_OTA_PACKAGE_TARGET)
+-- 
+2.16.2
+