diff --git a/Patches/Common/android_frameworks_base/0004-Fingerprint_Lockout.patch b/Patches/Common/android_frameworks_base/0004-Fingerprint_Lockout.patch
new file mode 100644
index 00000000..bfef6465
--- /dev/null
+++ b/Patches/Common/android_frameworks_base/0004-Fingerprint_Lockout.patch
@@ -0,0 +1,22 @@
+From 18853bf3e04be75ec8f06d5cb5d40bfb19c6c79d Mon Sep 17 00:00:00 2001
+From: Daniel Micay
+Date: Tue, 12 Sep 2017 01:52:11 -0400
+Subject: [PATCH] use permanent fingerprint lockout immediately
+
+---
+ .../java/com/android/server/fingerprint/FingerprintService.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/services/core/java/com/android/server/fingerprint/FingerprintService.java b/services/core/java/com/android/server/fingerprint/FingerprintService.java
+index 06329e571b4..7c7d7008172 100644
+--- a/services/core/java/com/android/server/fingerprint/FingerprintService.java
++++ b/services/core/java/com/android/server/fingerprint/FingerprintService.java
+@@ -126,7 +126,7 @@
+ private final AppOpsManager mAppOps;
+ private static final long FAIL_LOCKOUT_TIMEOUT_MS = 30*1000;
+ private static final int MAX_FAILED_ATTEMPTS_LOCKOUT_TIMED = 5;
+- private static final int MAX_FAILED_ATTEMPTS_LOCKOUT_PERMANENT = 20;
++ private static final int MAX_FAILED_ATTEMPTS_LOCKOUT_PERMANENT = 5;
+
+ private static final long CANCEL_TIMEOUT_LIMIT = 3000; // max wait for onCancel() from HAL,in ms
+ private final String mKeyguardPackage;
diff --git a/Patches/LineageOS-11.0/android_build/1.patch b/Patches/LineageOS-11.0/android_build/1.patch
deleted file mode 100644
index 828de3de..00000000
--- a/Patches/LineageOS-11.0/android_build/1.patch
+++ /dev/null
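Review bot: In the FingerprintService.java hunk carried by 0004-Fingerprint_Lockout.patch, `MAX_FAILED_ATTEMPTS_LOCKOUT_PERMANENT` now equals `MAX_FAILED_ATTEMPTS_LOCKOUT_TIMED` (both 5), and nothing next to the changed line records that the equal values are deliberate. If the service tests the permanent threshold first, which the context lines here do not show, the timed stage and `FAIL_LOCKOUT_TIMEOUT_MS` become unreachable. I would carry a comment in the patch, `// Deliberately equal to the timed threshold: permanent lockout on the fifth failure, no timed stage`, so a later rebase does not treat the duplicate value as a mistake. The class body starts and ends outside the hunk.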
@@ -1,104 +0,0 @@ -From 4eb4173b876ab4b4d71a5be541096d346649bbef Mon Sep 17 00:00:00 2001 -From: Daniel Micay -Date: Sat, 30 May 2015 22:47:50 -0400 -Subject: [PATCH] add optional automated signing - ---- - core/Makefile | 48 ++++++++++++++++++++++++++++++++++++++++-------- - 1 file changed, 40 insertions(+), 8 deletions(-) - -diff --git a/core/Makefile b/core/Makefile -index 7eca2db..82006c9 100644 ---- a/core/Makefile -+++ b/core/Makefile -@@ -408,6 +408,11 @@ ifneq ($(OTA_PACKAGE_SIGNING_KEY),) - DEFAULT_KEY_CERT_PAIR := $(OTA_PACKAGE_SIGNING_KEY) - endif - -+ifneq ($(SIGNING_KEY_DIR),) -+ KEY_CERT_DIR := $(SIGNING_KEY_DIR) -+ DEFAULT_KEY_CERT_PAIR := $(SIGNING_KEY_DIR)/releasekey -+endif -+ - # Rules that need to be present for the all targets, even - # if they don't do anything. - .PHONY: systemimage -@@ -943,13 +948,18 @@ endif - # substitute other keys for this one. - OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem - --ifneq ($(OTA_PACKAGE_SIGNING_KEY),) -- OTA_PUBLIC_KEYS := $(OTA_PACKAGE_SIGNING_KEY).x509.pem -- PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE) -+ifneq ($(SIGNING_KEY_DIR),) -+ OTA_PUBLIC_KEYS := $(SIGNING_KEY_DIR)/releasekey.x509.pem -+ PRODUCT_EXTRA_RECOVERY_KEYS += $(SIGNING_KEY_DIR)/extra - else -- PRODUCT_EXTRA_RECOVERY_KEYS += \ -- build/target/product/security/cm \ -- build/target/product/security/cm-devkey -+ ifneq ($(OTA_PACKAGE_SIGNING_KEY),) -+ OTA_PUBLIC_KEYS := $(OTA_PACKAGE_SIGNING_KEY).x509.pem -+ PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE) -+ else -+ PRODUCT_EXTRA_RECOVERY_KEYS += \ -+ build/target/product/security/cm \ -+ build/target/product/security/cm-devkey -+ endif - endif - - # Generate a file containing the keys that will be read by the -@@ -1593,6 +1603,12 @@ BUILT_TARGET_FILES_PACKAGE := $(intermediates)/$(name).zip - $(BUILT_TARGET_FILES_PACKAGE): intermediates := $(intermediates) - $(BUILT_TARGET_FILES_PACKAGE): \ - zip_root := $(intermediates)/$(name) 
-+SIGNED_TARGET_FILES_PACKAGE := $(intermediates)/signed-$(name).zip -+MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(BUILT_TARGET_FILES_PACKAGE) -+ -+ifneq ($(SIGNING_KEY_DIR),) -+ MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(SIGNED_TARGET_FILES_PACKAGE) -+endif - - # $(1): Directory to copy - # $(2): Location to copy it to -@@ -1868,6 +1884,12 @@ else - OTA_FROM_TARGET_SCRIPT := $(TARGET_RELEASETOOL_OTA_FROM_TARGET_SCRIPT) - endif - -+ifeq ($(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT),) -+ SIGN_TARGET_SCRIPT := ./build/tools/releasetools/sign_target_files_apks -+else -+ SIGN_TARGET_SCRIPT := $(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT) -+endif -+ - ifeq ($(WITH_GMS),true) - $(INTERNAL_OTA_PACKAGE_TARGET): backuptool := false - else -@@ -1895,7 +1917,17 @@ ifneq ($(BLOCK_BASED_OTA),false) - $(INTERNAL_OTA_PACKAGE_TARGET): block_based := --block - endif - --$(INTERNAL_OTA_PACKAGE_TARGET): $(BUILT_TARGET_FILES_PACKAGE) $(DISTTOOLS) -+$(SIGNED_TARGET_FILES_PACKAGE): $(BUILT_TARGET_FILES_PACKAGE) $(DISTTOOLS) -+ @echo "$(SIGN_TARGET_SCRIPT)" > $(PRODUCT_OUT)/sign_script_path -+ @echo -e ${CL_YLW}"Sign target files:"${CL_RST}" $@" -+ $(hide) $(SIGN_TARGET_SCRIPT) \ -+ -d $(KEY_CERT_DIR) \ -+ -o \ -+ -e SMSSecure.apk,Orbot.apk,Android-IMSI-Catcher-Detector.apk,FreeOTP.apk,F-Droid.apk= \ -+ $(BUILT_TARGET_FILES_PACKAGE) \ -+ $(SIGNED_TARGET_FILES_PACKAGE) -+ -+$(INTERNAL_OTA_PACKAGE_TARGET): $(MAYBE_SIGNED_TARGET_FILES_PACKAGE) $(DISTTOOLS) - @echo "$(OTA_FROM_TARGET_SCRIPT)" > $(PRODUCT_OUT)/ota_script_path - @echo "$(override_device)" > $(PRODUCT_OUT)/ota_override_device - @echo -e ${CL_YLW}"Package OTA:"${CL_RST}" $@" -@@ -1907,7 +1939,7 @@ $(INTERNAL_OTA_PACKAGE_TARGET): $(BUILT_TARGET_FILES_PACKAGE) $(DISTTOOLS) - --backup=$(backuptool) \ - --override_device=$(override_device) $(override_prop) \ - $(if $(OEM_OTA_CONFIG), -o $(OEM_OTA_CONFIG)) \ -- $(BUILT_TARGET_FILES_PACKAGE) $@ -+ $(MAYBE_SIGNED_TARGET_FILES_PACKAGE) $@ - - CM_TARGET_PACKAGE := $(PRODUCT_OUT)/cm-$(CM_VERSION).zip - 
diff --git a/Patches/LineageOS-15.1/android_build/0001-Automated_Build_Signing.patch b/Patches/LineageOS-15.1/android_build/0001-Automated_Build_Signing.patch deleted file mode 100644 index 0ea3a157..00000000 --- a/Patches/LineageOS-15.1/android_build/0001-Automated_Build_Signing.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -From ca96d37d0d9d7fb74f6c72f74586f86f4b959d34 Mon Sep 17 00:00:00 2001 -From: Daniel Micay -Date: Tue, 3 Apr 2018 14:12:55 -0400 -Subject: [PATCH] Add optional automated signing - -Change-Id: I9ebd044c4c2f76688f7921b991055c57ec574986 ---- - core/Makefile | 42 +++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 39 insertions(+), 3 deletions(-) - -diff --git a/core/Makefile b/core/Makefile -index 1fb76cf44..034b5f791 100644 ---- a/core/Makefile -+++ b/core/Makefile -@@ -504,6 +504,10 @@ $(call dist-for-goals,droidcore,$(SOONG_TO_CONVERT)) - # exist with the suffixes ".x509.pem" and ".pk8". - DEFAULT_KEY_CERT_PAIR := $(DEFAULT_SYSTEM_DEV_CERTIFICATE) - -+ifneq ($(SIGNING_KEY_DIR),) -+ KEY_CERT_DIR := $(SIGNING_KEY_DIR) -+ DEFAULT_KEY_CERT_PAIR := $(SIGNING_KEY_DIR)/releasekey -+endif - - # Rules that need to be present for the all targets, even - # if they don't do anything. -@@ -1204,6 +1208,16 @@ endif - # substitute other keys for this one. - OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem - -+ifneq ($(SIGNING_KEY_DIR),) -+ OTA_PUBLIC_KEYS := $(SIGNING_KEY_DIR)/releasekey.x509.pem -+ PRODUCT_EXTRA_RECOVERY_KEYS += $(SIGNING_KEY_DIR)/extra -+else -+ ifneq ($(OTA_PACKAGE_SIGNING_KEY),) -+ OTA_PUBLIC_KEYS := $(OTA_PACKAGE_SIGNING_KEY).x509.pem -+ PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE) -+ endif -+endif -+ - # Generate a file containing the keys that will be read by the - # recovery binary. 
- RECOVERY_INSTALL_OTA_KEYS := \ -@@ -2300,6 +2314,13 @@ $(BUILT_TARGET_FILES_PACKAGE): intermediates := $(intermediates) - $(BUILT_TARGET_FILES_PACKAGE): \ - zip_root := $(intermediates)/$(name) - -+SIGNED_TARGET_FILES_PACKAGE := $(intermediates)/signed-$(name).zip -+MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(BUILT_TARGET_FILES_PACKAGE) -+ -+ifneq ($(SIGNING_KEY_DIR),) -+ MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(SIGNED_TARGET_FILES_PACKAGE) -+endif -+ - # $(1): Directory to copy - # $(2): Location to copy it to - # The "ls -A" is to prevent "acp s/* d" from failing if s is empty. -@@ -2758,6 +2779,12 @@ else - OTA_SCRIPT_OVERRIDE_DEVICE := $(TARGET_OTA_ASSERT_DEVICE) - endif - -+ifeq ($(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT),) -+ SIGN_TARGET_SCRIPT := ./build/tools/releasetools/sign_target_files_apks -+else -+ SIGN_TARGET_SCRIPT := $(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT) -+endif -+ - ifeq ($(WITH_GMS),true) - $(INTERNAL_OTA_PACKAGE_TARGET): backuptool := false - else -@@ -2768,18 +2795,27 @@ else - endif - endif - --$(INTERNAL_OTA_PACKAGE_TARGET): $(BUILT_TARGET_FILES_PACKAGE) \ -+$(SIGNED_TARGET_FILES_PACKAGE): $(BUILT_TARGET_FILES_PACKAGE) \ -+ build/tools/releasetools/sign_target_files_apks -+ @echo "$(SIGN_TARGET_SCRIPT)" > $(PRODUCT_OUT)/sign_script_path -+ @echo -e ${CL_YLW}"Sign target files:"${CL_RST}" $@" -+ $(hide) $(SIGN_TARGET_SCRIPT) \ -+ -d $(KEY_CERT_DIR) \ -+ -o \ -+ $(BUILT_TARGET_FILES_PACKAGE) \ -+ $(SIGNED_TARGET_FILES_PACKAGE) -+ -+$(INTERNAL_OTA_PACKAGE_TARGET): $(MAYBE_SIGNED_TARGET_FILES_PACKAGE) \ - build/tools/releasetools/ota_from_target_files - @echo "Package OTA: $@" - $(hide) PATH=$(foreach p,$(INTERNAL_USERIMAGES_BINARY_PATHS),$(p):)$$PATH MKBOOTIMG=$(MKBOOTIMG) \ - ./build/tools/releasetools/ota_from_target_files -v \ - --block \ -- --extracted_input_target_files $(patsubst %.zip,%,$(BUILT_TARGET_FILES_PACKAGE)) \ - -p $(HOST_OUT) \ - -k $(KEY_CERT_PAIR) \ - --backup=$(backuptool) \ - $(if $(OEM_OTA_CONFIG), -o $(OEM_OTA_CONFIG)) \ -- 
$(BUILT_TARGET_FILES_PACKAGE) $@ -+ $(MAYBE_SIGNED_TARGET_FILES_PACKAGE) $@ - - .PHONY: otapackage - otapackage: $(INTERNAL_OTA_PACKAGE_TARGET) --- -2.16.3 - diff --git a/Patches/LineageOS-16.0/android_build/0001-Automated_Build_Signing.patch b/Patches/LineageOS-16.0/android_build/0001-Automated_Build_Signing.patch deleted file mode 100644 index f14f679a..00000000 --- a/Patches/LineageOS-16.0/android_build/0001-Automated_Build_Signing.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -From b5ad740f0a0930081b8056eaf6e83873fa0b41ef Mon Sep 17 00:00:00 2001 -From: Daniel Micay -Date: Tue, 3 Apr 2018 14:12:55 -0400 -Subject: [PATCH] Add optional automated signing - -Change-Id: I9ebd044c4c2f76688f7921b991055c57ec574986 ---- - core/Makefile | 42 +++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 39 insertions(+), 3 deletions(-) - -diff --git a/core/Makefile b/core/Makefile -index 9498b47d4..a99677116 100644 ---- a/core/Makefile -+++ b/core/Makefile -@@ -612,6 +612,10 @@ $(call dist-for-goals,droidcore,$(PGO_PROFILE_MISSING)) - # exist with the suffixes ".x509.pem" and ".pk8". - DEFAULT_KEY_CERT_PAIR := $(DEFAULT_SYSTEM_DEV_CERTIFICATE) - -+ifneq ($(SIGNING_KEY_DIR),) -+ KEY_CERT_DIR := $(SIGNING_KEY_DIR) -+ DEFAULT_KEY_CERT_PAIR := $(SIGNING_KEY_DIR)/releasekey -+endif - - # Rules that need to be present for the all targets, even - # if they don't do anything. -@@ -1412,6 +1416,16 @@ endif - # substitute other keys for this one. - OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem - -+ifneq ($(SIGNING_KEY_DIR),) -+ OTA_PUBLIC_KEYS := $(SIGNING_KEY_DIR)/releasekey.x509.pem -+ PRODUCT_EXTRA_RECOVERY_KEYS += $(SIGNING_KEY_DIR)/extra -+else -+ ifneq ($(OTA_PACKAGE_SIGNING_KEY),) -+ OTA_PUBLIC_KEYS := $(OTA_PACKAGE_SIGNING_KEY).x509.pem -+ PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE) -+ endif -+endif -+ - # Generate a file containing the keys that will be read by the - # recovery binary. 
- RECOVERY_INSTALL_OTA_KEYS := \ -@@ -2682,6 +2696,13 @@ $(BUILT_TARGET_FILES_PACKAGE): intermediates := $(intermediates) - $(BUILT_TARGET_FILES_PACKAGE): \ - zip_root := $(intermediates)/$(name) - -+SIGNED_TARGET_FILES_PACKAGE := $(intermediates)/signed-$(name).zip -+MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(BUILT_TARGET_FILES_PACKAGE) -+ -+ifneq ($(SIGNING_KEY_DIR),) -+ MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(SIGNED_TARGET_FILES_PACKAGE) -+endif -+ - # $(1): Directory to copy - # $(2): Location to copy it to - # The "ls -A" is to prevent "acp s/* d" from failing if s is empty. -@@ -3148,6 +3169,12 @@ else - OTA_SCRIPT_OVERRIDE_DEVICE := $(TARGET_OTA_ASSERT_DEVICE) - endif - -+ifeq ($(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT),) -+ SIGN_TARGET_SCRIPT := ./build/tools/releasetools/sign_target_files_apks -+else -+ SIGN_TARGET_SCRIPT := $(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT) -+endif -+ - ifeq ($(WITH_GMS),true) - $(INTERNAL_OTA_PACKAGE_TARGET): backuptool := false - else -@@ -3158,18 +3185,27 @@ else - endif - endif - --$(INTERNAL_OTA_PACKAGE_TARGET): $(BUILT_TARGET_FILES_PACKAGE) \ -+$(SIGNED_TARGET_FILES_PACKAGE): $(BUILT_TARGET_FILES_PACKAGE) \ -+ build/tools/releasetools/sign_target_files_apks -+ @echo "$(SIGN_TARGET_SCRIPT)" > $(PRODUCT_OUT)/sign_script_path -+ @echo -e ${CL_YLW}"Sign target files:"${CL_RST}" $@" -+ $(hide) $(SIGN_TARGET_SCRIPT) \ -+ -d $(KEY_CERT_DIR) \ -+ -o \ -+ $(BUILT_TARGET_FILES_PACKAGE) \ -+ $(SIGNED_TARGET_FILES_PACKAGE) -+ -+$(INTERNAL_OTA_PACKAGE_TARGET): $(MAYBE_SIGNED_TARGET_FILES_PACKAGE) \ - build/make/tools/releasetools/ota_from_target_files - @echo "Package OTA: $@" - $(hide) PATH=$(foreach p,$(INTERNAL_USERIMAGES_BINARY_PATHS),$(p):)$$PATH MKBOOTIMG=$(MKBOOTIMG) \ - build/make/tools/releasetools/ota_from_target_files -v \ - --block \ -- --extracted_input_target_files $(patsubst %.zip,%,$(BUILT_TARGET_FILES_PACKAGE)) \ - -p $(HOST_OUT) \ - -k $(KEY_CERT_PAIR) \ - --backup=$(backuptool) \ - $(if $(OEM_OTA_CONFIG), -o $(OEM_OTA_CONFIG)) 
\ -- $(BUILT_TARGET_FILES_PACKAGE) $@ -+ $(MAYBE_SIGNED_TARGET_FILES_PACKAGE) $@ - - .PHONY: otapackage - otapackage: $(INTERNAL_OTA_PACKAGE_TARGET) --- -2.20.1 - diff --git a/Scripts/Common/Functions.sh b/Scripts/Common/Functions.sh index 308ace32..aa7e0a86 100644 --- a/Scripts/Common/Functions.sh +++ b/Scripts/Common/Functions.sh @@ -140,6 +140,39 @@ audit2allowADB() { } export -f audit2allowADB; +signRelease() { + #https://github.com/GrapheneOS/script/blob/pie/release.sh + DEVICE=$1; + VERITY=$2; + + DATE=$(date '+%Y%m%d') + KEY_DIR=$DOS_SIGNING_KEYS; + PREFIX="lineage_"; + VERSION=$(echo $DOS_VERSION | cut -f2 -d "-"); + TARGET_FILES=divested-$VERSION-$DATE-dos-$DEVICE-target_files.zip; + + if [ "$VERITY" = true ]; then + VERITY_SWITCHES=(--replace_verity_public_key "$KEY_DIR/verity_key.pub" \ + --replace_verity_private_key "$KEY_DIR/verity" \ + --replace_verity_keyid "$KEY_DIR/verity.x509.pem"); + fi; + + build/tools/releasetools/sign_target_files_apks -o -d "$KEY_DIR" \ + "${VERITY_SWITCHES[@]}" \ + out/target/product/$DEVICE/obj/PACKAGING/target_files_intermediates/$PREFIX$DEVICE-target_files-*.zip \ + $OUT/$TARGET_FILES; + + build/tools/releasetools/ota_from_target_files --block -k "$KEY_DIR/releasekey" \ + $OUT/$TARGET_FILES \ + $OUT/divested-$VERSION-$DATE-dos-$DEVICE-ota.zip; + + md5sum $OUT/divested-$VERSION-$DATE-dos-$DEVICE-ota.zip > $OUT/divested-$VERSION-$DATE-dos-$DEVICE-ota.zip.md5sum; + + #build/tools/releasetools/img_from_target_files $OUT/$TARGET_FILES \ + # $OUT/divested-$VERSION-$DATE-dos-$DEVICE-img.zip || exit 1; +} +export -f signRelease; + disableDexPreOpt() { cd "$DOS_BUILD_BASE$1"; if [ -f BoardConfig.mk ]; then diff --git a/Scripts/Generate_Signing_Keys.sh b/Scripts/Generate_Signing_Keys.sh index 39735534..54ea1b96 100644 --- a/Scripts/Generate_Signing_Keys.sh +++ b/Scripts/Generate_Signing_Keys.sh 
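Review bot: `VERITY_SWITCHES` in `signRelease` (Scripts/Common/Functions.sh) is a global that is only ever assigned and never cleared, so after one call with `VERITY` set to true every later call in the same shell still expands `"${VERITY_SWITCHES[@]}"` to the three `--replace_verity_*` options, including for devices that `buildAll` builds without the flag. Scoping the state per call fixes it: `local DEVICE=$1 VERITY=$2;` and `local VERITY_SWITCHES=();` before the `if`. Separately, the signing, OTA and checksum commands are joined with `;`, so a failed `sign_target_files_apks` still lets `ota_from_target_files` run on whatever `$OUT/$TARGET_FILES` an earlier run on the same date may have left behind; chaining them with `&&` stops at the first failure. The published checksum is MD5 only, which detects corruption but is not a sound integrity reference for a release artifact, so a `sha256sum` file alongside it would be worth adding.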
@@ -11,4 +11,6 @@ type='rsa'; #Options: rsa, ec "$DOS_BUILD_BASE"/development/tools/make_key shared "$desc" "$type"; "$DOS_BUILD_BASE"/development/tools/make_key verity "$desc" "$type"; +#https://grapheneos.org/build#generating-release-signing-keys + echo "Please copy created keys to your signing keys directory. Keep them safe!"; diff --git a/Scripts/LineageOS-11.0/Functions.sh b/Scripts/LineageOS-11.0/Functions.sh index f245f8d4..8ed3093a 100644 --- a/Scripts/LineageOS-11.0/Functions.sh +++ b/Scripts/LineageOS-11.0/Functions.sh @@ -49,7 +49,6 @@ export -f buildDeviceDebug; buildAll() { if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanWorkspaceForMalware; fi; if [ "$DOS_OPTIMIZE_IMAGES" = true ]; then optimizeImagesRecursive "$DOS_BUILD_BASE"; fi; - #Select devices are userdebug due to SELinux policy issues brunch lineage_nex-user; } export -f buildAll; diff --git a/Scripts/LineageOS-11.0/Patch.sh b/Scripts/LineageOS-11.0/Patch.sh index 658ba633..c720dfad 100644 --- a/Scripts/LineageOS-11.0/Patch.sh +++ b/Scripts/LineageOS-11.0/Patch.sh @@ -67,7 +67,6 @@ sed -i 's/LOCAL_DEX_PREOPT := false/LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACK sed -i 's/LOCAL_DEX_PREOPT := false/LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACKAGE_SUFFIX)/' vendor/fdroid_prebuilt/Android.mk; enterAndClear "build"; -#patch -p1 < "$DOS_PATCHES/android_build/0001-Automated_Build_Signing.patch"; #Automated build signing (CopperheadOS-13.0) #TODO BACKPORT-11.0 sed -i 's/Mms/Silence/' target/product/*.mk; #Replace AOSP Messaging app with Silence sed -i '497i$(LOCAL_INTERMEDIATE_TARGETS) : PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/base_rules.mk; sed -i '80iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package.mk; diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh index 20bb339f..8e7772e8 100644 --- a/Scripts/LineageOS-14.1/Patch.sh +++ b/Scripts/LineageOS-14.1/Patch.sh 
@@ -262,6 +262,8 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"'; if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi; find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"'; +#find "kernel" -maxdepth 3 -mindepth 2 -name "verifiedboot*.x509" -type f -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}"'; #"veri*keys.der.x509" +find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}/verifiedboot_divested_relkeys.der.x509"'; cd "$DOS_BUILD_BASE"; #Fixes diff --git a/Scripts/LineageOS-15.1/Functions.sh b/Scripts/LineageOS-15.1/Functions.sh index 27bee624..2b1effa2 100644 --- a/Scripts/LineageOS-15.1/Functions.sh +++ b/Scripts/LineageOS-15.1/Functions.sh @@ -35,7 +35,7 @@ scanWorkspaceForMalware() { export -f scanWorkspaceForMalware; buildDevice() { - brunch "lineage_$1-user"; + brunch "lineage_$1-user" && signRelease $1 $2; } export -f buildDevice; 
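Review bot: The added `find "kernel" … | xargs … bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" …'` line in Scripts/LineageOS-14.1/Patch.sh never checks that the certificate exists or that any copy succeeded, so with `DOS_SIGNING_KEYS` unset or not exported to the child shell every `cp` fails and the script simply moves on to `cd "$DOS_BUILD_BASE"`; which certificate the kernel then embeds is not visible from this hunk. A guard before the loop, `[ -f "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" ] || return 1;` (assuming Patch.sh is sourced, as the 16.0 `patchWorkspace` does), makes the missing-key case loud. The directory name is also substituted into the string that `bash -c` parses rather than passed as an argument; `bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "$1/verifiedboot_divested_relkeys.der.x509"' _ {}` avoids that. The same line is added in Scripts/LineageOS-15.1/Patch.sh and Scripts/LineageOS-16.0/Patch.sh.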
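Review bot: `signRelease $1 $2` in `buildDevice` (Scripts/LineageOS-15.1/Functions.sh) passes both arguments unquoted, so they undergo word splitting and globbing before `signRelease` sees them; `brunch "lineage_$1-user" && signRelease "$1" "$2";` keeps them intact and matches the quoting already used for the `brunch` argument. The identical change in Scripts/LineageOS-16.0/Functions.sh has the same form.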
@@ -49,39 +49,39 @@ export -f buildDeviceDebug; buildAll() { if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanWorkspaceForMalware; fi; if [ "$DOS_OPTIMIZE_IMAGES" = true ]; then optimizeImagesRecursive "$DOS_BUILD_BASE"; fi; - brunch lineage_angler-user; - brunch lineage_axon7-user; #broken - brunch lineage_bullhead-user; - brunch lineage_dragon-user; - brunch lineage_flo-user; - brunch lineage_flounder-user; - brunch lineage_h850-user; - brunch lineage_starlte-user; #broken - device/samsung/universal9810-common/audio: MODULE.TARGET.SHARED_LIBRARIES.libshim_audio_32 already defined by device/samsung/star-common/audio - brunch lineage_us996-user; - brunch lineage_us997-user; - brunch lineage_victara-user; + buildDevice angler true; + buildDevice axon7; #broken + buildDevice bullhead true; + buildDevice dragon true; + buildDevice flo; + buildDevice flounder true; + buildDevice h850; + buildDevice starlte; #broken - device/samsung/universal9810-common/audio: MODULE.TARGET.SHARED_LIBRARIES.libshim_audio_32 already defined by device/samsung/star-common/audio + buildDevice us996; + buildDevice us997; + buildDevice victara; #The following are all superseded, and should only be enabled if the newer version is broken (not building/booting/etc.) 
- brunch lineage_fugu-user; - brunch lineage_hammerhead-user; + buildDevice fugu; + buildDevice hammerhead; if [ "$DOS_BUILDALL_SUPERSEDED" = true ]; then - brunch lineage_bacon-user; - brunch lineage_crackling-user; - brunch lineage_d802-user; - brunch lineage_d852-user; - brunch lineage_d855-user; - brunch lineage_ether-user; - brunch lineage_FP2-user; - brunch lineage_griffin-user; - brunch lineage_ham-user; - brunch lineage_kipper-user; - brunch lineage_klte-user; - brunch lineage_m8-user; - brunch lineage_mako-user; - brunch lineage_marlin-user; - brunch lineage_mata-user; - brunch lineage_sailfish-user; - brunch lineage_shamu-user; + buildDevice bacon; + buildDevice crackling; + buildDevice d802; + buildDevice d852; + buildDevice d855; + buildDevice ether; + buildDevice FP2; + buildDevice griffin; + buildDevice ham; + buildDevice kipper; + buildDevice klte; + buildDevice m8; + buildDevice mako; + buildDevice marlin true; + buildDevice mata true; + buildDevice sailfish true; + buildDevice shamu true; fi; } export -f buildAll; diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh index 32e52f3d..00f48158 100644 --- a/Scripts/LineageOS-15.1/Patch.sh +++ b/Scripts/LineageOS-15.1/Patch.sh @@ -69,8 +69,6 @@ enterAndClear "bootable/recovery"; git revert ac258a4f4c4b4b91640cc477ad1ac125f206db02; #Resurrect dm-verity enterAndClear "build/make"; -patch -p1 < "$DOS_PATCHES/android_build/0001-Automated_Build_Signing.patch"; #Automated build signing (CopperheadOS-13.0) -awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk; sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; enterAndClear "device/lineage/sepolicy"; 
@@ -93,6 +91,7 @@ sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/ sed -i 's/DEFAULT_MAX_FILES_LOWRAM = 300;/DEFAULT_MAX_FILES_LOWRAM = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox sed -i 's/(notif.needNotify)/(true)/' location/java/com/android/internal/location/GpsNetInitiatedHandler.java; #Notify user when location is requested via SUPL sed -i 's/entry == null/entry == null || true/' core/java/android/os/RecoverySystem.java; #Skip update compatibiltity check XXX: TEMPORARY FIX +sed -i 's/!Build.isBuildConsistent()/false/' services/core/java/com/android/server/am/ActivityManagerService.java; #Disable fingerprint mismatch warning XXX: TEMPORARY FIX if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0002-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG) if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0003-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key changeDefaultDNS; @@ -100,6 +99,7 @@ changeDefaultDNS; patch -p1 < "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #don't grant location permission to system browsers patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #don't send IMSI to SUPL +patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #enable fingerprint failed lockout after 5 attempts rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then 
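Review bot: The added `sed -i 's/!Build.isBuildConsistent()/false/'` line in Scripts/LineageOS-15.1/Patch.sh switches off a platform consistency check with only `XXX: TEMPORARY FIX` as explanation, and `sed` exits successfully whether or not the pattern matched, so neither the reason nor the effect is verifiable from the script. The comment should say what produces the mismatch in these builds and what condition allows the line to be removed, for example `#Disable fingerprint mismatch warning until <condition, to be filled in> XXX: TEMPORARY FIX`. Until then users lose whatever signal that warning gives about mismatched images. The same line is added in Scripts/LineageOS-16.0/Patch.sh.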
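Review bot: The added `patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"` line has no status check, and one patch file is applied to both the 15.1 and 16.0 trees, so if it is rejected on either tree the build continues with the stock permanent-lockout threshold of 20. Appending `|| return 1` stops the run instead (`return` rather than `exit`, assuming this Patch.sh is sourced the way the 16.0 `patchWorkspace` sources its own). The neighbouring `patch` lines follow the same unchecked pattern, and whether `set -e` is in effect is not visible in this hunk. The same line is added in Scripts/LineageOS-16.0/Patch.sh.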
@@ -228,6 +228,8 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"'; if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi; find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"'; +#find "kernel" -maxdepth 3 -mindepth 2 -name "verifiedboot*.x509" -type f -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}"'; #"veri*keys.der.x509" +find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}/verifiedboot_divested_relkeys.der.x509"'; cd "$DOS_BUILD_BASE"; #Fix broken options enabled by hardenDefconfig() diff --git a/Scripts/LineageOS-16.0/Functions.sh b/Scripts/LineageOS-16.0/Functions.sh index 84241d13..5337a6d0 100644 --- a/Scripts/LineageOS-16.0/Functions.sh +++ b/Scripts/LineageOS-16.0/Functions.sh @@ -35,7 +35,7 @@ scanWorkspaceForMalware() { export -f scanWorkspaceForMalware; buildDevice() { - brunch "lineage_$1-user"; + brunch "lineage_$1-user" && signRelease $1 $2; } export -f buildDevice; 
@@ -49,35 +49,36 @@ export -f buildDeviceDebug; buildAll() { if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanWorkspaceForMalware; fi; if [ "$DOS_OPTIMIZE_IMAGES" = true ]; then optimizeImagesRecursive "$DOS_BUILD_BASE"; fi; - brunch lineage_mako-user; - brunch lineage_bacon-user; - brunch lineage_cheryl-user; #broken - brunch lineage_crackling-user; #broken - brunch lineage_d802-user; - brunch lineage_d852-user; - brunch lineage_d855-user; - brunch lineage_ether-user; - brunch lineage_FP2-user; - brunch lineage_fugu-user; #broken - brunch lineage_griffin-user; - brunch lineage_ham-user; - brunch lineage_hammerhead-user; #broken - brunch lineage_jfltexx-user; - brunch lineage_kipper-user; #broken - brunch lineage_klte-user; - brunch lineage_m8-user; - brunch lineage_marlin-user; - brunch lineage_mata-user; - brunch lineage_sailfish-user; - brunch lineage_shamu-user; - brunch lineage_z2_plus-user; #broken + buildDevice mako; + buildDevice bacon; + buildDevice cheryl; #broken + buildDevice crackling; #broken + buildDevice d802; + buildDevice d852; + buildDevice d855; + buildDevice ether; + buildDevice FP2; + buildDevice fugu; #broken + buildDevice griffin; + buildDevice ham; + buildDevice hammerhead; #broken + buildDevice jfltexx; + buildDevice kipper; #broken + buildDevice klte; + buildDevice m8; + buildDevice marlin true; + buildDevice mata true; + buildDevice sailfish true; + buildDevice shamu true; + buildDevice z2_plus true; #broken } export -f buildAll; patchWorkspace() { if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi; - #source build/envsetup.sh; + source build/envsetup.sh; + repopick -f 254249; #g3 nfc source "$DOS_SCRIPTS/Patch.sh"; source "$DOS_SCRIPTS/Defaults.sh"; diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh index 9b0be9ea..c5fbb06f 100644 --- a/Scripts/LineageOS-16.0/Patch.sh 
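Review bot: `repopick -f 254249` in `patchWorkspace` (Scripts/LineageOS-16.0/Functions.sh) pulls a Gerrit change by number at build time, which, unlike the `git revert <sha>` lines used elsewhere in these scripts, is not pinned to fixed content: a new patchset uploaded under the same number changes what gets built, and `-f` presumably forces the pick (confirm against the repopick help). Saving the change as a file under the Patches directory and applying it with `patch -p1`, as the other modifications are, keeps the build input reviewable and reproducible. `source build/envsetup.sh` is also newly uncommented here so that `repopick` is available, and `patchWorkspace`'s body continues outside the hunk.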
+++ b/Scripts/LineageOS-16.0/Patch.sh @@ -70,8 +70,6 @@ git revert fe2901b144c515c5a90b547198aed37c209b5a82; #Resurrect dm-verity enterAndClear "build/make"; git revert 271f6ffa045064abcac066e97f2cb53ccb3e5126 61f7ee9386be426fd4eadc2c8759362edb5bef8; #Add back PicoTTS and language files -patch -p1 < "$DOS_PATCHES/android_build/0001-Automated_Build_Signing.patch"; #Automated build signing (CopperheadOS-13.0) -awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk; sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; enterAndClear "device/qcom/sepolicy-legacy"; @@ -93,6 +91,7 @@ sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/ sed -i 's/DEFAULT_MAX_FILES_LOWRAM = 300;/DEFAULT_MAX_FILES_LOWRAM = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox sed -i 's/(notif.needNotify)/(true)/' location/java/com/android/internal/location/GpsNetInitiatedHandler.java; #Notify user when location is requested via SUPL sed -i 's/entry == null/entry == null || true/' core/java/android/os/RecoverySystem.java; #Skip update compatibiltity check XXX: TEMPORARY FIX +sed -i 's/!Build.isBuildConsistent()/false/' services/core/java/com/android/server/am/ActivityManagerService.java; #Disable fingerprint mismatch warning XXX: TEMPORARY FIX if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0002-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG) if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0003-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key changeDefaultDNS; 
@@ -101,6 +100,7 @@ patch -p1 < "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch"; patch -p1 < "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #always restrict access to Build.SERIAL patch -p1 < "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #don't grant location permission to system browsers patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #don't send IMSI to SUPL +patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #enable fingerprint failed lockout after 5 attempts rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then @@ -173,7 +173,6 @@ patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi; enterAndClear "system/sepolicy"; -#git revert 4c9031e4e2f45db3531d0bc602b2d9c9407a2d16; #neverallow patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices awk -i inplace '!/true cannot be used in user builds/' Android.mk; #Allow ignoring neverallows under -user @@ -208,6 +207,12 @@ enterAndClear "device/lge/g3-common"; sed -i '3itypeattribute hwaddrs misc_block_device_exception;' sepolicy/hwaddrs.te; sed -i '1itypeattribute wcnss_service misc_block_device_exception;' sepolicy/wcnss_service.te; +enterAndClear "device/lge/d852"; +git revert dbebbce20b2b303fe13f7078ef54154f9dd5d9e2; #fix nfc path + +enterAndClear "device/lge/d855"; +git revert 9a5739e66d0a44347881807c0cc44d7c318c02b8; #fix nfc path + enterAndClear "device/lge/mako"; git revert 218f7442874f7b7d494f265286a2151e2f81bb6e; #disable dexpreopt full and switch back to -mini echo "allow kickstart usbfs:dir search;" >> sepolicy/kickstart.te; #Fix forceencrypt on first boot 
@@ -232,6 +237,8 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"'; if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi; find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"'; +#find "kernel" -maxdepth 3 -mindepth 2 -name "verifiedboot*.x509" -type f -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}"'; #"veri*keys.der.x509" +find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}/verifiedboot_divested_relkeys.der.x509"'; cd "$DOS_BUILD_BASE"; #Fix broken options enabled by hardenDefconfig() diff --git a/Scripts/init.sh b/Scripts/init.sh index 9c42c000..d7f0df0c 100644 --- a/Scripts/init.sh +++ b/Scripts/init.sh @@ -35,7 +35,7 @@ export DOS_DEBLOBBER_REPLACE_TIME=false; #Set true to replace Qualcomm Time Serv export DOS_BUILDALL_SUPERSEDED=false; #Set true to build superseded devices when running buildAll() export DOS_GPS_GLONASS_FORCED=true; #Enables GLONASS on all devices -export DOS_GRAPHENE_MALLOC=false; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms +export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms export DOS_HOSTS_BLOCKING=true; #Switch to false to prevent inclusion of our HOSTS file export DOS_HOSTS_BLOCKING_APP="DNS66"; #App installed when built-in blocking is disabled. Options: Blokada, DNS66 export DOS_HOSTS_BLOCKING_LIST="https://divestos.org/hosts"; #Must be in the format "127.0.0.1 bad.domain.tld" 
@@ -127,7 +127,6 @@ fi; export DOS_SCRIPTS_CVES=$DOS_SCRIPTS"CVE_Patchers/"; export SIGNING_KEY_DIR=$DOS_SIGNING_KEYS; -export OTA_PACKAGE_SIGNING_KEY=$SIGNING_KEY_DIR"/releasekey"; export KBUILD_BUILD_USER="emy"; export KBUILD_BUILD_HOST="dosbm";