Minor tweaks

- 15.1+16.0: Replace in-line build signing patch with bash function
 - From GrapheneOS/script
- 15.1+16.0: Enable fingerprint failed lockout after 5 attempts
 - From GrapheneOS

Scripts/Common/Functions.sh

@@ -140,6 +140,39 @@ audit2allowADB() {
 }
 export -f audit2allowADB;
 
+signRelease() {
+	#https://github.com/GrapheneOS/script/blob/pie/release.sh
+	DEVICE=$1;
+	VERITY=$2;
+
+	DATE=$(date '+%Y%m%d')
+	KEY_DIR=$DOS_SIGNING_KEYS;
+	PREFIX="lineage_";
+	VERSION=$(echo $DOS_VERSION | cut -f2 -d "-");
+	TARGET_FILES=divested-$VERSION-$DATE-dos-$DEVICE-target_files.zip;
+
+	if [ "$VERITY" = true ]; then
+		VERITY_SWITCHES=(--replace_verity_public_key "$KEY_DIR/verity_key.pub" \
+			--replace_verity_private_key "$KEY_DIR/verity" \
+			--replace_verity_keyid "$KEY_DIR/verity.x509.pem");
+	fi;
+
+	build/tools/releasetools/sign_target_files_apks -o -d "$KEY_DIR" \
+		"${VERITY_SWITCHES[@]}" \
+		out/target/product/$DEVICE/obj/PACKAGING/target_files_intermediates/$PREFIX$DEVICE-target_files-*.zip \
+		$OUT/$TARGET_FILES;
+
+	build/tools/releasetools/ota_from_target_files --block -k "$KEY_DIR/releasekey" \
+		$OUT/$TARGET_FILES \
+		$OUT/divested-$VERSION-$DATE-dos-$DEVICE-ota.zip;
+
+	md5sum $OUT/divested-$VERSION-$DATE-dos-$DEVICE-ota.zip > $OUT/divested-$VERSION-$DATE-dos-$DEVICE-ota.zip.md5sum;
+
+	#build/tools/releasetools/img_from_target_files $OUT/$TARGET_FILES \
+	#	$OUT/divested-$VERSION-$DATE-dos-$DEVICE-img.zip || exit 1;
+}
+export -f signRelease;
+
 disableDexPreOpt() {
 	cd "$DOS_BUILD_BASE$1";
 	if [ -f BoardConfig.mk ]; then

Scripts/Generate_Signing_Keys.sh

@@ -11,4 +11,6 @@ type='rsa'; #Options: rsa, ec
 "$DOS_BUILD_BASE"/development/tools/make_key shared "$desc" "$type";
 "$DOS_BUILD_BASE"/development/tools/make_key verity "$desc" "$type";
 
+#https://grapheneos.org/build#generating-release-signing-keys
+
 echo "Please copy created keys to your signing keys directory. Keep them safe!";

Scripts/LineageOS-11.0/Functions.sh

@@ -49,7 +49,6 @@ export -f buildDeviceDebug;
 buildAll() {
 	if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanWorkspaceForMalware; fi;
 	if [ "$DOS_OPTIMIZE_IMAGES" = true ]; then optimizeImagesRecursive "$DOS_BUILD_BASE"; fi;
-	#Select devices are userdebug due to SELinux policy issues
 	brunch lineage_nex-user;
 }
 export -f buildAll;

Scripts/LineageOS-11.0/Patch.sh

@@ -67,7 +67,6 @@ sed -i 's/LOCAL_DEX_PREOPT := false/LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACK
 sed -i 's/LOCAL_DEX_PREOPT := false/LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACKAGE_SUFFIX)/' vendor/fdroid_prebuilt/Android.mk;
 
 enterAndClear "build";
-#patch -p1 < "$DOS_PATCHES/android_build/0001-Automated_Build_Signing.patch"; #Automated build signing (CopperheadOS-13.0) #TODO BACKPORT-11.0
 sed -i 's/Mms/Silence/' target/product/*.mk; #Replace AOSP Messaging app with Silence
 sed -i '497i$(LOCAL_INTERMEDIATE_TARGETS) : PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/base_rules.mk;
 sed -i '80iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package.mk;

Scripts/LineageOS-14.1/Patch.sh

@@ -262,6 +262,8 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
 find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
 if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
 find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
+#find "kernel" -maxdepth 3 -mindepth 2 -name "verifiedboot*.x509" -type f -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}"'; #"veri*keys.der.x509"
+find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}/verifiedboot_divested_relkeys.der.x509"';
 cd "$DOS_BUILD_BASE";
 
 #Fixes

Scripts/LineageOS-15.1/Functions.sh

@@ -35,7 +35,7 @@ scanWorkspaceForMalware() {
 export -f scanWorkspaceForMalware;
 
 buildDevice() {
-	brunch "lineage_$1-user";
+	brunch "lineage_$1-user" && signRelease $1 $2;
 }
 export -f buildDevice;
 
@@ -49,39 +49,39 @@ export -f buildDeviceDebug;
 buildAll() {
 	if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanWorkspaceForMalware; fi;
 	if [ "$DOS_OPTIMIZE_IMAGES" = true ]; then optimizeImagesRecursive "$DOS_BUILD_BASE"; fi;
-	brunch lineage_angler-user;
-	brunch lineage_axon7-user; #broken
-	brunch lineage_bullhead-user;
-	brunch lineage_dragon-user;
-	brunch lineage_flo-user;
-	brunch lineage_flounder-user;
-	brunch lineage_h850-user;
-	brunch lineage_starlte-user; #broken - device/samsung/universal9810-common/audio: MODULE.TARGET.SHARED_LIBRARIES.libshim_audio_32 already defined by device/samsung/star-common/audio
-	brunch lineage_us996-user;
-	brunch lineage_us997-user;
-	brunch lineage_victara-user;
+	buildDevice angler true;
+	buildDevice axon7; #broken
+	buildDevice bullhead true;
+	buildDevice dragon true;
+	buildDevice flo;
+	buildDevice flounder true;
+	buildDevice h850;
+	buildDevice starlte; #broken - device/samsung/universal9810-common/audio: MODULE.TARGET.SHARED_LIBRARIES.libshim_audio_32 already defined by device/samsung/star-common/audio
+	buildDevice us996;
+	buildDevice us997;
+	buildDevice victara;
 
 	#The following are all superseded, and should only be enabled if the newer version is broken (not building/booting/etc.)
-	brunch lineage_fugu-user;
-	brunch lineage_hammerhead-user;
+	buildDevice fugu;
+	buildDevice hammerhead;
 	if [ "$DOS_BUILDALL_SUPERSEDED" = true ]; then
-		brunch lineage_bacon-user;
-		brunch lineage_crackling-user;
-		brunch lineage_d802-user;
-		brunch lineage_d852-user;
-		brunch lineage_d855-user;
-		brunch lineage_ether-user;
-		brunch lineage_FP2-user;
-		brunch lineage_griffin-user;
-		brunch lineage_ham-user;
-		brunch lineage_kipper-user;
-		brunch lineage_klte-user;
-		brunch lineage_m8-user;
-		brunch lineage_mako-user;
-		brunch lineage_marlin-user;
-		brunch lineage_mata-user;
-		brunch lineage_sailfish-user;
-		brunch lineage_shamu-user;
+		buildDevice bacon;
+		buildDevice crackling;
+		buildDevice d802;
+		buildDevice d852;
+		buildDevice d855;
+		buildDevice ether;
+		buildDevice FP2;
+		buildDevice griffin;
+		buildDevice ham;
+		buildDevice kipper;
+		buildDevice klte;
+		buildDevice m8;
+		buildDevice mako;
+		buildDevice marlin true;
+		buildDevice mata true;
+		buildDevice sailfish true;
+		buildDevice shamu true;
 	fi;
 }
 export -f buildAll;

Scripts/LineageOS-15.1/Patch.sh

@@ -69,8 +69,6 @@ enterAndClear "bootable/recovery";
 git revert ac258a4f4c4b4b91640cc477ad1ac125f206db02; #Resurrect dm-verity
 
 enterAndClear "build/make";
-patch -p1 < "$DOS_PATCHES/android_build/0001-Automated_Build_Signing.patch"; #Automated build signing (CopperheadOS-13.0)
-awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;
 sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk;
 
 enterAndClear "device/lineage/sepolicy";
@@ -93,6 +91,7 @@ sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/
 sed -i 's/DEFAULT_MAX_FILES_LOWRAM = 300;/DEFAULT_MAX_FILES_LOWRAM = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox
 sed -i 's/(notif.needNotify)/(true)/' location/java/com/android/internal/location/GpsNetInitiatedHandler.java; #Notify user when location is requested via SUPL
 sed -i 's/entry == null/entry == null || true/' core/java/android/os/RecoverySystem.java; #Skip update compatibiltity check XXX: TEMPORARY FIX
+sed -i 's/!Build.isBuildConsistent()/false/' services/core/java/com/android/server/am/ActivityManagerService.java; #Disable fingerprint mismatch warning XXX: TEMPORARY FIX
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0002-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0003-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key
 changeDefaultDNS;
@@ -100,6 +99,7 @@ changeDefaultDNS;
 patch -p1 < "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries
 patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #don't grant location permission to system browsers
 patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #don't send IMSI to SUPL
+patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #enable fingerprint failed lockout after 5 attempts
 rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps
 
 if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then
@@ -228,6 +228,8 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
 find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
 if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
 find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
+#find "kernel" -maxdepth 3 -mindepth 2 -name "verifiedboot*.x509" -type f -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}"'; #"veri*keys.der.x509"
+find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}/verifiedboot_divested_relkeys.der.x509"';
 cd "$DOS_BUILD_BASE";
 
 #Fix broken options enabled by hardenDefconfig()

Scripts/LineageOS-16.0/Functions.sh

@@ -35,7 +35,7 @@ scanWorkspaceForMalware() {
 export -f scanWorkspaceForMalware;
 
 buildDevice() {
-	brunch "lineage_$1-user";
+	brunch "lineage_$1-user" && signRelease $1 $2;
 }
 export -f buildDevice;
 
@@ -49,35 +49,36 @@ export -f buildDeviceDebug;
 buildAll() {
 	if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanWorkspaceForMalware; fi;
 	if [ "$DOS_OPTIMIZE_IMAGES" = true ]; then optimizeImagesRecursive "$DOS_BUILD_BASE"; fi;
-	brunch lineage_mako-user;
-	brunch lineage_bacon-user;
-	brunch lineage_cheryl-user; #broken
-	brunch lineage_crackling-user; #broken
-	brunch lineage_d802-user;
-	brunch lineage_d852-user;
-	brunch lineage_d855-user;
-	brunch lineage_ether-user;
-	brunch lineage_FP2-user;
-	brunch lineage_fugu-user; #broken
-	brunch lineage_griffin-user;
-	brunch lineage_ham-user;
-	brunch lineage_hammerhead-user; #broken
-	brunch lineage_jfltexx-user;
-	brunch lineage_kipper-user; #broken
-	brunch lineage_klte-user;
-	brunch lineage_m8-user;
-	brunch lineage_marlin-user;
-	brunch lineage_mata-user;
-	brunch lineage_sailfish-user;
-	brunch lineage_shamu-user;
-	brunch lineage_z2_plus-user; #broken
+	buildDevice mako;
+	buildDevice bacon;
+	buildDevice cheryl; #broken
+	buildDevice crackling; #broken
+	buildDevice d802;
+	buildDevice d852;
+	buildDevice d855;
+	buildDevice ether;
+	buildDevice FP2;
+	buildDevice fugu; #broken
+	buildDevice griffin;
+	buildDevice ham;
+	buildDevice hammerhead; #broken
+	buildDevice jfltexx;
+	buildDevice kipper; #broken
+	buildDevice klte;
+	buildDevice m8;
+	buildDevice marlin true;
+	buildDevice mata true;
+	buildDevice sailfish true;
+	buildDevice shamu true;
+	buildDevice z2_plus true; #broken
 }
 export -f buildAll;
 
 patchWorkspace() {
 	if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
 
-	#source build/envsetup.sh;
+	source build/envsetup.sh;
+	repopick -f 254249; #g3 nfc
 
 	source "$DOS_SCRIPTS/Patch.sh";
 	source "$DOS_SCRIPTS/Defaults.sh";

Scripts/LineageOS-16.0/Patch.sh

@@ -70,8 +70,6 @@ git revert fe2901b144c515c5a90b547198aed37c209b5a82; #Resurrect dm-verity
 
 enterAndClear "build/make";
 git revert 271f6ffa045064abcac066e97f2cb53ccb3e5126 61f7ee9386be426fd4eadc2c8759362edb5bef8; #Add back PicoTTS and language files
-patch -p1 < "$DOS_PATCHES/android_build/0001-Automated_Build_Signing.patch"; #Automated build signing (CopperheadOS-13.0)
-awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;
 sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk;
 
 enterAndClear "device/qcom/sepolicy-legacy";
@@ -93,6 +91,7 @@ sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/
 sed -i 's/DEFAULT_MAX_FILES_LOWRAM = 300;/DEFAULT_MAX_FILES_LOWRAM = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox
 sed -i 's/(notif.needNotify)/(true)/' location/java/com/android/internal/location/GpsNetInitiatedHandler.java; #Notify user when location is requested via SUPL
 sed -i 's/entry == null/entry == null || true/' core/java/android/os/RecoverySystem.java; #Skip update compatibiltity check XXX: TEMPORARY FIX
+sed -i 's/!Build.isBuildConsistent()/false/' services/core/java/com/android/server/am/ActivityManagerService.java; #Disable fingerprint mismatch warning XXX: TEMPORARY FIX
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0002-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0003-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key
 changeDefaultDNS;
@@ -101,6 +100,7 @@ patch -p1 < "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch";
 patch -p1 < "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #always restrict access to Build.SERIAL
 patch -p1 < "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #don't grant location permission to system browsers
 patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #don't send IMSI to SUPL
+patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #enable fingerprint failed lockout after 5 attempts
 rm -rf packages/PrintRecommendationService; #App that just creates popups to install proprietary print apps
 
 if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then
@@ -173,7 +173,6 @@ patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi;
 
 enterAndClear "system/sepolicy";
-#git revert 4c9031e4e2f45db3531d0bc602b2d9c9407a2d16; #neverallow
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices
 awk -i inplace '!/true cannot be used in user builds/' Android.mk; #Allow ignoring neverallows under -user
 
@@ -208,6 +207,12 @@ enterAndClear "device/lge/g3-common";
 sed -i '3itypeattribute hwaddrs misc_block_device_exception;' sepolicy/hwaddrs.te;
 sed -i '1itypeattribute wcnss_service misc_block_device_exception;' sepolicy/wcnss_service.te;
 
+enterAndClear "device/lge/d852";
+git revert dbebbce20b2b303fe13f7078ef54154f9dd5d9e2; #fix nfc path
+
+enterAndClear "device/lge/d855";
+git revert 9a5739e66d0a44347881807c0cc44d7c318c02b8; #fix nfc path
+
 enterAndClear "device/lge/mako";
 git revert 218f7442874f7b7d494f265286a2151e2f81bb6e; #disable dexpreopt full and switch back to -mini
 echo "allow kickstart usbfs:dir search;" >> sepolicy/kickstart.te; #Fix forceencrypt on first boot
@@ -232,6 +237,8 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
 find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
 if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
 find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
+#find "kernel" -maxdepth 3 -mindepth 2 -name "verifiedboot*.x509" -type f -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}"'; #"veri*keys.der.x509"
+find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}/verifiedboot_divested_relkeys.der.x509"';
 cd "$DOS_BUILD_BASE";
 
 #Fix broken options enabled by hardenDefconfig()

Scripts/init.sh

@@ -35,7 +35,7 @@ export DOS_DEBLOBBER_REPLACE_TIME=false; #Set true to replace Qualcomm Time Serv
 
 export DOS_BUILDALL_SUPERSEDED=false; #Set true to build superseded devices when running buildAll()
 export DOS_GPS_GLONASS_FORCED=true; #Enables GLONASS on all devices
-export DOS_GRAPHENE_MALLOC=false; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms
+export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms
 export DOS_HOSTS_BLOCKING=true; #Switch to false to prevent inclusion of our HOSTS file
 export DOS_HOSTS_BLOCKING_APP="DNS66"; #App installed when built-in blocking is disabled. Options: Blokada, DNS66
 export DOS_HOSTS_BLOCKING_LIST="https://divestos.org/hosts"; #Must be in the format "127.0.0.1 bad.domain.tld"
@@ -127,7 +127,6 @@ fi;
 export DOS_SCRIPTS_CVES=$DOS_SCRIPTS"CVE_Patchers/";
 
 export SIGNING_KEY_DIR=$DOS_SIGNING_KEYS;
-export OTA_PACKAGE_SIGNING_KEY=$SIGNING_KEY_DIR"/releasekey";
 
 export KBUILD_BUILD_USER="emy";
 export KBUILD_BUILD_HOST="dosbm";