Failed attempt at fixing signing

PRODUCT_OTA_PUBLIC_KEYS is meant to be set by a vendor tree, something we don't use. Override it at the source and set it explicitely as well. This ensures that the compiled recovery.img and the one generated by sign_target_files_apks.py includes the real public keys for verification. 11.0 signing is ignored. This will need to be extensively tested as breakage can mean brick on locked devices. Although in failure cases it seems test-keys are accepted. -- After much testing there appears to be a deeper issue with how keys are inserted into the recovery and handled
2025-08-14 17:15:56 -04:00 · 2021-04-05 22:57:59 -04:00 · 2021-04-05 22:57:59 -04:00 · f3e672fb18
commit f3e672fb18
parent ad178961e4
17 changed files with 211 additions and 123 deletions
--- a/Patches/Common/android_build/0001-OTA_Keys.patch
+++ b/Patches/Common/android_build/0001-OTA_Keys.patch
@ -1,29 +0,0 @@
-From 2dc326c8e10dcee50439b49d329142c3c92273c4 Mon Sep 17 00:00:00 2001
-From: Tad <tad@spotco.us>
-Date: Sat, 14 Sep 2019 20:14:42 -0400
-Subject: [PATCH] Support OTA recovery key override
-
-Change-Id: I454674073684325a4bc484ef783665fb58b5a503
---
- core/Makefile | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/core/Makefile b/core/Makefile
-index f2a524d58..7c9735cf9 100644
--- a/core/Makefile
-+++ b/core/Makefile
-@@ -1217,6 +1217,11 @@ endif
- # substitute other keys for this one.
- OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
- 
-+ifneq ($(OTA_KEY_OVERRIDE_DIR),)
-+    OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
-+    PRODUCT_EXTRA_RECOVERY_KEYS := $(OTA_KEY_OVERRIDE_DIR)/extra
-+endif
-+
- # Generate a file containing the keys that will be read by the
- # recovery binary.
- RECOVERY_INSTALL_OTA_KEYS := \
-- 
-2.21.0
-
--- a/Patches/LineageOS-14.1/android_build/0001-OTA_Keys.patch
+++ b/Patches/LineageOS-14.1/android_build/0001-OTA_Keys.patch
@ -1,29 +1,46 @@
-From 3d9a2560ff4ce717b91724d941c3607abe8fa09f Mon Sep 17 00:00:00 2001
+From 7982c8a06516e8b1d113953a3f3cf2e32a3a7ba5 Mon Sep 17 00:00:00 2001
 From: Tad <tad@spotco.us>
-Date: Sat, 14 Sep 2019 20:12:26 -0400
-Subject: [PATCH] Support OTA recovery key override
+Date: Mon, 5 Apr 2021 23:11:12 -0400
+Subject: [PATCH] Allow setting OTA public keys from environment variable

-Change-Id: Icafdb77a0c39353aaefbdf65a83f76be6e3e5f63
+Change-Id: Iaa8890283c30441bf8543a8ca1cd9296e9453d91
 ---
- core/Makefile | 5 +++++
- 1 file changed, 5 insertions(+)
+ core/Makefile          | 5 ++---
+ core/product_config.mk | 5 +++++
+ 2 files changed, 7 insertions(+), 3 deletions(-)

 diff --git a/core/Makefile b/core/Makefile
-index 3fb424733..a87bce4df 100644
+index 3fb424733..67e0170e6 100644
 --- a/core/Makefile
 +++ b/core/Makefile
-@@ -1038,6 +1038,11 @@ ifneq ($(OTA_PACKAGE_SIGNING_KEY),)
-     PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
- endif
+@@ -1033,9 +1033,8 @@ endif
+ # substitute other keys for this one.
+ OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
 
+-ifneq ($(OTA_PACKAGE_SIGNING_KEY),)
+-    OTA_PUBLIC_KEYS := $(OTA_PACKAGE_SIGNING_KEY).x509.pem
+-    PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
 +ifneq ($(OTA_KEY_OVERRIDE_DIR),)
 +    OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
+ endif
+ 
+ # Generate a file containing the keys that will be read by the
+diff --git a/core/product_config.mk b/core/product_config.mk
+index 7b440b1ef..f26ebb6d5 100644
+--- a/core/product_config.mk
+++ b/core/product_config.mk
+@@ -422,6 +422,11 @@ PRODUCT_OTA_PUBLIC_KEYS := $(sort \
+ PRODUCT_EXTRA_RECOVERY_KEYS := $(sort \
+     $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_EXTRA_RECOVERY_KEYS))
+ 
+ifneq ($(OTA_KEY_OVERRIDE_DIR),)
+    PRODUCT_OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
 +    PRODUCT_EXTRA_RECOVERY_KEYS := $(OTA_KEY_OVERRIDE_DIR)/extra
 +endif
 +
- # Generate a file containing the keys that will be read by the
- # recovery binary.
- RECOVERY_INSTALL_OTA_KEYS := \
+ PRODUCT_DEX_PREOPT_DEFAULT_FLAGS := \
+     $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_DEX_PREOPT_DEFAULT_FLAGS))
+ PRODUCT_DEX_PREOPT_BOOT_FLAGS := \
 -- 
-2.21.0
+2.30.2

--- a/Patches/LineageOS-15.1/android_build/0001-OTA_Keys.patch
+++ b/Patches/LineageOS-15.1/android_build/0001-OTA_Keys.patch
@ -0,0 +1,45 @@
+From 6b2e3eb190363d4e5957890826e97f5674b38539 Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Mon, 5 Apr 2021 23:03:18 -0400
+Subject: [PATCH] Allow setting OTA public keys from environment variable
+
+Change-Id: Ie7edd059b8d701d5ec0d0d922e23d034f69e579f
+---
+ core/Makefile          | 4 ++++
+ core/product_config.mk | 5 +++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/core/Makefile b/core/Makefile
+index f2a524d58..92c7928d3 100644
+--- a/core/Makefile
+++ b/core/Makefile
+@@ -1217,6 +1217,10 @@ endif
+ # substitute other keys for this one.
+ OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+ 
+ifneq ($(OTA_KEY_OVERRIDE_DIR),)
+    OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
+endif
+
+ # Generate a file containing the keys that will be read by the
+ # recovery binary.
+ RECOVERY_INSTALL_OTA_KEYS := \
+diff --git a/core/product_config.mk b/core/product_config.mk
+index bcab7a384..401d27054 100644
+--- a/core/product_config.mk
+++ b/core/product_config.mk
+@@ -404,6 +404,11 @@ PRODUCT_OTA_PUBLIC_KEYS := $(sort \
+ PRODUCT_EXTRA_RECOVERY_KEYS := $(sort \
+     $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_EXTRA_RECOVERY_KEYS))
+ 
+ifneq ($(OTA_KEY_OVERRIDE_DIR),)
+    PRODUCT_OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
+    PRODUCT_EXTRA_RECOVERY_KEYS := $(OTA_KEY_OVERRIDE_DIR)/extra
+endif
+
+ PRODUCT_DEX_PREOPT_DEFAULT_FLAGS := \
+     $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_DEX_PREOPT_DEFAULT_FLAGS))
+ PRODUCT_DEX_PREOPT_BOOT_FLAGS := \
+-- 
+2.30.2
+
--- a/Patches/LineageOS-16.0/android_build/0001-OTA_Keys.patch
+++ b/Patches/LineageOS-16.0/android_build/0001-OTA_Keys.patch
@ -0,0 +1,45 @@
+From d77b1a23b87813edb3133d314760249e1873cdf8 Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Mon, 5 Apr 2021 23:00:41 -0400
+Subject: [PATCH] Allow setting OTA public keys from environment variable
+
+Change-Id: Id2338b2d30f7c477583a34f4171d37b70f0a6e92
+---
+ core/Makefile          | 4 ++++
+ core/product_config.mk | 5 +++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/core/Makefile b/core/Makefile
+index 404bb5413..bd23c8be3 100644
+--- a/core/Makefile
+++ b/core/Makefile
+@@ -1413,6 +1413,10 @@ endif
+ # substitute other keys for this one.
+ OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+ 
+ifneq ($(OTA_KEY_OVERRIDE_DIR),)
+    OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
+endif
+
+ # Generate a file containing the keys that will be read by the
+ # recovery binary.
+ RECOVERY_INSTALL_OTA_KEYS := \
+diff --git a/core/product_config.mk b/core/product_config.mk
+index 2c3f21f1d..a300efbcf 100644
+--- a/core/product_config.mk
+++ b/core/product_config.mk
+@@ -399,6 +399,11 @@ PRODUCT_OTA_PUBLIC_KEYS := $(sort \
+ PRODUCT_EXTRA_RECOVERY_KEYS := $(sort \
+     $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_EXTRA_RECOVERY_KEYS))
+ 
+ifneq ($(OTA_KEY_OVERRIDE_DIR),)
+    PRODUCT_OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
+    PRODUCT_EXTRA_RECOVERY_KEYS := $(OTA_KEY_OVERRIDE_DIR)/extra
+endif
+
+ PRODUCT_DEX_PREOPT_DEFAULT_COMPILER_FILTER := \
+     $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_DEX_PREOPT_DEFAULT_COMPILER_FILTER))
+ PRODUCT_DEX_PREOPT_DEFAULT_FLAGS := \
+-- 
+2.30.2
+
--- a/Patches/LineageOS-17.1/android_build/0002-OTA_Keys.patch
+++ b/Patches/LineageOS-17.1/android_build/0002-OTA_Keys.patch
@ -0,0 +1,45 @@
+From 1dd6a60f1fe8305f74795225a26a8301c690d898 Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Mon, 5 Apr 2021 22:55:30 -0400
+Subject: [PATCH] Allow setting OTA public keys from environment variable
+
+Change-Id: I23c4acdff039f141afafcd0e736a341992f2f8ec
+---
+ core/Makefile          | 4 ++++
+ core/product_config.mk | 5 +++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/core/Makefile b/core/Makefile
+index a5eef489f..64468d841 100644
+--- a/core/Makefile
+++ b/core/Makefile
+@@ -1891,6 +1891,10 @@ endif
+ # substitute other keys for this one.
+ OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+ 
+ifneq ($(OTA_KEY_OVERRIDE_DIR),)
+    OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
+endif
+
+ # Generate a file containing the keys that will be read by the
+ # recovery binary.
+ RECOVERY_INSTALL_OTA_KEYS := \
+diff --git a/core/product_config.mk b/core/product_config.mk
+index 9460357ca..be4bfec75 100644
+--- a/core/product_config.mk
+++ b/core/product_config.mk
+@@ -326,6 +326,11 @@ ENFORCE_SYSTEM_CERTIFICATE_WHITELIST := $(PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_RE
+ PRODUCT_OTA_PUBLIC_KEYS := $(sort $(PRODUCT_OTA_PUBLIC_KEYS))
+ PRODUCT_EXTRA_RECOVERY_KEYS := $(sort $(PRODUCT_EXTRA_RECOVERY_KEYS))
+ 
+ifneq ($(OTA_KEY_OVERRIDE_DIR),)
+    PRODUCT_OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
+    PRODUCT_EXTRA_RECOVERY_KEYS := $(OTA_KEY_OVERRIDE_DIR)/extra
+endif
+
+ # Resolve and setup per-module dex-preopt configs.
+ DEXPREOPT_DISABLED_MODULES :=
+ # If a module has multiple setups, the first takes precedence.
+-- 
+2.30.2
+
--- a/Patches/LineageOS-18.1/android_build/0002-OTA_Keys.patch
+++ b/Patches/LineageOS-18.1/android_build/0002-OTA_Keys.patch
@ -1,29 +1,29 @@
-From 7cea4afe3e17c1dc8910c8ae9ad551bf280173ea Mon Sep 17 00:00:00 2001
+From e09adb8a973f11208058c4c74aa32b9899b1d6df Mon Sep 17 00:00:00 2001
 From: Tad <tad@spotco.us>
-Date: Wed, 31 Mar 2021 01:26:27 -0400
-Subject: [PATCH] Support OTA recovery key override
+Date: Mon, 5 Apr 2021 22:53:31 -0400
+Subject: [PATCH] Allow setting OTA public keys from environment variable

-Change-Id: I216c121a54331e9424dfc1543f85752b07229d9b
+Change-Id: Ic8076ff80fbf39c47e20a2fbfda4a6d8592d431b
 ---
 core/product_config.mk | 5 +++++
 1 file changed, 5 insertions(+)

 diff --git a/core/product_config.mk b/core/product_config.mk
-index a16af05cf..0152a3543 100644
+index a16af05cf..4849d5009 100644
 --- a/core/product_config.mk
 +++ b/core/product_config.mk
-@@ -280,6 +280,11 @@ $(foreach pair,$(PRODUCT_UPDATABLE_BOOT_JARS), \
- ENFORCE_SYSTEM_CERTIFICATE := $(PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT)
- ENFORCE_SYSTEM_CERTIFICATE_ALLOW_LIST := $(PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_ALLOW_LIST)
- 
-+ifneq ($(OTA_KEY_OVERRIDE_DIR),)
-+    OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
-+    PRODUCT_EXTRA_RECOVERY_KEYS := $(OTA_KEY_OVERRIDE_DIR)/extra
-+endif
-+
+@@ -283,6 +283,11 @@ ENFORCE_SYSTEM_CERTIFICATE_ALLOW_LIST := $(PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_R
 PRODUCT_OTA_PUBLIC_KEYS := $(sort $(PRODUCT_OTA_PUBLIC_KEYS))
 PRODUCT_EXTRA_RECOVERY_KEYS := $(sort $(PRODUCT_EXTRA_RECOVERY_KEYS))
 
+ifneq ($(OTA_KEY_OVERRIDE_DIR),)
+    PRODUCT_OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
+    PRODUCT_EXTRA_RECOVERY_KEYS := $(OTA_KEY_OVERRIDE_DIR)/extra
+endif
+
+ # Resolve and setup per-module dex-preopt configs.
+ DEXPREOPT_DISABLED_MODULES :=
+ # If a module has multiple setups, the first takes precedence.
 -- 
 2.30.2