Failed attempt at fixing signing

PRODUCT_OTA_PUBLIC_KEYS is meant to be set by a vendor tree, something we don't use. Override it at the source and set it explicitely as well. This ensures that the compiled recovery.img and the one generated by sign_target_files_apks.py includes the real public keys for verification. 11.0 signing is ignored. This will need to be extensively tested as breakage can mean brick on locked devices. Although in failure cases it seems test-keys are accepted. -- After much testing there appears to be a deeper issue with how keys are inserted into the recovery and handled
2025-05-02 14:36:17 -04:00 · 2021-04-05 22:57:59 -04:00 · 2021-04-05 22:57:59 -04:00 · f3e672fb18
commit f3e672fb18
parent ad178961e4
17 changed files with 211 additions and 123 deletions
--- a/Patches/Common/android_build/0001-OTA_Keys.patch
+++ b/Patches/Common/android_build/0001-OTA_Keys.patch
@ -1,29 +0,0 @@
-From 2dc326c8e10dcee50439b49d329142c3c92273c4 Mon Sep 17 00:00:00 2001
-From: Tad <tad@spotco.us>
-Date: Sat, 14 Sep 2019 20:14:42 -0400
-Subject: [PATCH] Support OTA recovery key override
-
-Change-Id: I454674073684325a4bc484ef783665fb58b5a503
---
- core/Makefile | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/core/Makefile b/core/Makefile
-index f2a524d58..7c9735cf9 100644
--- a/core/Makefile
-+++ b/core/Makefile
-@@ -1217,6 +1217,11 @@ endif
- # substitute other keys for this one.
- OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
- 
-+ifneq ($(OTA_KEY_OVERRIDE_DIR),)
-+    OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
-+    PRODUCT_EXTRA_RECOVERY_KEYS := $(OTA_KEY_OVERRIDE_DIR)/extra
-+endif
-+
- # Generate a file containing the keys that will be read by the
- # recovery binary.
- RECOVERY_INSTALL_OTA_KEYS := \
-- 
-2.21.0
-