Failed attempt at fixing signing

PRODUCT_OTA_PUBLIC_KEYS is meant to be set by a vendor tree, something
we don't use.

Override it at the source and set it explicitely as well.

This ensures that the compiled recovery.img and the one generated by
sign_target_files_apks.py includes the real public keys for verification.

11.0 signing is ignored.

This will need to be extensively tested as breakage can mean brick on locked
devices.
Although in failure cases it seems test-keys are accepted.

--

After much testing there appears to be a deeper issue with how keys
are inserted into the recovery and handled

Scripts/Common/Functions.sh

@@ -154,7 +154,7 @@ processRelease() {
 	local ARCHIVE="$DOS_BUILDS/$DOS_VERSION/release_keys/";
 	local OUT_DIR="$DOS_BUILD_BASE/out/target/product/$DEVICE/";
 
-	local RELEASETOOLS_PREFIX="build/tools/releasetools/"; #XXX: FIXME 18REBASE
+	local RELEASETOOLS_PREFIX="build/tools/releasetools/";
 	if [[ "$DOS_VERSION" == "LineageOS-18.1" ]]; then
 		local RELEASETOOLS_PREFIX="";
 	fi;
@@ -183,7 +183,7 @@ processRelease() {
 	#Malware Scan
 	if [ "$DOS_MALWARE_SCAN_BEFORE_SIGN" = true ]; then
 		echo -e "\e[0;32mScanning files for malware before signing\e[0m";
-		scanForMalware false "$OUT_DIR/obj/PACKAGING/target_files_intermediates/*$DEVICE-target_files-*.zip";
+		scanForMalware false $OUT_DIR/obj/PACKAGING/target_files_intermediates/*$DEVICE-target_files-*.zip;
 	fi;
 
 	#Target Files
@@ -191,26 +191,28 @@ processRelease() {
 	"$RELEASETOOLS_PREFIX"sign_target_files_apks -o -d "$KEY_DIR" \
 		"${VERITY_SWITCHES[@]}" \
 		$OUT_DIR/obj/PACKAGING/target_files_intermediates/*$DEVICE-target_files-*.zip \
-		$OUT_DIR/$PREFIX-target_files.zip;
-	sha512sum $OUT_DIR/$PREFIX-target_files.zip > $OUT_DIR/$PREFIX-target_files.zip.sha512sum;
+		"$OUT_DIR/$PREFIX-target_files.zip";
+	sha512sum "$OUT_DIR/$PREFIX-target_files.zip" > "$OUT_DIR/$PREFIX-target_files.zip.sha512sum";
 	local INCREMENTAL_ID=$(grep "ro.build.version.incremental" $OUT_DIR/system/build.prop | cut -f2 -d "=" | sed 's/\.//g');
-	echo $INCREMENTAL_ID > $OUT_DIR/$PREFIX-target_files.zip.id;
+	echo "$INCREMENTAL_ID" > "$OUT_DIR/$PREFIX-target_files.zip.id";
 
 	#Image
-	if [ ! -f $OUT_DIR/recovery.img ]; then
+	unzip -l $OUT_DIR/$PREFIX-target_files.zip | grep -q recovery.img;
+	local hasRecoveryImg="$?";
+	if [ "$hasRecoveryImg" == "0" ]; then
 		echo -e "\e[0;32mCreating fastboot image\e[0m";
-		"$RELEASETOOLS_PREFIX"img_from_target_files $OUT_DIR/$PREFIX-target_files.zip \
-			$OUT_DIR/$PREFIX-fastboot.zip || exit 1;
-		sha512sum $OUT_DIR/$PREFIX-fastboot.zip > $OUT_DIR/$PREFIX-fastboot.zip.sha512sum;
+		"$RELEASETOOLS_PREFIX"img_from_target_files "$bootOnly" "$OUT_DIR/$PREFIX-target_files.zip" \
+			"$OUT_DIR/$PREFIX-fastboot.zip";
+		sha512sum "$OUT_DIR/$PREFIX-fastboot.zip" > "$OUT_DIR/$PREFIX-fastboot.zip.sha512sum";
 	fi
 
 	#OTA
 	echo -e "\e[0;32mCreating OTA\e[0m";
 	"$RELEASETOOLS_PREFIX"ota_from_target_files $BLOCK_SWITCHES -k "$KEY_DIR/releasekey" \
-		$OUT_DIR/$PREFIX-target_files.zip  \
-		$OUT_DIR/$PREFIX-ota.zip;
-	md5sum $OUT_DIR/$PREFIX-ota.zip > $OUT_DIR/$PREFIX-ota.zip.md5sum;
-	sha512sum $OUT_DIR/$PREFIX-ota.zip > $OUT_DIR/$PREFIX-ota.zip.sha512sum;
+		"$OUT_DIR/$PREFIX-target_files.zip"  \
+		"$OUT_DIR/$PREFIX-ota.zip";
+	md5sum "$OUT_DIR/$PREFIX-ota.zip" > "$OUT_DIR/$PREFIX-ota.zip.md5sum";
+	sha512sum "$OUT_DIR/$PREFIX-ota.zip" > "$OUT_DIR/$PREFIX-ota.zip.sha512sum";
 
 	#Deltas
 	if [ "$DOS_GENERATE_DELTAS" = true ]; then
@@ -218,31 +220,23 @@ processRelease() {
 			if [[ -f "$LAST_TARGET_FILES.id" ]]; then
 				local LAST_INCREMENTAL_ID=$(cat "$LAST_TARGET_FILES.id");
 				echo -e "\e[0;32mGenerating incremental OTA against $LAST_INCREMENTAL_ID\e[0m";
-				#TODO: Verify GPG signature and checksum of target-files first!
+				#TODO: Verify GPG signature and checksum of previous target-files first!
 				"$RELEASETOOLS_PREFIX"ota_from_target_files $BLOCK_SWITCHES -t 8 -k "$KEY_DIR/releasekey" -i \
 					"$LAST_TARGET_FILES" \
-					$OUT_DIR/$PREFIX-target_files.zip \
-					$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip;
-				sha512sum $OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip > $OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip.sha512sum;
+					"$OUT_DIR/$PREFIX-target_files.zip" \
+					"$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip";
+				sha512sum "$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip" > "$OUT_DIR/$PREFIX-incremental_$LAST_INCREMENTAL_ID.zip.sha512sum";
 			fi;
 		done;
 	fi;
 
 	#Extract signed recovery
-	unzip -l $OUT_DIR/$PREFIX-target_files.zip | grep -q recovery.img;
-	local hasRecoveryImg=$?;
 	if [ "$hasRecoveryImg" == "0" ]; then
 		echo -e "\e[0;32mExtracting signed recovery.img\e[0m";
-		mkdir $OUT_DIR/rec_tmp;
-		unzip $OUT_DIR/$PREFIX-target_files.zip IMAGES/recovery.img -d $OUT_DIR/rec_tmp;
-		mv $OUT_DIR/rec_tmp/IMAGES/recovery.img $OUT_DIR/$PREFIX-recovery.img;
-		sha512sum $OUT_DIR/$PREFIX-recovery.img > $OUT_DIR/$PREFIX-recovery.img.sha512sum;
-	#else
-	#	echo -e "\e[0;32mExtracting signed boot.img\e[0m";
-	#	mkdir $OUT_DIR/rec_tmp;
-	#	unzip $OUT_DIR/$PREFIX-target_files.zip IMAGES/boot.img -d $OUT_DIR/rec_tmp;
-	#	mv $OUT_DIR/rec_tmp/IMAGES/boot.img $OUT_DIR/$PREFIX-boot.img;
-	#	sha512sum $OUT_DIR/$PREFIX-boot.img > $OUT_DIR/$PREFIX-boot.img.sha512sum;
+		mkdir "$OUT_DIR/rec_tmp";
+		unzip "$OUT_DIR/$PREFIX-target_files.zip" "IMAGES/recovery.img" -d "$OUT_DIR/rec_tmp";
+		mv "$OUT_DIR/rec_tmp/IMAGES/recovery.img" "$OUT_DIR/$PREFIX-recovery.img";
+		sha512sum "$OUT_DIR/$PREFIX-recovery.img" > "$OUT_DIR/$PREFIX-recovery.img.sha512sum";
 	fi;
 
 	#File name fixes

Scripts/LineageOS-14.1/Functions.sh

@@ -37,14 +37,14 @@ export -f scanWorkspaceForMalware;
 buildDevice() {
 	cd "$DOS_BUILD_BASE";
 	export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1";
-	brunch "lineage_$1-user" && processRelease $1 true $2;
+	breakfast "lineage_$1-user" && mka target-files-package otatools && processRelease $1 true $2;
 }
 export -f buildDevice;
 
 buildDeviceUserDebug() {
 	cd "$DOS_BUILD_BASE";
 	export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1";
-	brunch "lineage_$1-userdebug" && processRelease $1 true $2;
+	breakfast "lineage_$1-userdebug" && mka target-files-package otatools && processRelease $1 true $2;
 }
 export -f buildDeviceUserDebug;
 

Scripts/LineageOS-15.1/Functions.sh

@@ -41,13 +41,6 @@ buildDevice() {
 }
 export -f buildDevice;
 
-buildDeviceUserDebug() {
-	cd "$DOS_BUILD_BASE";
-	export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1";
-	breakfast "lineage_$1-userdebug" && mka target-files-package otatools && processRelease $1 true $2;
-}
-export -f buildDeviceUserDebug;
-
 buildDeviceDebug() {
 	cd "$DOS_BUILD_BASE";
 	unset OTA_KEY_OVERRIDE_DIR;

Scripts/LineageOS-15.1/Patch.sh

@@ -63,8 +63,7 @@ sed -i 's/!= 2048/< 2048/' tools/dumpkey/DumpPublicKey.java; #Allow 4096-bit key
 sed -i 's/(!has_serial_number || serial_number_matched)/!has_serial_number/' recovery.cpp; #Abort on serial number specific packages (GrapheneOS)
 
 enterAndClear "build/make";
-patch -p1 < "$DOS_PATCHES_COMMON/android_build/0001-OTA_Keys.patch"; #add correct keys to recovery for OTA verification
-awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;
+patch -p1 < "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #add correct keys to recovery for OTA verification
 sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk;
 sed -i 's/messaging/Silence/' target/product/aosp_base_telephony.mk target/product/treble_common.mk; #Switch to Silence
 

Scripts/LineageOS-16.0/Functions.sh

@@ -41,13 +41,6 @@ buildDevice() {
 }
 export -f buildDevice;
 
-buildDeviceUserDebug() {
-	cd "$DOS_BUILD_BASE";
-	export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1";
-	breakfast "lineage_$1-userdebug" && mka target-files-package otatools && processRelease $1 true $2;
-}
-export -f buildDeviceUserDebug;
-
 buildDeviceDebug() {
 	cd "$DOS_BUILD_BASE";
 	unset OTA_KEY_OVERRIDE_DIR;

Scripts/LineageOS-16.0/Patch.sh

@@ -69,8 +69,7 @@ patch -p1 < "$DOS_PATCHES/android_bootable_recovery/0001-No_SerialNum_Restrictio
 
 enterAndClear "build/make";
 git revert --no-edit 271f6ffa045064abcac066e97f2cb53ccb3e5126 61f7ee9386be426fd4eadc2c8759362edb5bef8; #Add back PicoTTS and language files
-patch -p1 < "$DOS_PATCHES_COMMON/android_build/0001-OTA_Keys.patch"; #add correct keys to recovery for OTA verification
-awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;
+patch -p1 < "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #add correct keys to recovery for OTA verification
 sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk;
 sed -i 's/messaging/Silence/' target/product/aosp_base_telephony.mk target/product/treble_common.mk; #Switch to Silence
 

Scripts/LineageOS-17.1/Functions.sh

@@ -41,13 +41,6 @@ buildDevice() {
 }
 export -f buildDevice;
 
-buildDeviceUserDebug() {
-	cd "$DOS_BUILD_BASE";
-	export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1";
-	breakfast "lineage_$1-userdebug" && mka target-files-package otatools && processRelease $1 true $2;
-}
-export -f buildDeviceUserDebug;
-
 buildDeviceDebug() {
 	cd "$DOS_BUILD_BASE";
 	unset OTA_KEY_OVERRIDE_DIR;

Scripts/LineageOS-17.1/Patch.sh

@@ -66,8 +66,7 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_bio
 
 enterAndClear "build/make";
 patch -p1 < "$DOS_PATCHES/android_build/0001-Restore_TTS.patch"; #Add back PicoTTS and language files
-patch -p1 < "$DOS_PATCHES_COMMON/android_build/0001-OTA_Keys.patch"; #add correct keys to recovery for OTA verification
-awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;
+patch -p1 < "$DOS_PATCHES/android_build/0002-OTA_Keys.patch"; #add correct keys to recovery for OTA verification
 sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk;
 sed -i 's/messaging/Silence/' target/product/aosp_base_telephony.mk target/product/gsi_common.mk; #Switch to Silence
 awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX

Scripts/LineageOS-18.1/Functions.sh

@@ -41,13 +41,6 @@ buildDevice() {
 }
 export -f buildDevice;
 
-buildDeviceUserDebug() {
-	cd "$DOS_BUILD_BASE";
-	export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1";
-	breakfast "lineage_$1-userdebug" && mka target-files-package otatools && processRelease $1 true $2;
-}
-export -f buildDeviceUserDebug;
-
 buildDeviceDebug() {
 	cd "$DOS_BUILD_BASE";
 	unset OTA_KEY_OVERRIDE_DIR;

Scripts/LineageOS-18.1/Patch.sh

@@ -63,7 +63,6 @@ patch -p1 < "$DOS_PATCHES/android_bootable_recovery/0001-No_SerialNum_Restrictio
 enterAndClear "build/make";
 patch -p1 < "$DOS_PATCHES/android_build/0001-Restore_TTS.patch"; #Add back PicoTTS and language files
 patch -p1 < "$DOS_PATCHES/android_build/0002-OTA_Keys.patch"; #add correct keys to recovery for OTA verification
-awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;
 sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk;
 sed -i 's/messaging/Silence/' target/product/aosp_base_telephony.mk target/product/aosp_product.mk; #Switch to Silence
 awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX

Scripts/init.sh

@@ -151,6 +151,8 @@ export DOS_SCRIPTS_CVES=$DOS_SCRIPTS"CVE_Patchers/";
 
 export KBUILD_BUILD_USER="emy";
 export KBUILD_BUILD_HOST="dosbm";
+export BUILD_USERNAME="emy";
+export BUILD_HOSTNAME="dosbm";
 
 export ANDROID_JACK_VM_ARGS="-Xmx6144m -Xms512m -Dfile.encoding=UTF-8 -XX:+TieredCompilation";
 export JACK_SERVER_VM_ARGUMENTS="${ANDROID_JACK_VM_ARGS}";
@@ -158,6 +160,7 @@ export EXPERIMENTAL_USE_JAVA8=true;
 export GRADLE_OPTS="-Xmx2048m";
 export TZ=:/etc/localtime;
 export LC_ALL=C;
+export LANG=en_US.UTF-8;
 alias patch='patch --no-backup-if-mismatch';
 
 #START OF VERIFICATION