@A2L5E0X1
Last active January 2, 2025 04:54
Signing LineageOS builds with your own dev-keys

Generating dev-keys to sign android builds

All you need is an Android buildsystem (LineageOS is recommended).
NOTE: For Lineage 21 and newer, some steps differ; they are marked below.

PART 1: GENERATING KEYS

  1. Export your subject information (replace the example values with your own)
subject='/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=you@example.com'

C: Country shortform
ST: Country longform
L: Location (I used federal state)
O, OU, CN: Your Name
emailAddress: Your email (the example.com addresses here are placeholders)
For example:

subject='/C=DE/ST=Germany/L=Berlin/O=Max Mustermann/OU=Max Mustermann/CN=Max Mustermann/emailAddress=max.mustermann@example.com'
  2. Generate the keys
mkdir ~/.android-certs

for x in releasekey platform shared media networkstack testkey cyngn-priv-app bluetooth sdk_sandbox verifiedboot; do \
    ./development/tools/make_key ~/.android-certs/$x "$subject"; \
done

Note:

  • cyngn-priv-app is only needed if building 14.1 and older.
  • bluetooth, sdk_sandbox and verifiedboot are needed since Android 13.
  • DO NOT set a password for the keys. If you do, you won't be able to use them for building!
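
A pre-flight check for the key directory, added here as an example and not part of the original gist: it confirms that every key pair from the loop above exists and that each .pk8 is an unencrypted PKCS#8 file, as the note requires. The script name audit_keys.py, the function names and the file-permission check are assumptions of this example, which relies on make_key writing DER-encoded .pk8 files.

```python
import os
import stat
import sys

# Key names taken from the make_key loop in PART 1 of the guide.
GUIDE_KEYS = ("releasekey platform shared media networkstack testkey "
              "cyngn-priv-app bluetooth sdk_sandbox verifiedboot").split()

def pk8_state(der: bytes) -> str:
    """Classify a DER .pk8 blob by the first element inside its outer SEQUENCE."""
    if len(der) < 3 or der[0] != 0x30:
        return "not-pkcs8"
    # DER length: short form is one byte; long form is 0x80 | count of length bytes.
    header = 2 + ((der[1] & 0x7F) if der[1] & 0x80 else 0)
    if len(der) <= header:
        return "not-pkcs8"
    if der[header] == 0x02:   # PrivateKeyInfo begins with an INTEGER version
        return "unencrypted"
    if der[header] == 0x30:   # EncryptedPrivateKeyInfo begins with an AlgorithmIdentifier
        return "encrypted"
    return "not-pkcs8"

def audit_key_dir(key_dir, names=GUIDE_KEYS):
    """Return a list of problems that would break or weaken signing with key_dir."""
    problems = []
    for name in names:
        pem = os.path.join(key_dir, name + ".x509.pem")
        pk8 = os.path.join(key_dir, name + ".pk8")
        if not os.path.isfile(pem):
            problems.append(f"{name}: missing {name}.x509.pem")
        if not os.path.isfile(pk8):
            problems.append(f"{name}: missing {name}.pk8")
            continue
        with open(pk8, "rb") as fh:
            state = pk8_state(fh.read(16))
        if state != "unencrypted":
            problems.append(f"{name}: {name}.pk8 is {state}, the build cannot use it")
        # Extra hygiene check (assumption of this example, not a step in the guide).
        if stat.S_IMODE(os.stat(pk8).st_mode) & 0o077:
            problems.append(f"{name}: {name}.pk8 is accessible to group/others")
    return problems

if __name__ == "__main__":
    # Usage: python3 audit_keys.py [key_dir] [extra key names, e.g. nfc]
    key_dir = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.android-certs")
    found = audit_key_dir(key_dir, GUIDE_KEYS + sys.argv[2:])
    print("\n".join(found) or "all key pairs present and unencrypted")
    sys.exit(1 if found else 0)
```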

PART 2: SETTING UP PRIVATE VENDOR REPO

  1. Create the vendor repo
mkdir vendor/extra

For Lineage 21 and newer:

mkdir vendor/lineage-priv
  2. Move your keys to the vendor repo
mv ~/.android-certs vendor/extra/keys

For Lineage 21 and newer:

mv ~/.android-certs vendor/lineage-priv/keys
  3. Create a makefile and add the following line
echo "PRODUCT_DEFAULT_DEV_CERTIFICATE := vendor/extra/keys/releasekey" > vendor/extra/product.mk

For Lineage 21 and newer:

echo "PRODUCT_DEFAULT_DEV_CERTIFICATE := vendor/lineage-priv/keys/releasekey" > vendor/lineage-priv/keys/keys.mk

For Lineage 21 and newer, a BUILD.bazel file containing the following is also required in vendor/lineage-priv/keys:

filegroup(
    name = "android_certificate_directory",
    srcs = glob([
        "*.pk8",
        "*.pem",
    ]),
    visibility = ["//visibility:public"],
)

You might also need this commit if you're not building Lineage.

Note: NEVER PUBLISH THIS VENDOR REPO, AS IT CONTAINS YOUR OWN SIGNATURE KEYS! IF YOU PUBLISH THEM, ANYONE CAN SIGN WITH THEM, WHICH HAS THE SAME SECURITY RISKS AS BUILDING WITH THE PUBLICLY KNOWN TEST-KEYS!

PART 3: SIGNING YOUR BUILDS

  • Most roms (for example LineageOS) automatically include vendor/extra/product.mk (or vendor/lineage-priv/keys/keys.mk in Lineage 21 or newer). If your rom doesn't, add -include vendor/extra/product.mk (or -include vendor/lineage-priv/keys/keys.mk) to your device tree.
  • If everything worked, your builds should be signed with dev-keys.

References and Credits

  • LineageOS Wiki
  • Linux4 for being a pro
  • bengris32 for additional steps in Lineage 21
@GXC2356

GXC2356 commented May 27, 2024

Pro

@cat658011

big very pro pro max 2075 edition

@anoosragh69

A question about PART 3: SIGNING YOUR BUILDS. If the rom doesn't include vendor/extra/product.mk, I add -include vendor/extra/product.mk in DT and run the build normally, right? After the build is done, do I have to do any other steps? Sorry, I also read the guide in LoS wiki and got confused.
I was building crDroid and while building I didn't see any log or something which showed to include product.mk, so I added it in DT and received this error: cannot assign to readonly variable: PRODUCT_DEFAULT_DEV_CERTIFICATE
Any help is appreciated, thanks.

Yes, simply include this makefile in your device.mk. No additional steps are needed after building, the steps on LOS wiki are for release-keys signing.

Understood. Thanks a lot. Btw BUILD.bazel goes into DT or the rom directory ? Also I assume I can create it with nano ?

BUILD.bazel goes into the vendor repo.

In step 2,

mv ~/.android-certs vendor/lineage-priv/keys

the correct path for the keys is vendor/lineage-priv/keys/.android-certs ??

Oops my bad, they're supposed to be in vendor/lineage-priv/keys. Let me fix the guide, thanks for telling!

So the path of BUILD.bazel would be vendor/lineage-priv/keys ?

I saw some roms putting them into an entirely diff dir named signing😅

@suvojit213

A question about PART 3: SIGNING YOUR BUILDS. If the rom doesn't include vendor/extra/product.mk, I add -include vendor/extra/product.mk in DT and run the build normally, right? After the build is done, do I have to do any other steps? Sorry, I also read the guide in LoS wiki and got confused.
I was building crDroid and while building I didn't see any log or something which showed to include product.mk, so I added it in DT and received this error: cannot assign to readonly variable: PRODUCT_DEFAULT_DEV_CERTIFICATE
Any help is appreciated, thanks.

Yes, simply include this makefile in your device.mk. No additional steps are needed after building, the steps on LOS wiki are for release-keys signing.

Understood. Thanks a lot. Btw BUILD.bazel goes into DT or the rom directory ? Also I assume I can create it with nano ?

BUILD.bazel goes into the vendor repo.

In step 2,

mv ~/.android-certs vendor/lineage-priv/keys

the correct path for the keys is vendor/lineage-priv/keys/.android-certs ??

Oops my bad, they're supposed to be in vendor/lineage-priv/keys. Let me fix the guide, thanks for telling!

So the path of BUILD.bazel would be vendor/lineage-priv/keys ?

I saw some roms putting them into an entirely diff dir named signing😅

They Support Sign with Private keys from source by default

@anoosragh69

A question about PART 3: SIGNING YOUR BUILDS. If the rom doesn't include vendor/extra/product.mk, I add -include vendor/extra/product.mk in DT and run the build normally, right? After the build is done, do I have to do any other steps? Sorry, I also read the guide in LoS wiki and got confused.
I was building crDroid and while building I didn't see any log or something which showed to include product.mk, so I added it in DT and received this error: cannot assign to readonly variable: PRODUCT_DEFAULT_DEV_CERTIFICATE
Any help is appreciated, thanks.

Yes, simply include this makefile in your device.mk. No additional steps are needed after building, the steps on LOS wiki are for release-keys signing.

Understood. Thanks a lot. Btw BUILD.bazel goes into DT or the rom directory ? Also I assume I can create it with nano ?

BUILD.bazel goes into the vendor repo.

In step 2,

mv ~/.android-certs vendor/lineage-priv/keys

the correct path for the keys is vendor/lineage-priv/keys/.android-certs ??

Oops my bad, they're supposed to be in vendor/lineage-priv/keys. Let me fix the guide, thanks for telling!

So the path of BUILD.bazel would be vendor/lineage-priv/keys ?
I saw some roms putting them into an entirely diff dir named signing😅

They Support Sign with Private keys from source by default

Well obv, but that wasn't my qns. I was asking about the function of the bazel file there

@A2L5E0X1
Author

A question about PART 3: SIGNING YOUR BUILDS. If the rom doesn't include vendor/extra/product.mk, I add -include vendor/extra/product.mk in DT and run the build normally, right? After the build is done, do I have to do any other steps? Sorry, I also read the guide in LoS wiki and got confused.
I was building crDroid and while building I didn't see any log or something which showed to include product.mk, so I added it in DT and received this error: cannot assign to readonly variable: PRODUCT_DEFAULT_DEV_CERTIFICATE
Any help is appreciated, thanks.

Yes, simply include this makefile in your device.mk. No additional steps are needed after building, the steps on LOS wiki are for release-keys signing.

Understood. Thanks a lot. Btw BUILD.bazel goes into DT or the rom directory ? Also I assume I can create it with nano ?

BUILD.bazel goes into the vendor repo.

In step 2,

mv ~/.android-certs vendor/lineage-priv/keys

the correct path for the keys is vendor/lineage-priv/keys/.android-certs ??

Oops my bad, they're supposed to be in vendor/lineage-priv/keys. Let me fix the guide, thanks for telling!

So the path of BUILD.bazel would be vendor/lineage-priv/keys ?

I saw some roms putting them into an entirely diff dir named signing😅

Yes, or vendor/extra/keys, depending on what you're actually using.

@anoosragh69

actually

Ok thnkz for clarifying

@anoosragh69

anoosragh69 commented May 27, 2024

shouldn't we need a BUILD file for bazel to recognize the dir as a package?

or did i misinterpret the use of it here?

@jayz1212

how to know if my build is signed? thanks

@suvojit213

how to know if my build is signed? thanks

1000000427
Shows like this

@jayz1212

how to know if my build is signed? thanks

1000000427 Shows like this

thanks

@jayz1212

how to know if my build is signed? thanks

1000000427 Shows like this

what command should i use? is it m bacon or mka target-files-package otatools? thanks

@twu2

twu2 commented May 28, 2024

what command should i use? is it m bacon or mka target-files-package otatools? thanks

just make bacon as before, the created zip file will sign with dev keys.

@jayz1212

what command should i use? is it m bacon or mka target-files-package otatools? thanks

just make bacon as before, the created zip file will sign with dev keys.

thanks

@GXC2356

GXC2356 commented May 29, 2024

Pro+

Pro cat deb

@cat658011

pro cat 2024 plus edition XR

@Sanjivns

Pro+

Pro cat deb

pro vayu deb

@jayz1212

jayz1212 commented Jun 4, 2024

lineage 20 use -include vendor/extra/product.mk right? i get confused cause in their vendor common.mk it says -include vendor/lineage-priv/keys/keys.mk

@athanatos1

athanatos1 commented Jun 7, 2024

how to know if my build is signed? thanks

1000000427 Shows like this

Can you reupload the picture and also show us the step by step process command wise? I tried to do this guide on an older a13, evox rom and it didn't work at all with those payload signing steps. Also where in this guide does it include the steps to sign the APEX files with a 4096 RSA key?

@athanatos1

athanatos1 commented Jun 7, 2024

I have also attached an Ubuntu WSL log for evolution x a13 rom, maybe someone can spot why it doesn't get signed properly? When I boot into this rom, all the apps crash and there's no wifi or cell service.
EDIT: It won't let me upload a zip or txt file so here is a download of the log: https://file.io/OalJcyU0m7Jy
https://easyupload.io/b8sawl

@Joe7500

Joe7500 commented Jun 8, 2024

I have also attached an Ubuntu WSL log for evolution x a13 rom, maybe someone can spot why it doesn't get signed properly? When I boot into this rom, all the apps crash and there's no wifi or cell service. EDIT: It won't let me upload a zip or txt file so here is a download of the log: https://file.io/OalJcyU0m7Jy https://easyupload.io/b8sawl

The end of the log shows the zip being signed with the provided key. Transitioning to a signed rom requires clean flash / format data, hence the apps crashing. 4096 might be too strong depending on the hardware.

@arsalan-zeus

How can I sign the custom rom zip file which is already built without signing method?

@IT21037306

How can I sign the custom rom zip file which is already built without signing method?

I'm not sure, But I think you have to rebuild the rom with keys

@MarkusTieger

MarkusTieger commented Jun 30, 2024

LineageOS 21. "Path vendor/lineage-priv/keys/nfc.x509.pem does not exist or is not a file!" I think there is a key missing. But could also be specific to my device "beyond2lte".

@cat658011

cat658011 commented Jul 1, 2024

LineageOS 21. "Path vendor/lineage-priv/keys/nfc.x509.pem does not exist or is not a file!" I think there is a key missing. But could also be specific to my device "beyond2lte".
use it

for cert in bluetooth cyngn-app media networkstack nfc platform releasekey sdk_sandbox shared testcert testkey verity; do \
    ./development/tools/make_key ~/.android-certs/$cert "$subject"; \
done

@MarkusTieger

LineageOS 21. "Path vendor/lineage-priv/keys/nfc.x509.pem does not exist or is not a file!" I think there is a key missing. But could also be specific to my device "beyond2lte".
use it

for cert in bluetooth cyngn-app media networkstack nfc platform releasekey sdk_sandbox shared testcert testkey verity; do \
    ./development/tools/make_key ~/.android-certs/$cert "$subject"; \
done

This was more to be meant as a bug report, than a support request. But thanks anyway

@pckotzer

pckotzer commented Jul 20, 2024

When i use the for cert in bluetooth cyngn-app media networkstack nfc platform releasekey sdk_sandbox shared testcert testkey verity; do
./development/tools/make_key ~/.android-certs/$cert "$subject";
done

It just hangs after i press enter, and no key will be generated

I use fedora 40

@Butterfingerss

LineageOS 21. "Path vendor/lineage-priv/keys/nfc.x509.pem does not exist or is not a file!" I think there is a key missing. But could also be specific to my device "beyond2lte".
use it

for cert in bluetooth cyngn-app media networkstack nfc platform releasekey sdk_sandbox shared testcert testkey verity; do \
    ./development/tools/make_key ~/.android-certs/$cert "$subject"; \
done

this didn't work for me same nfc.x509.pem does not exist

@earthwlove

Thanks so much.

@elohim-etz

LineageOS 21. "Path vendor/lineage-priv/keys/nfc.x509.pem does not exist or is not a file!" I think there is a key missing. But could also be specific to my device "beyond2lte".
use it

for cert in bluetooth cyngn-app media networkstack nfc platform releasekey sdk_sandbox shared testcert testkey verity; do \
    ./development/tools/make_key ~/.android-certs/$cert "$subject"; \
done

this didn't work for me same nfc.x509.pem does not exist

Did you find the solution?
