Update verifying_builds.md #99
I have just learned that the Lineage team has changed the way they sign the public builds. I got to know why the **keytool** keeps telling me: `Not a signed jar file` from this [post](https://forum.fairphone.com/t/official-lineageos-15-1-builds-not-signed/42173). Please update your wiki page! :-)
Also: the update_verifier uses an embedded public key, but I don't see any way to get a fingerprint of that key that is posted to a public site (as was done with the old method at https://wiki.lineageos.org/verifying-builds.html).
What is the advantage of the new approach? Using the signed jar file inspired a lot of confidence because it is such a well-known method, and easy to test using a tool (keytool) from outside the site of the code we're validating.
I suggest dropping the old instructions completely. There is no use in carrying old stuff. The new way seems to work for old archives, too. (At least for the archive I've tested.)
Anyway, the new instructions have several issues:
Preferable and recommended way is to use a virtual environment:
@brad2014 I described the way to re-establish the chain of trust after the way to verify public builds has changed here: https://www.goebel-consult.de/blog/really-verifying-lineageos-build-authenticity