Option to re-sign prebuilt factory images / updates with users own key #215
Comments
xmikos
Mar 24, 2016
If it would be somehow relatively easily possible (what about e.g. dm-verity?), I plan to write and publish scripts to help users with the whole process. When you release a new OTA update zip, the script will download it, modify it (add user-specified packages / modifications), possibly recalculate dm-verity hashes (or however it works - I haven't looked at dm-verity more thoroughly yet) and re-sign it with a user-supplied key.
Is this scenario realistic or am I missing something?
thestinger
Mar 24, 2016
Contributor
It would be possible, but I might have to publish the target_files zip in addition to the stuff that's there now. The normal build process uses the test keys which are then replaced with the real keys after the build.
xmikos
Mar 24, 2016
@thestinger target_files zip? What exactly is that? If it is needed for dm-verity / secure boot to work in this scenario, I would be really grateful if you would publish it together with the update zips.
thestinger
Mar 24, 2016
Contributor
Look at the signing step in https://copperhead.co/android/docs/building.
xmikos
Apr 6, 2016
@thestinger Please can you start publishing target_files.zip? I would really like to do this; without it everyone who modifies Copperhead is then stuck with an unlocked bootloader.
I have looked into the possibility of converting the whole factory image into the target files directory structure, but there are some parts missing...
I'll try to get to this soon. I think it's a good idea.
thestinger
Apr 25, 2016
Contributor
The target files will now be published with each release. The 2016.04.25.16.44.01 release is the first: https://builds.copperhead.co/builds/bullhead-target_files-2016.04.25.16.44.01.zip. You can figure out the URL by taking the ota update URL and replacing ota_update with target_files.
thestinger closed this Apr 25, 2016
thestinger
Apr 25, 2016
Contributor
The signing process here should work: https://copperhead.co/android/docs/building. It covers all the details like the need to replace the Nexus 5X update-binary with one from the stock OTA updates (which is part of the CopperheadOS source tree) for the LG updater functionality that's statically linked into it.
I guess I need to publish a GPG signature for this too.
xmikos
Apr 25, 2016
Thank you! I will look into it as soon as possible (but I don't have a Nexus 5X, I have only a Nexus 5, so I guess I would need to wait some more time). Will the signature be at https://builds.copperhead.co/builds/bullhead-target_files-2016.04.25.16.44.01.zip.sig?
Btw. I have a fork of the https://github.com/anestisb/android-prepare-vendor/ scripts with support for Nexus 5 Hammerhead (but didn't have time to finish it yet). I hope it will help you to get full support of Nexus 5.
thestinger
Apr 25, 2016
Contributor
Yeah, the signature is now available along with the Nexus 5 release (Nexus 9 is still building):
https://builds.copperhead.co/builds/hammerhead-target_files-2016.04.25.16.44.01.zip
https://builds.copperhead.co/builds/hammerhead-target_files-2016.04.25.16.44.01.zip.sig
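The following is an added example, not part of the thread or of CopperheadOS's own tooling: a POSIX shell sketch that applies the URL rule given above and accepts a downloaded target_files zip only if its detached `.sig` was made by a pinned key. The function names are hypothetical, and it assumes the release signing key is already in the local GnuPG keyring and that its primary-key fingerprint was obtained out of band.

```shell
#!/bin/sh
# Added example: verify a published target_files zip before re-signing it.
# Function names and the pinned-fingerprint argument are hypothetical.

# Apply the thread's rule: replace "ota_update" with "target_files" in the OTA URL.
# Only https URLs of the form <device>-ota_update-<version>.zip are accepted.
target_files_url() {
    case $1 in
        https://*-ota_update-*.zip) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "${1%%-ota_update-*}-target_files-${1#*-ota_update-}"
}

# Read gpg --status-fd output ($1) and succeed only if a VALIDSIG line names the
# pinned primary-key fingerprint ($2, 40 uppercase hex digits) as its last field.
validsig_matches() {
    case $2 in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    [ "${#2}" -eq 40 ] || return 1
    printf '%s\n' "$1" | awk -v fpr="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == fpr { ok = 1 }
        END { exit !ok }'
}

# Download the zip and its detached .sig, then keep the zip only if gpg accepts
# the signature AND it was made by the pinned key (key already in the keyring).
fetch_verified() {
    url=$(target_files_url "$1") || { echo "unexpected OTA URL" >&2; return 1; }
    file=${url##*/}
    curl --proto '=https' -fsSLO "$url" || return 1
    curl --proto '=https' -fsSLO "$url.sig" || return 1
    if status=$(gpg --batch --status-fd 1 --verify "$file.sig" "$file" 2>/dev/null) &&
       validsig_matches "$status" "$2"; then
        return 0
    fi
    rm -f "$file" "$file.sig"
    echo "signature check failed for $file" >&2
    return 1
}
```

Checking the `VALIDSIG` fingerprint rather than only gpg's exit status ties acceptance to one specific key instead of any key that happens to be in the keyring.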
xmikos commented Mar 24, 2016
Is it possible to re-sign prebuilt factory images (or updates) with the user's own key? I know users can sign them themselves when building from source, but I would want to do it with images built by you.
Why, you may ask? I want to be able to modify factory images / updates (to e.g. include GApps, seSuperuser, etc.) but still want to be able to have secure boot (locked bootloader). Now if I modify Copperhead OS by update.zip sideloading (via TWRP), I must have an unlocked bootloader and the device is susceptible to evil-maid type attacks.