User build Pixel XL: cannot install apps with F-Droid #648
thestinger
Jun 26, 2017
Contributor
You'll need to modify packages/apps/F-Droid/privileged-extension/app/src/main/java/org/fdroid/fdroid/privileged/ClientWhitelist.java to include your keys. I haven't had time to write documentation on how to do that or to make it automated.
thestinger closed this Jun 26, 2017
thestinger added the Type: question label Jun 26, 2017
Rudd-O
Jun 26, 2017
That at least should be added to the instructions, because the instructions by default do not mention it, and the result OS does not work as advertised. Ideally, this is done already and there's no need for instructions, just a footnote in the building docs.
Rudd-O
Jul 30, 2017
```bash
# Rekey Android F-Droid privileged extension with build keys.
releasefp=$(
keytool -list -printcert -file keys/releasekey.x509.pem | grep SHA256: | awk ' { print $2 } ' | sed 's/://g'
)
platformfp=$(
keytool -list -printcert -file keys/platform.x509.pem | grep SHA256: | awk ' { print $2 } ' | sed 's/://g'
)
pushd packages/apps/F-Droid/privileged-extension
git checkout app/src/main/java/org/fdroid/fdroid/privileged/ClientWhitelist.java
sed -i 's|// certificate SHA-256 of https//f-droid.org/FDroid.apk|// certificate SHA-256 of https//f-droid.org/FDroid.apk\n new Pair<>("org.fdroid.fdroid", "'$releasefp'"), // this build keys|g' app/src/main/java/org/fdroid/fdroid/privileged/ClientWhitelist.java
sed -i 's|// certificate SHA-256 of https//f-droid.org/FDroid.apk|// certificate SHA-256 of https//f-droid.org/FDroid.apk\n new Pair<>("org.fdroid.fdroid", "'$platformfp'"), // this build keys|g' app/src/main/java/org/fdroid/fdroid/privileged/ClientWhitelist.java
popd
# End rekey process.
```
Enjoy!
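A fail-closed variant of the rekey step above, as an added example that is not part of the original comment or the project's build scripts: `sed -i` exits successfully even when its pattern matches nothing, so if the anchor comment in ClientWhitelist.java ever changes, the build would silently ship without the key. The names `ANCHOR`, `cert_fp` and `add_whitelist_entry` are hypothetical; GNU sed is assumed, as in the script above.

```shell
# Added example, not from the thread. ANCHOR is the comment line the thread's
# sed commands match on, copied verbatim (including its "https//" spelling).
ANCHOR='// certificate SHA-256 of https//f-droid.org/FDroid.apk'

# Print the SHA-256 fingerprint of a PEM certificate as bare hex (colons
# stripped), i.e. the value the thread's keytool | grep | awk | sed pipeline yields.
cert_fp() {
    keytool -printcert -file "$1" |
        awk '/SHA256:/ { gsub(":", "", $2); print $2 }'
}

# Insert one whitelist entry for org.fdroid.fdroid directly after ANCHOR.
# $1 = path to ClientWhitelist.java, $2 = fingerprint (64 hex characters).
# Returns non-zero instead of silently doing nothing.
add_whitelist_entry() {
    # Reject empty or malformed fingerprints (e.g. keytool failed upstream).
    printf '%s' "$2" | grep -Eqx '[0-9A-Fa-f]{64}' || {
        echo "bad fingerprint: '$2'" >&2; return 1; }

    # The anchor must be present exactly once, otherwise the edit is ambiguous.
    wl_count=$(grep -cF -- "$ANCHOR" "$1") || true
    [ "$wl_count" = 1 ] || {
        echo "anchor found '$wl_count' times in $1" >&2; return 1; }

    # Idempotent: re-running the build script must not duplicate the entry.
    grep -qF -- "\"$2\"" "$1" && return 0

    sed -i "s|$ANCHOR|&\n            new Pair<>(\"org.fdroid.fdroid\", \"$2\"), // this build's keys|" "$1"

    # Confirm the entry actually landed; this is the function's exit status.
    grep -qF -- "\"$2\"" "$1"
}

# Usage from the build tree (paths as given in the thread):
#   f=packages/apps/F-Droid/privileged-extension/app/src/main/java/org/fdroid/fdroid/privileged/ClientWhitelist.java
#   add_whitelist_entry "$f" "$(cert_fp keys/releasekey.x509.pem)" || exit 1
#   add_whitelist_entry "$f" "$(cert_fp keys/platform.x509.pem)"   || exit 1
```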
thestinger
Jul 30, 2017
Contributor
Ideally it'd whitelist the OS releasekey automatically. I just don't have time to work on F-Droid too.
Rudd-O
Jul 30, 2017
What's the OS release key and how do I do that?
Rudd-O
Jul 30, 2017
I mean, is what I did above sufficient to get F-Droid to install apps?
thestinger
Jul 30, 2017
Contributor
I just mean ideally it would automatically use that releasekey.x509.pem key from within the OS rather than having the whitelist that needs to be changed.
thestinger
Jul 30, 2017
Contributor
@Rudd-O Yes just saying it should really use the OS releasekey automatically rather than a hard-wired list.
Rudd-O
Jul 30, 2017
That's what the script is meant to do (and does). You should copy and paste that code into the build instructions.
Rudd-O
Jul 30, 2017
(Sorry I didn't come up with this sooner. I'm taking some time while I recover from surgery to spin up my build server and get this shit done, so I can finally begin using my Pixel. I did not have time before.)
thestinger
Jul 30, 2017
Contributor
Modifying source repositories isn't really appropriate for the build instructions which is why I haven't included this in the instructions. It should be fixed in the code so it uses that key at runtime. Signing is really supposed to be something that can be done entirely after building, i.e. you shouldn't need the keys before building which is currently the case due to both this issue and the new way dm-verity signing works.
thestinger
Jul 30, 2017
Contributor
So ideally, that whitelist wouldn't be modified either by us or users, but instead the privileged extension should automatically trust the OS release key, fetched at runtime.
Rudd-O
Jul 30, 2017
I, uh, completely agree with that! Yes. If I knew Java / Android, I'd whip that up right now. Unfortunately, that's not the case. Maybe this bug can be repurposed to track the progress of that, and therefore I can get an update to nil my build script snippet that does this, when the code is in place.
Rudd-O
Jul 31, 2017
I want to report that my script above worked as intended and I can now use F-Droid inside the Pixel XL just fine.
Glorious. Thank you.
Rudd-O
Jun 26, 2017 (edited)
Errors out with "The privileged permissions have not been granted to the extension."
Ghost commander install attempted. Other apps fail in the same way.
I followed the build and install instructions to the letter.