@A2L5E0X1
Last active February 6, 2025 08:09
Signing LineageOS builds with your own dev-keys

Generating dev-keys to sign Android builds

All you need is an Android build system (LineageOS is recommended).
NOTE: For Lineage 21 and newer, different steps are required.

PART 1: GENERATING KEYS

  1. Export your information (replace the example values with your own)
subject='/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@example.com'

C: Country shortform
ST: Country longform
L: Location (I used federal state)
O, OU, CN: Your Name
emailAddress: Your email
For example:

subject='/C=DE/ST=Germany/L=Berlin/O=Max Mustermann/OU=Max Mustermann/CN=Max Mustermann/emailAddress=max.mustermann@example.com'
  2. Generate the keys
mkdir ~/.android-certs

for x in releasekey platform shared media networkstack testkey cyngn-priv-app bluetooth sdk_sandbox verifiedboot; do \
    ./development/tools/make_key ~/.android-certs/$x "$subject"; \
done

Note:

  • cyngn-priv-app is only needed if building 14.1 and older.
  • bluetooth, sdk_sandbox and verifiedboot are needed since Android 13.
  • DO NOT set a password for the keys. If you do, you won't be able to use them for building!
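
An added example, not part of the original gist: a POSIX shell audit of the key directory that flags a key name missing its .pk8 or .x509.pem file, a private key that was given a password, and a private key accessible by group or others. It relies on make_key writing the private key as DER PKCS#8, where a password-protected key starts with a nested SEQUENCE instead of the version INTEGER; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the gist): audit a make_key output directory.
# Usage: sh audit_keys.sh DIR NAME...   (script name is hypothetical)

# pk8_state FILE: print "plain", "encrypted" or "invalid".
# DER PrivateKeyInfo is SEQUENCE { INTEGER 0, ... }; a password-protected
# EncryptedPrivateKeyInfo is SEQUENCE { SEQUENCE { algorithm }, ... }.
pk8_state() {
    set -- $(od -An -v -tu1 -N8 "$1" 2>/dev/null)   # first bytes, decimal
    [ "$#" -ge 5 ] && [ "$1" -eq 48 ] || { echo invalid; return 0; }
    len=$2; shift 2
    if [ "$len" -ge 128 ]; then                     # long-form DER length
        n=$((len - 128))
        [ "$n" -ge 1 ] && [ "$#" -ge $((n + 3)) ] || { echo invalid; return 0; }
        shift "$n"
    fi
    case "$1 $2 $3" in
        "2 1 0") echo plain ;;      # INTEGER, length 1, value 0 (version)
        "48 "*)  echo encrypted ;;  # nested SEQUENCE comes first
        *)       echo invalid ;;
    esac
}

# audit_keys DIR NAME...: print one finding per line, return 1 if any.
audit_keys() {
    dir=$1; shift; rc=0
    for name in "$@"; do
        pk8=$dir/$name.pk8; pem=$dir/$name.x509.pem
        [ -f "$pem" ] || { echo "MISSING $pem"; rc=1; }
        [ -f "$pk8" ] || { echo "MISSING $pk8"; rc=1; continue; }
        state=$(pk8_state "$pk8")
        [ "$state" = plain ] || { echo "UNUSABLE $pk8 ($state)"; rc=1; }
        # Private keys should be accessible by the owner only.
        case $(ls -ld "$pk8") in
            ????------*) ;;
            *) echo "PERMS $pk8 is accessible by group or others"; rc=1 ;;
        esac
    done
    return "$rc"
}

if [ "$#" -ge 2 ]; then audit_keys "$@"; fi
```

Run it against ~/.android-certs (or the keys directory in the vendor repo after Part 2) with the same key names used in the generation loop.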

PART 2: SETTING UP PRIVATE VENDOR REPO

  1. Create the vendor repo
mkdir vendor/extra

For Lineage 21 and newer:

mkdir vendor/lineage-priv
  2. Move your keys to the vendor repo
mv ~/.android-certs vendor/extra/keys

For Lineage 21 and newer:

mv ~/.android-certs vendor/lineage-priv/keys
  3. Create a makefile and add the following line
echo "PRODUCT_DEFAULT_DEV_CERTIFICATE := vendor/extra/keys/releasekey" > vendor/extra/product.mk

For Lineage 21 and newer:

echo "PRODUCT_DEFAULT_DEV_CERTIFICATE := vendor/lineage-priv/keys/releasekey" > vendor/lineage-priv/keys/keys.mk

Lineage 21 and newer also require a BUILD.bazel in vendor/lineage-priv/keys containing the following:

filegroup(
    name = "android_certificate_directory",
    srcs = glob([
        "*.pk8",
        "*.pem",
    ]),
    visibility = ["//visibility:public"],
)

You might also need this commit if you're not building Lineage.

Note: NEVER PUBLISH THIS VENDOR REPO, AS IT CONTAINS YOUR OWN SIGNATURE KEYS! IF YOU PUBLISH THEM, IT WILL HAVE THE SAME SECURITY RISKS AS BUILDING WITH TEST-KEYS!

PART 3: SIGNING YOUR BUILDS

  • Most roms (for example LineageOS) automatically include vendor/extra/product.mk (or vendor/lineage-priv/keys/keys.mk in Lineage 21 or newer). If your rom doesn't, add -include vendor/extra/product.mk (or -include vendor/lineage-priv/keys/keys.mk) to your device tree.
  • If everything worked, your builds should be signed with dev-keys.

References and Credits

  • LineageOS Wiki
  • Linux4 for being a pro
  • bengris32 for additional steps in Lineage 21
@cat658011

pro cat 2024 plus edition XR

@Sanjivns

Pro+

Pro cat deb

pro vayu deb

@jayz1212

jayz1212 commented Jun 4, 2024

Lineage 20 uses -include vendor/extra/product.mk, right? I get confused because in their vendor common.mk it says -include vendor/lineage-priv/keys/keys.mk

@athanatos1

athanatos1 commented Jun 7, 2024

how to know if my build is signed? thanks

1000000427 Shows like this

Can you reupload the picture and also show us the step by step process command wise? I tried to do this guide on an older a13, evox rom and it didn't work at all with those payload signing steps. Also where in this guide does it include the steps to sign the APEX files with a 4096 RSA key?

@athanatos1

athanatos1 commented Jun 7, 2024

I have also attached an Ubuntu WSL log for evolution x a13 rom, maybe someone can spot why it doesn't get signed properly? When I boot into this rom, all the apps crash and there's no wifi or cell service.
EDIT: It won't let me upload a zip or txt file so here is a download of the log: https://file.io/OalJcyU0m7Jy
https://easyupload.io/b8sawl

@Joe7500

Joe7500 commented Jun 8, 2024

I have also attached an Ubuntu WSL log for evolution x a13 rom, maybe someone can spot why it doesn't get signed properly? When I boot into this rom, all the apps crash and there's no wifi or cell service. EDIT: It won't let me upload a zip or txt file so here is a download of the log: https://file.io/OalJcyU0m7Jy https://easyupload.io/b8sawl

The end of the log shows the zip being signed with the provided key. Transitioning to a signed rom requires clean flash / format data, hence the apps crashing. 4096 might be too strong depending on the hardware.

@arsalan-zeus

How can I sign a custom rom zip file which is already built without a signing method?

@IT21037306

How can I sign a custom rom zip file which is already built without a signing method?

I'm not sure, but I think you have to rebuild the rom with keys.

@MarkusTieger

MarkusTieger commented Jun 30, 2024

LineageOS 21. "Path vendor/lineage-priv/keys/nfc.x509.pem does not exist or is not a file!" I think there is a key missing. But could also be specific to my device "beyond2lte".

@cat658011

cat658011 commented Jul 1, 2024

LineageOS 21. "Path vendor/lineage-priv/keys/nfc.x509.pem does not exist or is not a file!" I think there is a key missing. But could also be specific to my device "beyond2lte".
use it

for cert in bluetooth cyngn-app media networkstack nfc platform releasekey sdk_sandbox shared testcert testkey verity; do \
    ./development/tools/make_key ~/.android-certs/$cert "$subject"; \
done

@MarkusTieger

LineageOS 21. "Path vendor/lineage-priv/keys/nfc.x509.pem does not exist or is not a file!" I think there is a key missing. But could also be specific to my device "beyond2lte".
use it

for cert in bluetooth cyngn-app media networkstack nfc platform releasekey sdk_sandbox shared testcert testkey verity; do \
    ./development/tools/make_key ~/.android-certs/$cert "$subject"; \
done

This was meant more as a bug report than a support request. But thanks anyway.

@pckotzer

pckotzer commented Jul 20, 2024

When I use the

for cert in bluetooth cyngn-app media networkstack nfc platform releasekey sdk_sandbox shared testcert testkey verity; do
./development/tools/make_key ~/.android-certs/$cert "$subject";
done

it just hangs after I press enter, and no key will be generated.

I use Fedora 40.

@Butterfingerss

LineageOS 21. "Path vendor/lineage-priv/keys/nfc.x509.pem does not exist or is not a file!" I think there is a key missing. But could also be specific to my device "beyond2lte".
use it

for cert in bluetooth cyngn-app media networkstack nfc platform releasekey sdk_sandbox shared testcert testkey verity; do \
    ./development/tools/make_key ~/.android-certs/$cert "$subject"; \
done

This didn't work for me, same nfc.x509.pem does not exist.

@earthwlove

Thanks so much.

@elohim-etz

LineageOS 21. "Path vendor/lineage-priv/keys/nfc.x509.pem does not exist or is not a file!" I think there is a key missing. But could also be specific to my device "beyond2lte".
use it

for cert in bluetooth cyngn-app media networkstack nfc platform releasekey sdk_sandbox shared testcert testkey verity; do \
    ./development/tools/make_key ~/.android-certs/$cert "$subject"; \
done

This didn't work for me, same nfc.x509.pem does not exist.

Did you find the solution?

@Matti67

Matti67 commented Jan 17, 2025

A question about PART 3: SIGNING YOUR BUILDS. If the rom doesn't include vendor/extra/product.mk, I add -include vendor/extra/product.mk in DT and run the build normally, right? After the build is done, do I have to do any other steps? Sorry, I also read the guide in the LoS wiki and got confused.
I was building crDroid and while building I didn't see any log or something which showed to include product.mk, so I added it in DT and received this error: cannot assign to readonly variable: PRODUCT_DEFAULT_DEV_CERTIFICATE
Any help is appreciated, thanks.

Yes, simply include this makefile in your device.mk. No additional steps are needed after building, the steps on LOS wiki are for release-keys signing.

Sorry, I would like to know, just to clarify, if this method gets the same outcome as that described on the LOS wiki, thank you.
