The keys.mk
file is a Makefile used in the Android build system to define the paths to various cryptographic keys necessary for signing different components of the Android operating system. These keys ensure the security and integrity of the system.
- Ensure that the keys (both
.pk8
and.x509.pem
) are saved invendor/keys
and are not encrypted. - A better approach is to create a private repository from this template repository and add your key files to your private repository.
The following keys are required for signing your Android build:
platform
releasekey
shared
media
testkey
verity
sdk_sandbox
You can generate the necessary keys using the following script. Copy and paste this script into your terminal, ensuring you are in the root directory of the ROM:
subject='/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
for cert in media platform releasekey sdk_sandbox shared testkey verity; do \
./development/tools/make_key vendor/keys/$cert "$subject"; \
done
Note: You can change the values in the subject according to your preferences.
-
Install OpenSSL: Ensure OpenSSL is installed on your system.
- For debian-based systems
sudo apt-get install openssl
- For Arch-based systems
sudo pacman -S openssl
- For debian-based systems
-
Generate Keys: Use the provided script to generate keys. Each key will consist of a
.x509.pem
certificate and a.pk8
private key.Note : Generate keys without password, the keys should not be encrypted.
The subject line in the script specifies the details for the certificate:
C
: CountryST
: StateL
: Locality (City)O
: OrganizationOU
: Organizational UnitCN
: Common NameemailAddress
: Email address associated with the certificate
-
Store Keys: Ensure the generated keys are stored in the
vendor/keys
directory. The structure should look like this:vendor/keys/ ├── platform.x509.pem ├── platform.pk8 ├── releasekey.x509.pem ├── releasekey.pk8 ├── shared.x509.pem ├── shared.pk8 ├── media.x509.pem ├── media.pk8 ├── testkey.x509.pem ├── testkey.pk8 ├── verity.x509.pem ├── verity.pk8 ├── sdk_sandbox.x509.pem ├── sdk_sandbox.pk8 ├── keys.mk
To include the keys in your Android build, add the following line to your lineage_<device>.mk
file:
include vendor/keys/keys.mk
And mainly dont forget to clone this repo to vendor/keys
By following these steps, you can generate, store, and use cryptographic keys to sign various components of your Android build. This ensures that your build is secure and maintains the integrity of the operating system.