CalyxOS

Signing CalyxOS builds

Contents

CalyxOS is built on a dedicated server and then signed separately. It can be signed on the same machine, but it has to be in a different directory.

Build

  • You need to have a build environment setup first, and a build of CalyxOS.
  • Choose ‘user’ when running lunch.
  • For signing, you want to build a ‘target-files-package’ using m target-files-package
  • You’ll also want to build the tools needed for signing and key creation, m otatools-package otatools-keys-package

Copy:

  • $OUT/otatools.zip
  • $OUT/obj/PACKAGING/target_files_intermediates/*.zip

to a separate folder for signing.

Also copy:

  • $OUT/otatools-keys.zip

if you need to create the keys used to sign the OS.

Generating keys

If you’re signing CalyxOS for the first time, you will need to create the necessary keys.

You should unzip the ‘otatools-keys.zip’ from the above step, preferably on an offline machine.

Run:

  • ./vendor/calyx/scripts/mkkeys.sh to generate the keys needed for all devices. Do not set a password as the signing scripts do not support that currently.

If you’re building for the Mi A2 / jasmine_sprout, you should copy keys/jasmine_sprout/verity.x509.pem to kernel/xiaomi/jasmine_sprout/certs/ in the CalyxOS source code and then rebuild.

Next, run:

  • ./vendor/calyx/scripts/mkcommonkeys.sh to create some common keys used to sign apps. These are used to sign certain apps put into the OS such as Trichrome (Chromium) and F-Droid.

Signing

This assumes you’ve generated the keys as mentioned above.

In a folder, you should have ‘otatools.zip’, the ‘calyx_device-target-files.zip’, and ‘keys’. ‘keys’ can be a symlink.

Sign the build

This will sign the build, and create ota update zips and factory images.

export BUILD_NUMBER=eng.$USERNAME.date # Get this from the filename
unzip otatools.zip
./vendor/calyx/scripts/release.sh sunfish calyx_sunfish-target_files-${BUILD_NUMBER}.zip # Replace sunfish with your device

Generate incremental OTAs

If you have an older build, you should symlink that to ‘archive’, and then you can generate an incremental OTA using:

export PREV_BUILD_NUMBER=eng.$USERNAME.prevdate # Get this from the filename
./vendor/calyx/scripts/generate_delta.sh sunfish ${PREV_BUILD_NUMBER} ${BUILD_NUMBER} # Replace sunfish with your device

Generate metadata for the update server

./vendor/calyx/scripts/generate_metadata.py out/release-sunfish-${BUILD_NUMBER}/sunfish-ota_update-${BUILD_NUMBER}.zip # Replace sunfish with your device


References: