CalyxOS

Signing CalyxOS builds

Contents

CalyxOS is built on a dedicated server and then signed separately. It can be signed on the same machine, but it has to be in a different directory.

Build

  • You need to have a build environment setup first, and a build of CalyxOS.
  • Choose ‘user’ when running lunch.
  • For signing, you want to build a ‘target-files-package’ using m target-files-package
  • You’ll also want to build the tools needed for signing and key creation, m otatools-package otatools-keys-package

Copy:

  • $OUT/otatools.zip
  • $OUT/obj/PACKAGING/target_files_intermediates/*.zip

to a separate folder for signing.

Also copy:

  • $OUT/otatools-keys.zip

if you need to create the keys used to sign the OS.

Generating keys

If you’re signing CalyxOS for the first time, you will need to create the necessary keys.

You should unzip the ‘otatools-keys.zip’ from the above step, preferably on an offline machine.

Run:

  • ./vendor/calyx/scripts/mkkeys.sh to generate the keys needed for each device. Do not set a password as the signing scripts do not support that currently.

Next, run:

  • ./vendor/calyx/scripts/mkcommonkeys.sh to create some common keys used to sign apps. These are used to sign certain apps put into the OS such as Trichrome (Chromium) and F-Droid. These keys are shared between different devices.

Example:

./vendor/calyx/scripts/mkkeys.sh keys/bluejay '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com' # Replace bluejay with your device
./vendor/calyx/scripts/mkcommonkeys.sh keys/common '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'

Signing

This assumes you’ve generated the keys as mentioned above.

In a folder, you should have ‘otatools.zip’, the ‘calyx_device-target-files.zip’, and ‘keys’. ‘keys’ can be a symlink.

Sign the build

This will sign the build, and create ota update zips and factory images.

export BUILD_NUMBER=eng.$USERNAME.date # Get this from the filename
unzip otatools.zip
./vendor/calyx/scripts/release.sh bluejay calyx_bluejay-target_files-${BUILD_NUMBER}.zip # Replace bluejay with your device

Generate incremental OTAs

If you have an older build, you should symlink that to ‘archive’, and then you can generate an incremental OTA using:

export PREV_BUILD_NUMBER=eng.$USERNAME.prevdate # Get this from the filename
./vendor/calyx/scripts/generate_delta.sh bluejay ${PREV_BUILD_NUMBER} ${BUILD_NUMBER} # Replace bluejay with your device

Generate metadata for the update server

./vendor/calyx/scripts/generate_metadata.py out/release-bluejay-${BUILD_NUMBER}/bluejay-ota_update-${BUILD_NUMBER}.zip # Replace bluejay with your device


References: