The signing process must take place in a secure environment where access to private keys is restricted. Usually, a development server generates the artifacts, which are then signed externally in a secure environment.

The required artifacts to generate signed images are:

  1. The private keys to sign for release.

  2. The ccimx8mmdvk-target_files-<build_id>.zip generated by a development server to be signed.

    See 3. Build your images.

  3. The tools to sign the target_files zip and generate the release artifacts.

    Digi Embedded for Android sources include these signing tools; some are scripts, and others are code files to compile. To use them, you must install the sources and build your project so you get the required binaries from its code.

Follow these steps to externally sign and create the release artifacts in a secure environment:

  1. Setup the secure server:

    1. Set up your environment and install the sources. If you have not already done so, see Set up your development workstation and Install Digi Embedded for Android.

    2. Change to the directory where the source code is installed.

      $ cd dea-11.0-r2

    3. Initialize the build environment:

      $ source build/envsetup.sh

    4. Select a ConnectCore 8M Mini target to build:

      • ccimx8mmdvk-user creates images with no root access, suitable for production.

      • ccimx8mmdvk-userdebug like user images but with root access and debug capability.

        For more information about build types, go to Choosing a target.

        For production, use user build type:

        $ lunch ccimx8mmdvk-user

============================================
PLATFORM_VERSION_CODENAME=REL
PLATFORM_VERSION=11
TARGET_PRODUCT=ccimx8mmdvk
TARGET_BUILD_VARIANT=user
TARGET_BUILD_TYPE=release
TARGET_ARCH=arm64
TARGET_ARCH_VARIANT=armv8-a
TARGET_CPU_VARIANT=cortex-a53
TARGET_2ND_ARCH=arm
TARGET_2ND_ARCH_VARIANT=armv7-a-neon
TARGET_2ND_CPU_VARIANT=cortex-a9
HOST_ARCH=x86_64
HOST_2ND_ARCH=x86
HOST_OS=linux
HOST_OS_EXTRA=Linux-4.15.0-142-generic-x86_64-Ubuntu-18.04.5-LTS
HOST_CROSS_OS=windows
HOST_CROSS_ARCH=x86
HOST_CROSS_2ND_ARCH=x86_64
HOST_BUILD_TYPE=release
BUILD_ID=RP1A.201005.004
OUT_DIR=out
PRODUCT_SOONG_NAMESPACES=device/generic/goldfish device/generic/goldfish-opengl external/mesa3d vendor/nxp-opensource/imx/power hardware/google/pixel vendor/partner_gms hardware/google/camera vendor/nxp-opensource/imx/camera
============================================
$

  2. Copy the resources from the development server to the secure server where the private release keys are also accessible. See 3. Build your images to learn how to get these files.

    For example, you can copy them to your home directory, /home/<user>. In this case, you have:

    $ ls -l ~
drwxrwxr-x 10 user user       4096 may 22 11:31 android-certs
-rw-rw-r--  1 user user 1161132523 may 22 11:35 ccimx8mmdvk-target_files-<build_id>.zip

  3. Sign the target_files zip with your private keys:

    $ sign_target_files_apks \
  -o \
  -d ~/android-certs \
  --avb_vbmeta_key ~/android-certs/custom_rsa4096_private.pem \
  --avb_vbmeta_algorithm SHA256_RSA4096 \
  --avb_boot_key ~/android-certs/custom_rsa2048_private.pem \
  --avb_boot_algorithm SHA256_RSA2048 \
  ~/ccimx8mmdvk-target_files-<build_id>.zip \
  ~/signed-target_files.zip

  4. With the target_files already signed you can:

    • Generate your raw images:

      $ img_from_target_files \
  --additional 'IMAGES/product.img:product.img' \
  --additional 'IMAGES/super_empty.img:super_empty.img' \
  --additional 'IMAGES/system.img:system.img' \
  --additional 'IMAGES/system_ext.img:system_ext.img' \
  --additional 'IMAGES/vendor.img:vendor.img' \
  ~/signed-target_files.zip \
  ~/signed-img.zip

    • Create a signed update package:

      • A full update package:

        $ ota_from_target_files \
  -k ~/android-certs/releasekey \
  ~/signed-target-files.zip \
  ~/full-ota-update.zip

      • An incremental update package:

        $ ota_from_target_files \
  -k ~/android-certs/releasekey \
  -i ~/A-signed-target_files.zip ~/B-signed-target_files.zip \
  ~/A_to_B-incremental-ota-update.zip

        For more information, see Create a signed OTA package.

    • Generate the OTA configuration file:

      To execute it you must add the release tools to the PYTHONPATH:

      $ PYTHONPATH=$ANDROID_BUILD_TOP/build/make/tools/releasetools:$PYTHONPATH \
  bootable/recovery/updater_sample/tools/gen_update_config.py \
  --ab_install_type=STREAMING \
  --ab_force_switch_slot \
  full-ota-update.zip  \
  full-ota-update.json \
  http://foo.bar/ota-builds/full-ota-update.zip

      See Update Android with OTA packages.

For more information, see https://source.android.com/devices/tech/ota/sign_builds.