The signing process must take place in a secure environment where access to the private key is restricted. Usually, a development server generates the artifacts, which are then signed externally in a secure environment. The required artifacts to sign externally are:

The Android sources include these signing tools: some are scripts and others are source files that must be compiled. To use them, you have to install the sources and build your project so that you get the required binaries.

Follow these steps to externally sign and create the release artifacts in a secure environment:

  1. Set up the secure server:

    1. Set up your environment and install the sources. If you have not already done so, see Set up your development workstation and Install Digi Embedded for Android.

    2. Change to the directory where the source code is installed.

      $ cd dea-11.0-r2
    3. Initialize the build environment:

      $ source build/envsetup.sh
    4. Select a ConnectCore 8M Mini target to build:

      • ccimx8mmdvk-user creates images with no root access, suitable for production.

      • ccimx8mmdvk-userdebug creates images like user images, but with root access and debug capability.

        For more information about build types, go to Choosing a target.

        For production, use the user build type:

        $ lunch ccimx8mmdvk-user
        
        ============================================
        PLATFORM_VERSION_CODENAME=REL
        PLATFORM_VERSION=11
        TARGET_PRODUCT=ccimx8mmdvk
        TARGET_BUILD_VARIANT=user
        TARGET_BUILD_TYPE=release
        TARGET_ARCH=arm64
        TARGET_ARCH_VARIANT=armv8-a
        TARGET_CPU_VARIANT=cortex-a53
        TARGET_2ND_ARCH=arm
        TARGET_2ND_ARCH_VARIANT=armv7-a-neon
        TARGET_2ND_CPU_VARIANT=cortex-a9
        HOST_ARCH=x86_64
        HOST_2ND_ARCH=x86
        HOST_OS=linux
        HOST_OS_EXTRA=Linux-4.15.0-142-generic-x86_64-Ubuntu-18.04.5-LTS
        HOST_CROSS_OS=windows
        HOST_CROSS_ARCH=x86
        HOST_CROSS_2ND_ARCH=x86_64
        HOST_BUILD_TYPE=release
        BUILD_ID=RP1A.201005.004
        OUT_DIR=out
        PRODUCT_SOONG_NAMESPACES=device/generic/goldfish device/generic/goldfish-opengl external/mesa3d vendor/nxp-opensource/imx/power hardware/google/pixel vendor/partner_gms hardware/google/camera vendor/nxp-opensource/imx/camera
        ============================================
        $ 
  2. Copy the ccimx8mmdvk-target_files-<build_id>.zip file to the secure server where the private release keys are also accessible. See Build your custom distribution to learn how to get these files.

    For example, you can copy it to the home directory. In this case, you have:

    $ ls -l ~
    drwxrwxr-x 10 user user       4096 may 22 11:31 android-certs
    -rw-rw-r--  1 user user 1161132523 may 22 11:35 ccimx8mmdvk-target_files-<build_id>.zip
  3. Sign the target_files zip with your private key:

    $ sign_target_files_apks \
      -o \
      -d ~/android-certs \
      ~/ccimx8mmdvk-target_files-<build_id>.zip \
      ~/signed-target_files.zip
  4. With the target_files zip signed, you can:

    • Generate your raw images:

      $ img_from_target_files \
        --additional 'IMAGES/product.img:product.img' \
        --additional 'IMAGES/super_empty.img:super_empty.img' \
        --additional 'IMAGES/system.img:system.img' \
        --additional 'IMAGES/system_ext.img:system_ext.img' \
        --additional 'IMAGES/vendor.img:vendor.img' \
        ~/signed-target_files.zip \
        ~/signed-img.zip
    • Create a signed update package:

      • A full update package:

        $ ota_from_target_files \
          -k ~/android-certs/releasekey \
          ~/signed-target_files.zip \
          ~/full-ota-update.zip
      • An incremental update package:

        $ ota_from_target_files \
          -k ~/android-certs/releasekey \
          -i ~/A-signed-target_files.zip ~/B-signed-target_files.zip \
          ~/A_to_B-incremental-ota-update.zip
    • Generate the OTA configuration file:

      To run the script, you must add the release tools to the PYTHONPATH:

      $ PYTHONPATH=$ANDROID_BUILD_TOP/build/make/tools/releasetools:$PYTHONPATH \
        bootable/recovery/updater_sample/tools/gen_update_config.py \
        --ab_install_type=STREAMING \
        --ab_force_switch_slot \
        ~/full-ota-update.zip \
        full-ota-update.json \
        http://foo.bar/ota-builds/full-ota-update.zip
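
The checks below are an added example, not part of Digi's documentation or tools. check_key_perms flags a key directory that group or other can access (the android-certs listing in step 2 shows mode drwxrwxr-x), and check_release_tags confirms that a SYSTEM/build.prop extracted from the signed target_files carries release-keys, which sign_target_files_apks writes in place of test-keys by default. The function names and sample files are constructed for illustration, and the property pattern assumes stock AOSP build.prop naming.

```shell
# Added example: checks to run on the secure server around step 3.

# Returns 0 if nothing under the key directory is accessible by group/other.
check_key_perms() {
    [ -d "$1" ] || return 2
    loose=$(find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        printf 'group/other access on:\n%s\n' "$loose" >&2
        return 1
    fi
}

# Returns 0 if a build.prop taken from the signed zip carries release-keys only.
# Extract it with: unzip -p ~/signed-target_files.zip SYSTEM/build.prop
check_release_tags() {
    [ -r "$1" ] || return 2
    if grep -Eq '(test|dev)-keys' "$1"; then
        echo "test-keys/dev-keys still present in $1" >&2
        return 1
    fi
    grep -Eq '^ro\.([a-z_]+\.)?build\.tags=release-keys$' "$1"
}

# Constructed sample data (no real keys, no real build): one key directory
# with the mode from the step 2 listing (775), one locked down, two props.
make_samples() {
    s=$(mktemp -d) || return 1
    mkdir -p "$s/open-certs" "$s/locked-certs"
    : > "$s/open-certs/releasekey.pk8"
    : > "$s/locked-certs/releasekey.pk8"
    chmod 775 "$s/open-certs";   chmod 664 "$s/open-certs/releasekey.pk8"
    chmod 700 "$s/locked-certs"; chmod 600 "$s/locked-certs/releasekey.pk8"
    printf 'ro.build.type=user\nro.build.tags=test-keys\n' > "$s/unsigned.prop"
    printf 'ro.build.type=user\nro.build.tags=release-keys\n' > "$s/signed.prop"
    echo "$s"
}

samples=$(make_samples)
for d in open-certs locked-certs; do
    check_key_perms "$samples/$d" 2>/dev/null && r=ok || r=TOO-OPEN
    echo "$d: $r"
done
for p in unsigned.prop signed.prop; do
    check_release_tags "$samples/$p" 2>/dev/null && r=ok || r=NOT-RELEASE
    echo "$p: $r"
done
rm -rf "$samples"
```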