The sign process must take place in a secure environment where the access to the private key is restricted. Usually, a development server generates the artifacts but are signed externally in a secure environment. The required artifacts to sign externally are:

Android sources includes these signing tools, some are scripts and others code files to compile. To use them, you have to install the sources and build your project, so you get the required binaries from its code. To avoid this process, the file otatools.zip is generated next to the ccimx8xsbcpro-target_files-<build_id>.zip when building a distribution.

Follow these steps to externally sign and create the release artifacts in a secure environment:

  1. Copy the files otatools.zip and ccimx8xsbcpro-target_files-<build_id>.zip to the secure server where the private release keys are also accessible. See Build your custom distribution to know how to get these files.

    For example, you can copy them to the home directory. In this case, you have:

    $ ls -l ~
    drwxrwxr-x 10 user user       4096 may 22 11:31 android-certs
    -rw-rw-r--  1 user user 1161132523 may 22 11:35 ccimx8xsbcpro-target_files-<build_id>.zip
    -rw-rw-r--  1 user user   47440413 may 22 11:35 otatools.zip
  2. Uncompress the otatools.zip file to a directory, for example ~/otatools:

    $ unzip ~/otatools.zip -d ~/otatools
  3. Change to the directory where the tools are uncompressed.

    $ cd ~/otatools
  4. Sign the target_files zip with your private key:

    $ ./releasetools/sign_target_files_apks \
      -p ~/otatools \
      -o \
      -d ~/android-certs \
      ~/ccimx8xsbcpro-target_files-<build_id>.zip \
      ~/signed-target_files.zip
  5. With the target_files already signed you can:

    • Generate your raw images:

      $ ./releasetools/img_from_target_files \
        -p ~/otatools \
        ~/signed-target_files.zip \
        ~/signed-img.zip
    • Create a signed update package:

      • A full update package:

        $ ./releasetools/ota_from_target_files \
          -p ~/otatools \
          -k ~/android-certs/releasekey \
          ~/signed-target-files.zip \
          ~/full-ota-update.zip
      • An incremental update package:

        $ ./releasetools/ota_from_target_files \
          -p ~/otatools \
          -k ~/android-certs/releasekey \
          -i ~/A-signed-target_files.zip ~/B-signed-target_files.zip \
          ~/A_to_B-incremental-ota-update.zip