AOSP building: replace my own keys with default test-keys

Question

I am building AOSP and I want to sign the build with my own key. There is some official doc about this process here.

But I wonder if I can simply turn around all of that process and instead do this things:

1. Delete default android test-keys which are located at build/target/product/security
2. put my keys (which are generated using official instructions at here) in that folder with same names. (Assume one key for all of shared,media,...)

But this approach does not work. After burning the image, system apps (SystemUI, settings,..) will stop and continuously show the ANR dialog. I know this happens if system signature does not match with these apps's signature... but why?

Another question: Is using same key as shared.pk8 , media.pk8, testkey.pk8 , ... causes any problem?

Thanks

Answer 1

First, make sure the build has re-signed the apps. You may have to do a make clean to get rid of the previous artifacts.

Also check the Android.mk files for your bundled system apps (like in packages/apps or wherever you may have put them). Where you see this line:

LOCAL_CERTIFICATE := PRESIGNED

replace it with this instead:

LOCAL_CERTIFICATE := platform

This will let the build re-sign your system apps with the key they'll be checked against.

While using the same key for shared, media, testkey, platform will work (in the sense that your system should boot and function), it removes a layer of isolation from apps built with those keys. In particular, non-system apps that are normally signed with the testkey will now be signed with the same key as platform. This will give them access to system app data and code and also give them heightened privileges (like not having to ask the user for confirmation to use the camera or access their files). I don't think that's recommended.

Answer 2

One suggestion:

If you don't want to keep your private keys in source control together with the aosp code, you can define a path to them in your device mk:

PRODUCT_DEFAULT_DEV_CERTIFICATE :=  /home/my_user/release_keys_folder/releasekey
PRODUCT_VERITY_SIGNING_KEY := /home/my_user/release_keys_folder/verity

Answer 3

The recommended method to sign your image with keys use (from Googles AOSP documentations):

make dist
sign_target_files_apks \
-o \
--default_key_mappings ~/.android-certs out/dist/*-target_files-*.zip \
signed-target_files.zip

Then execute:

img_from_target_files signed-target-files.zip signed-img.zip

I wouldn't use the same key, there's a reason why different keys are used.