forked from Divested-Mobile/DivestOS-Build
Signatures
steadfasterX edited this page Jan 16, 2025 · 1 revision
- Apps within AXP.OS itself are signed with the corresponding build keys
- Every device has its own signing key set¹
- Flavors of the same device have different signing key sets¹ (see AOS-Flavors)
- Apps provided by third parties might have their own signature
- Apps which are directly part of AXP.OS (or made by AXP.OS) are signed with the common AXP.OS app signature (see next topic)
Notes:
- ¹) apps avb avb_pkmd bluetooth cyngn-app cyngn-priv-app extra media networkstack platform releasekey sdk_sandbox shared testkey verity
Signer #1 certificate DN: CN=APK SIGNING KEY, OU=AXP.OS, O=AXP.OS, L=N/A, ST=N/A, C=DE
Signer #1 certificate SHA-256 digest: 005c9805d501bf50c1a8bfd3204b6908843088581fdcf3db8ab4f688ffc0e7b6
Signer #1 certificate SHA-1 digest: 53c4021704a4a565e4833d0620eb38f6808e1316
Signer #1 certificate MD5 digest: 4ff29417c66aeb46375d9e9913b9ffd2
Signer #1 key algorithm: EC
Signer #1 key size (bits): 521
Signer #1 public key SHA-256 digest: f002a63815f5433343677dcbabe110bd1a83a3483136fc97d6385bbe09088bc4
Signer #1 public key SHA-1 digest: 4248c76806aa5a8d5fb897061c3fc01414becf9d
Signer #1 public key MD5 digest: b6c4006030da70fd1a1692c0124ac18f
Full Signature:
MIICajCCAcugAwIBAgIJAKKFzP6qpdgWMAoGCCqGSM49BAMEMGUxCzAJBgNVBAYTAkRFMQwwCgYDVQQIEwNOL0ExDDAKBgNVBAcTA04vQTEPMA0GA1UEChMGQVhQLk9TMQ8wDQYDVQQLEwZBWFAuT1MxGDAWBgNVBAMTD0FQSyBTSUdOSU5HIEtFWTAeFw0yNTAxMDgxNzAxMjNaFw0zNTAxMDYxNzAxMjNaMGUxCzAJBgNVBAYTAkRFMQwwCgYDVQQIEwNOL0ExDDAKBgNVBAcTA04vQTEPMA0GA1UEChMGQVhQLk9TMQ8wDQYDVQQLEwZBWFAuT1MxGDAWBgNVBAMTD0FQSyBTSUdOSU5HIEtFWTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAOhJfTYKhxYAs391+zrDZVKxtMnKkDvoFQfUHrl/HLCwK+c9X9kSHXaG7DcEzBPtEc7105CUyhk9YtN5GNCphnSqAa7fG5v4nngeTOFplZUq295outNAjT0NlWFWuA+3ei3JV43AzQGimH5EQ/UD9CpFemLoAQpUlOMU5tr5BWzAyUsqoyEwHzAdBgNVHQ4EFgQUpv+2CCk3423DCp5oTA5bZmxYX9owCgYIKoZIzj0EAwQDgYwAMIGIAkIBrPhoYHbix9fESALKBCQvW2Z4RULHJs7CwFSEc71rNN30QWHA5W8sRkfUgZJzFGcFQmhf8nHUISMWpRFm0kdszkUCQgHhWodLT3JmqiR1Eg5fU5oo4cdijJft50slR1u7gTiTamY5SmuohJvLO51LhmgnRN1uCE69yYloqvfvoIoaSBdmyA==
Apps using this signature are:
- AXP.OS WebView
- AXP.OS PhoneSky
- OpenEUICC
- LoveLaceAV
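An added example (not part of the AXP.OS wiki or code base) that checks whether an APK is signed with the common app certificate by pinning the certificate SHA-256 digest listed above. It assumes the input is the output of `apksigner verify --print-certs`, whose format the listing above follows; the function names, variable names and samples 2 and 3 are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not AXP.OS code): pin the common AXP.OS app signer certificate.

# Certificate SHA-256 digest as published on this page.
AXP_APP_CERT_SHA256="005c9805d501bf50c1a8bfd3204b6908843088581fdcf3db8ab4f688ffc0e7b6"

# Reads `apksigner verify --print-certs` output on stdin; optional $1 overrides the pin.
# Returns 0: exactly one signer and its certificate digest equals the pin
#         1: exactly one signer, but the digest differs from the pin
#         2: no signer line found, or more than one signer present
check_signer_digest() {
    local pin digests count
    pin=$(printf '%s' "${1:-$AXP_APP_CERT_SHA256}" | tr 'A-F' 'a-f')
    # Match only the *certificate* digest lines, not the public-key digest lines.
    digests=$(sed -n 's/^Signer #[0-9][0-9]* certificate SHA-256 digest: *\([0-9A-Fa-f]\{64\}\)[[:space:]]*$/\1/p' \
        | tr 'A-F' 'a-f')
    count=$(printf '%s' "$digests" | grep -c '^[0-9a-f]\{64\}$' || true)
    [ "$count" -eq 1 ] || return 2
    [ "$digests" = "$pin" ] || return 1
    return 0
}

# Hypothetical wrapper: apksigner's own exit status is checked first, so an APK
# whose signature does not verify is never accepted on a printed digest alone.
verify_apk() {
    local out
    out=$(apksigner verify --print-certs "$1") || return 3
    printf '%s\n' "$out" | check_signer_digest
}

# Sample 1: certificate lines taken from the listing on this page.
SAMPLE_OK='Signer #1 certificate DN: CN=APK SIGNING KEY, OU=AXP.OS, O=AXP.OS, L=N/A, ST=N/A, C=DE
Signer #1 certificate SHA-256 digest: 005c9805d501bf50c1a8bfd3204b6908843088581fdcf3db8ab4f688ffc0e7b6
Signer #1 public key SHA-256 digest: f002a63815f5433343677dcbabe110bd1a83a3483136fc97d6385bbe09088bc4'

# Sample 2 (constructed): a single signer with a different certificate.
SAMPLE_BAD="Signer #1 certificate SHA-256 digest: $(printf '%064d' 0)"

# Sample 3 (constructed): the pinned signer plus an unexpected second signer.
SAMPLE_TWO="$SAMPLE_OK
Signer #2 certificate SHA-256 digest: $(printf '%064d' 0)"

printf '%s\n' "$SAMPLE_OK" | check_signer_digest && echo "sample 1: pinned signer OK"
```

With the Android build tools installed, `verify_apk some.apk` runs the same check against a real file.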
AXP.OS provides OTA (Over The Air) updates, which are signed with the releasekey so that the integrity of an update can be verified. That means:
- when the Updater has downloaded a new build, it verifies the signature and fails if the build is compromised
- when the AXP.OS recovery loads an update via ADB sideload, it verifies the signature and fails if the build is compromised
The use of a custom recovery is strongly discouraged, as it cannot (will not) verify the build signature.
If you are forced to use a custom recovery:
- download the update zip and the corresponding sha512 file
- verify the signature manually with the update_verifier
- alternatively, verify the sha512 hash of the zip against the one from the Automation channel (not the one from the download website)