<feed xmlns='http://www.w3.org/2005/Atom'>
<title>replicant/vendor_replicant, branch replicant-6.0</title>
<subtitle>Patches not merged yet, used for building and testing them
</subtitle>
<link rel='alternate' type='text/html' href='https://git.replicant.us/contrib/GNUtoo/replicant/vendor_replicant/'/>
<entry>
<title>Add support for distributions without mvn-debian</title>
<updated>2021-08-09T23:46:36+00:00</updated>
<author>
<name>Denis 'GNUtoo' Carikli</name>
<email>GNUtoo@cyberdimension.org</email>
</author>
<published>2021-07-18T23:13:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/contrib/GNUtoo/replicant/vendor_replicant/commit/?id=bfe859b89594264b59bdceb3e7cc3b724e68d8f2'/>
<id>bfe859b89594264b59bdceb3e7cc3b724e68d8f2</id>
<content type='text'>
Trisquel 9 doesn't have mvn-debian but has mvn instead.

Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Trisquel 9 doesn't have mvn-debian but has mvn instead.

Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>build-toolchain: enable to build the C/C++ toolchain on more distributions</title>
<updated>2021-08-09T17:04:19+00:00</updated>
<author>
<name>Denis 'GNUtoo' Carikli</name>
<email>GNUtoo@cyberdimension.org</email>
</author>
<published>2021-07-18T23:04:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/contrib/GNUtoo/replicant/vendor_replicant/commit/?id=25f51c7f983266f3062ea0dba72ee7f6895163c0'/>
<id>25f51c7f983266f3062ea0dba72ee7f6895163c0</id>
<content type='text'>
Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>build-toolchain: cosmetic fixes</title>
<updated>2021-08-09T17:03:46+00:00</updated>
<author>
<name>Denis 'GNUtoo' Carikli</name>
<email>GNUtoo@cyberdimension.org</email>
</author>
<published>2021-08-05T13:33:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/contrib/GNUtoo/replicant/vendor_replicant/commit/?id=ad27eaf3f0861a34e8dfd929a8114b8fd034414d'/>
<id>ad27eaf3f0861a34e8dfd929a8114b8fd034414d</id>
<content type='text'>
This uses spaces everywhere instead of mixing spaces and tabs.

In addition it also fixes a line over 80 characters.

This should contain no functional changes.

Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
Reviewed-by: Fil Lupin &lt;fillupin@protonmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This uses spaces everywhere instead of mixing spaces and tabs.

In addition it also fixes a line over 80 characters.

This should contain no functional changes.

Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
Reviewed-by: Fil Lupin &lt;fillupin@protonmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Don't run the key migration at each boot</title>
<updated>2021-04-26T13:25:26+00:00</updated>
<author>
<name>Denis 'GNUtoo' Carikli</name>
<email>GNUtoo@cyberdimension.org</email>
</author>
<published>2021-04-26T13:21:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/contrib/GNUtoo/replicant/vendor_replicant/commit/?id=3478ada718ac042ce9c0c261851645175066a11f'/>
<id>3478ada718ac042ce9c0c261851645175066a11f</id>
<content type='text'>
As we got report of data corruption in the package.xml file with
that script, it is better not to run it at each boot.

The corruption probably comes from having the device being shut
down precisely between the 5 seconds in which it modifies the
packages.xml files, which leaves a temporary file and an empty
packages.xml.

To keep the code simple, we will do two releases: one that doesn't
run this script automatically and one that does.

This way users will install the one that does the migration and once
done they will install the final image.

Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
As we got report of data corruption in the package.xml file with
that script, it is better not to run it at each boot.

The corruption probably comes from having the device being shut
down precisely between the 5 seconds in which it modifies the
packages.xml files, which leaves a temporary file and an empty
packages.xml.

To keep the code simple, we will do two releases: one that doesn't
run this script automatically and one that does.

This way users will install the one that does the migration and once
done they will install the final image.

Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Ship shutdown.sh and reboot.sh</title>
<updated>2021-03-12T14:53:27+00:00</updated>
<author>
<name>Denis 'GNUtoo' Carikli</name>
<email>GNUtoo@cyberdimension.org</email>
</author>
<published>2021-03-12T14:53:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/contrib/GNUtoo/replicant/vendor_replicant/commit/?id=59246bbb10ecd21c66b69f78e3a095912f17a47d'/>
<id>59246bbb10ecd21c66b69f78e3a095912f17a47d</id>
<content type='text'>
These scripts enable users to cleanly shut down and reboot the
device from the shell.

Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
These scripts enable users to cleanly shut down and reboot the
device from the shell.

Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Ship the wipe utility on all the devices</title>
<updated>2021-03-08T13:33:01+00:00</updated>
<author>
<name>Denis 'GNUtoo' Carikli</name>
<email>GNUtoo@cyberdimension.org</email>
</author>
<published>2021-03-08T13:12:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/contrib/GNUtoo/replicant/vendor_replicant/commit/?id=70389ac7679961a6a04d34538a7129bd2a347c56'/>
<id>70389ac7679961a6a04d34538a7129bd2a347c56</id>
<content type='text'>
Wipe comes from wipe 2.3.1 from http://wipe.sourceforge.net/.

As there doesn't seem to be any git repository, the tarball
was imported in git and the subsequent commit added support for
Android.

Wipe is strongly needed as without it it's not very convenient
to securely delete files from the internal storage.

Without wipe, one would have to port GNU/Linux to the device
if it's not already done, or reuse the Replicant 11 kernel
otherwise, and run a distribution like Parabola to securely
erase files.

Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Wipe comes from wipe 2.3.1 from http://wipe.sourceforge.net/.

As there doesn't seem to be any git repository, the tarball
was imported in git and the subsequent commit added support for
Android.

Wipe is strongly needed as without it it's not very convenient
to securely delete files from the internal storage.

Without wipe, one would have to port GNU/Linux to the device
if it's not already done, or reuse the Replicant 11 kernel
otherwise, and run a distribution like Parabola to securely
erase files.

Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Remove ambientsdk</title>
<updated>2020-11-25T13:55:08+00:00</updated>
<author>
<name>belgin</name>
<email>belginstirbu@hotmail.com</email>
</author>
<published>2020-11-24T11:03:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/contrib/GNUtoo/replicant/vendor_replicant/commit/?id=9cb33a90fea843cd285ebdcf0ca8d8e073f93c71'/>
<id>9cb33a90fea843cd285ebdcf0ca8d8e073f93c71</id>
<content type='text'>
Signed-off-by: belgin &lt;belginstirbu@hotmail.com&gt;
Acked-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: belgin &lt;belginstirbu@hotmail.com&gt;
Acked-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Update key-migration.sh to sync with vendor_replicant-scripts</title>
<updated>2020-10-11T20:14:29+00:00</updated>
<author>
<name>Denis 'GNUtoo' Carikli</name>
<email>GNUtoo@cyberdimension.org</email>
</author>
<published>2020-10-11T17:51:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/contrib/GNUtoo/replicant/vendor_replicant/commit/?id=b8697cf55e65c143897b10b0e580ec00a57b0d6b'/>
<id>b8697cf55e65c143897b10b0e580ec00a57b0d6b</id>
<content type='text'>
The gen_key_migration_script script was modified to generate a
key-migration.sh script that can run multiple times.

In addition, prints were added to inform the user of the script
success or failure.

So we need to update the generated script as well for the changes
to be taken into account.

This modified version was generated with the following command in
the top directory of the replicant-6.0 source code:
    $ ./vendor/replicant-scripts/images/gen_key_migration_script/gen_key_migration_script.py \
      gen-script \
      vendor/replicant/prebuilt/common/bin/key-migration.sh \
      vendor/replicant-data/distros/releases/certificates/ \
      vendor/replicant-security/

Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The gen_key_migration_script script was modified to generate a
key-migration.sh script that can run multiple times.

In addition, prints were added to inform the user of the script
success or failure.

So we need to update the generated script as well for the changes
to be taken into account.

This modified version was generated with the following command in
the top directory of the replicant-6.0 source code:
    $ ./vendor/replicant-scripts/images/gen_key_migration_script/gen_key_migration_script.py \
      gen-script \
      vendor/replicant/prebuilt/common/bin/key-migration.sh \
      vendor/replicant-data/distros/releases/certificates/ \
      vendor/replicant-security/

Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Recovery: delete otasigcheck.sh</title>
<updated>2020-10-09T16:47:46+00:00</updated>
<author>
<name>Denis 'GNUtoo' Carikli</name>
<email>GNUtoo@cyberdimension.org</email>
</author>
<published>2020-08-23T01:57:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/contrib/GNUtoo/replicant/vendor_replicant/commit/?id=47ee59d0d8f4833e3074cd265a1cba3da54ce22e'/>
<id>47ee59d0d8f4833e3074cd265a1cba3da54ce22e</id>
<content type='text'>
The calls to otasigcheck.sh have already been removed in the build
repository with the following commit:
    57b200aeb4af062d2c7714de34fafe9b5d6e201c
    57b200aeb Recovery: Remove check for matching application signatures with their data

So it is not needed anymore. Removing otasigcheck.sh also makes sure that
it's not possible to call it anymore.

Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The calls to otasigcheck.sh have already been removed in the build
repository with the following commit:
    57b200aeb4af062d2c7714de34fafe9b5d6e201c
    57b200aeb Recovery: Remove check for matching application signatures with their data

So it is not needed anymore. Removing otasigcheck.sh also makes sure that
it's not possible to call it anymore.

Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Add generated startup script to update the package signatures</title>
<updated>2020-10-09T16:47:40+00:00</updated>
<author>
<name>Gabriele M</name>
<email>moto.falcon.git@gmail.com</email>
</author>
<published>2017-01-13T16:03:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/contrib/GNUtoo/replicant/vendor_replicant/commit/?id=d1b6b455ebb8a5c7adbb0303bae3319aa88a668d'/>
<id>d1b6b455ebb8a5c7adbb0303bae3319aa88a668d</id>
<content type='text'>
The applications built from Replicant are signed with a key that is
generated during the build procedure. The issue is that the data of an
application becomes inaccessible to it if the application signature changes.
This affects all the applications built during and signed during the build
of Replicant images, which includes all system applications.

This is why, during the installation of a new Replicant version, the
otasigcheck.sh is run: it verifies if the application signatures expected
by the applications data match the signatures of the new applications
that are part of the new Replicant image being installed.

Without this check, users installing a new Replicant minor version (like
Replicant 6.0 0004) and keeping the data from the previous minor version
(like Replicant 6.0 0003) with a key that changes will make at least some
system applications like the launcher crash as they will not be able to
access their data.

If the check detects an incompatibility, on a Galaxy SIII (GT-I9300), we
end up with the installation aborting and the following message being displayed
on the screen:
  detected filesystem ext4 for /dev/block/mmcblk0p12
  Can't install this package on top of incompatible data. Ples
  se try another package or run a factory test
  E:Failed to install /sideload/package.zip
  E:Please take note of all the above lines for reports.

This design has several issues:
- You cannot upgrade between Replicant minor versions if the keys signing
  applications shipped in the new version changed. This is really
  problematic as to upgrade, users need to delete all their application
  data and restart creating them from scratch which is very time consuming.
  With frequent updates that would become too time consuming to do.
- It is also very fragile: if the data partition is encrypted,
  otasigcheck.sh cannot do the check, and the check is skipped completely,
  with the consequences explained before (the system applications end up
  not being able to access their data).

To fix that:
- This patch adds a new script (key-migration.sh) to this repository.
  It takes care of migrating the applications data to the new keys during
  the first boot (so after the data partition will have been mounted).
- The call to otasigcheck.sh during the installation of new Replicant
  versions will be removed in the build repository.
- otasigcheck.sh will be removed in this repository in the next commit.
- A Python script generating this key-migration.sh script will be added
  to the vendor_replicant-scripts repository to enable users and developers
  to generate a key-migration.sh script with the keys they want. This
  should make downgrade easier as the key-migration.sh could also be run
  manually in the recovery and make the migration to self-built images much
  easier.

Also, the otasigcheck.sh script has already been removed in LineageOS 17.1
by the following commit in vendor/lineage:
  commit 95621f3c73b94a87ca4528748535bb114ae1613f
  Author: Michael Bestas &lt;mkbestas@lineageos.org&gt;
  Date:   Sat Aug 4 17:46:35 2018 +0300

      Revert "ota: Validate any installed data's signature against our own"

      * otasigcheck doesn't work on encrypted devices and makes
        the zip installation fail since oreo.
      * The build part of this was never ported to oreo.

      This reverts commit aff5e54c4ef5fec7e67e830f83ee64424005d07c.

      Change-Id: I411f33c1db64844091c1692ef4706ae541925d4f

This key-migration.sh script has been generated by the following command in
the Replicant source code directory:
    $ ./vendor/replicant-scripts/images/gen_key_migration_script/gen_key_migration_script.py \
      gen-script \
      vendor/replicant/prebuilt/common/bin/key-migration.sh \
      vendor/replicant-data/distros/releases/certificates/ \
      vendor/replicant-security/

This work is based on the following commit from the android_vendor_cm
repository[1]:
    2f7c7decc Add startup script to update the package signatures
    commit 2f7c7decc4cd5b42f044a7841a74468e4cacd694 (refs/changes/27/156327/3)
    Author: Gabriele M &lt;moto.falcon.git@gmail.com&gt;
    Date:   Fri Jan 13 17:03:45 2017 +0100

        Add startup script to update the package signatures

        This allows to jump straight to LineageOS without wiping
        userdata first.

        Change-Id: I208bcada9380cbd69f3bec6c64e3c9e0eb1104c8

[1] https://github.com/LineageOS/android_vendor_cm.git

Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The applications built from Replicant are signed with a key that is
generated during the build procedure. The issue is that the data of an
application becomes inaccessible to it if the application signature changes.
This affects all the applications built during and signed during the build
of Replicant images, which includes all system applications.

This is why, during the installation of a new Replicant version, the
otasigcheck.sh is run: it verifies if the application signatures expected
by the applications data match the signatures of the new applications
that are part of the new Replicant image being installed.

Without this check, users installing a new Replicant minor version (like
Replicant 6.0 0004) and keeping the data from the previous minor version
(like Replicant 6.0 0003) with a key that changes will make at least some
system applications like the launcher crash as they will not be able to
access their data.

If the check detects an incompatibility, on a Galaxy SIII (GT-I9300), we
end up with the installation aborting and the following message being displayed
on the screen:
  detected filesystem ext4 for /dev/block/mmcblk0p12
  Can't install this package on top of incompatible data. Ples
  se try another package or run a factory test
  E:Failed to install /sideload/package.zip
  E:Please take note of all the above lines for reports.

This design has several issues:
- You cannot upgrade between Replicant minor versions if the keys signing
  applications shipped in the new version changed. This is really
  problematic as to upgrade, users need to delete all their application
  data and restart creating them from scratch which is very time consuming.
  With frequent updates that would become too time consuming to do.
- It is also very fragile: if the data partition is encrypted,
  otasigcheck.sh cannot do the check, and the check is skipped completely,
  with the consequences explained before (the system applications end up
  not being able to access their data).

To fix that:
- This patch adds a new script (key-migration.sh) to this repository.
  It takes care of migrating the applications data to the new keys during
  the first boot (so after the data partition will have been mounted).
- The call to otasigcheck.sh during the installation of new Replicant
  versions will be removed in the build repository.
- otasigcheck.sh will be removed in this repository in the next commit.
- A Python script generating this key-migration.sh script will be added
  to the vendor_replicant-scripts repository to enable users and developers
  to generate a key-migration.sh script with the keys they want. This
  should make downgrade easier as the key-migration.sh could also be run
  manually in the recovery and make the migration to self-built images much
  easier.

Also, the otasigcheck.sh script has already been removed in LineageOS 17.1
by the following commit in vendor/lineage:
  commit 95621f3c73b94a87ca4528748535bb114ae1613f
  Author: Michael Bestas &lt;mkbestas@lineageos.org&gt;
  Date:   Sat Aug 4 17:46:35 2018 +0300

      Revert "ota: Validate any installed data's signature against our own"

      * otasigcheck doesn't work on encrypted devices and makes
        the zip installation fail since oreo.
      * The build part of this was never ported to oreo.

      This reverts commit aff5e54c4ef5fec7e67e830f83ee64424005d07c.

      Change-Id: I411f33c1db64844091c1692ef4706ae541925d4f

This key-migration.sh script has been generated by the following command in
the Replicant source code directory:
    $ ./vendor/replicant-scripts/images/gen_key_migration_script/gen_key_migration_script.py \
      gen-script \
      vendor/replicant/prebuilt/common/bin/key-migration.sh \
      vendor/replicant-data/distros/releases/certificates/ \
      vendor/replicant-security/

This work is based on the following commit from the android_vendor_cm
repository[1]:
    2f7c7decc Add startup script to update the package signatures
    commit 2f7c7decc4cd5b42f044a7841a74468e4cacd694 (refs/changes/27/156327/3)
    Author: Gabriele M &lt;moto.falcon.git@gmail.com&gt;
    Date:   Fri Jan 13 17:03:45 2017 +0100

        Add startup script to update the package signatures

        This allows to jump straight to LineageOS without wiping
        userdata first.

        Change-Id: I208bcada9380cbd69f3bec6c64e3c9e0eb1104c8

[1] https://github.com/LineageOS/android_vendor_cm.git

Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
