In my previous posts, I explained how to create a properly signed OTA package that will pass recovery's signature check, and how to verify the signed OTA package before apply it. Here, we'll discuss, when building an production AOSP platform, how to sign the platform and recovery image properly to match those signature checks.
In following discussions, we assume you have a key pairs:
platform.pk, which you'll use to sign the OTA package. Suppose the keys
are stored in a directory with path
$KEYS. I'm using Nexus 5 (hammerhead) as
an example below but the practice should be easy to apply to other devices.
Platform OTA Certificates
When verify a OTA package's signature using Android's
RecoverySystem.verifyPackage utility, that function actually checks against the
certificates stored in
/system/etc/security/otacerts.zip. So if you want to
push OTA updates later, you'll have to generate the proper certificates when building
You can accomplish this by specifying
PRODUCT_OTA_PUBLIC_KEYS in your device's
device/lge/hammerhead/full_hammerhead.mk in my case).
PRODUCT_OTA_PUBLIC_KEYS := $KEYS
Then the building process will store this location in
unsigned zip file. When you sign the target files using
tool, it will generate the proper ota certificates based on the otakeys
PRODUCT_OTA_PUBLIC_KEYS is not defined, it will just use the
release key, which is probably not what you used to sign the OTA packages.
Recovery Signature Verification
When you programmingly apply a OTA package using
function, it will boot the device into recovery mode and let the recovery do the
update. The recovery will first check the signature of the OTA package. So when
building the platform, you'll also need to specify the extra recovery keys by
PRODUCT_EXTRA_RECOVERY_KEYS := $KEYS
should be able to pass all signature verifications and successfully apply the