In my previous posts, I explained how to create a properly signed OTA package that will pass recovery's signature check, and how to verify the signed OTA package before applying it. Here, we'll discuss how to sign the platform and recovery image properly to match those signature checks when building a production AOSP platform.

In the following discussion, we assume you have a key pair: platform.x509.pem and, which you'll use to sign the OTA package. Suppose the keys are stored in a directory with path $KEYS. I'm using the Nexus 5 (hammerhead) as an example below, but the practice should be easy to apply to other devices.

Platform OTA Certificates

When you verify an OTA package's signature using Android's RecoverySystem.verifyPackage utility, that function actually checks against the certificates stored in /system/etc/security/ So if you want to push OTA updates later, you'll have to generate the proper certificates when building the platform.

You can accomplish this by specifying PRODUCT_OTA_PUBLIC_KEYS in your device's Makefile (device/lge/hammerhead/ in my case).


The build process will then store this location in META/otakeys.txt in the unsigned zip file. When you sign the target files using the sign_target_files_apks tool, it will generate the proper OTA certificates based on the otakeys provided. If PRODUCT_OTA_PUBLIC_KEYS is not defined, it will just use the release key, which is probably not the key you used to sign the OTA packages.
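To catch the release-key fallback described above before shipping a build, you can compare the certificate you sign OTA packages with against the certificates the signed platform actually carries. The script below is an added example, not code from this post or from AOSP; it assumes the certificate archive taken from /system/etc/security/ is a zip of PEM certificates, and the sample certificates and file names in it are constructed stand-ins.

```python
import base64
import hashlib
import io
import re
import zipfile

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_text):
    """SHA-256 of the DER bytes of every certificate found in a PEM string."""
    return {hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)}

def zip_fingerprints(zip_bytes):
    """Fingerprints of every certificate stored in a certificate zip."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            found |= pem_fingerprints(zf.read(name).decode("ascii", "ignore"))
    return found

def ota_key_trusted(signing_cert_pem, cert_zip_bytes):
    """True only if the OTA signing certificate is in the platform's set."""
    wanted = pem_fingerprints(signing_cert_pem)
    return bool(wanted) and wanted <= zip_fingerprints(cert_zip_bytes)

def fake_pem(seed):
    """Constructed stand-in for a certificate: arbitrary bytes in PEM armor."""
    body = base64.encodebytes(hashlib.sha256(seed).digest() * 8).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def make_zip(entries):
    """Build an in-memory zip from {file name: PEM text} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()

# Constructed sample data; file names inside the zips are hypothetical.
PLATFORM = fake_pem(b"platform")
RELEASE = fake_pem(b"release")
WITH_OTA_KEYS = make_zip({"platform.x509.pem": PLATFORM})
WITHOUT_OTA_KEYS = make_zip({"releasekey.x509.pem": RELEASE})

if __name__ == "__main__":
    print(ota_key_trusted(PLATFORM, WITH_OTA_KEYS))     # OTA key was configured
    print(ota_key_trusted(PLATFORM, WITHOUT_OTA_KEYS))  # release-key fallback
```

With real files, pass the text of $KEYS/platform.x509.pem and the bytes of the certificate zip extracted from the signed build; a False result means packages signed with that key will fail RecoverySystem.verifyPackage on the device.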

Recovery Signature Verification

When you programmatically apply an OTA package using the RecoverySystem.installPackage function, it will boot the device into recovery mode and let the recovery do the update. The recovery will first check the signature of the OTA package. So when building the platform, you'll also need to specify the extra recovery keys by defining PRODUCT_EXTRA_RECOVERY_KEYS.


After setting PRODUCT_OTA_PUBLIC_KEYS and PRODUCT_EXTRA_RECOVERY_KEYS, you should be able to pass all signature verifications and successfully apply the OTA update.