diff --git a/static/build.html b/static/build.html index 9e5825a2..2270c5e0 100644 --- a/static/build.html +++ b/static/build.html @@ -65,6 +65,7 @@
The avb_pkmd.bin
file isn't needed for generating a signed release but
rather to set the public key used by the device to enforce verified boot.
For Android 10, there's a new networkstack
key and you need to
+ generate one to avoid using the test key. For example, with crosshatch (needs to be
+ done for each set of device keys):
cd keys/crosshatch +../../development/tools/make_key networkstack '/CN=GrapheneOS/'+ +
GrapheneOS disables updatable APEX components for the officially supported
+ devices and targets inheriting from the mainline target. GrapheneOS uses the
+ TARGET_FLATTEN_APEX := true
format to include APEX components as part of
+ the base OS without supporting out-of-band updates. If you don't disable updatable
+ APEX packages, you need to generate an APK and AVB key for each APEX component and
+ extend the GrapheneOS release.sh script to pass the appropriate parameters to replace
+ the APK and AVB keys for each APEX component. APEX components that are not flattened
+ are a signed APK (used for verify updates) with an embedded filesystem using verified
+ boot with the AVB key. Each APEX package must have a unique set of keys. GrapheneOS
+ has no use for these out-of-band updates at this time and flattening APEX components
+ avoids needing a bunch of extra keys and complexity.
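Review bot: In the APEX paragraph, "a signed APK (used for verify updates)" should read "used to verify updates", and the list of what must be replaced per component should stay consistent with the earlier sentence: it first says "an APK and AVB key for each APEX component", so the parenthetical might spell out that the APK signature covers the update while the AVB key covers the embedded filesystem, which the following sentence already implies. The make_key snippet is also worth a one-line caveat right after it, since the surrounding text says the step "needs to be done for each set of device keys" but the example shows only the crosshatch directory; a sentence such as "Repeat this in each keys/<device> directory" would make the per-device requirement explicit next to the command rather than only in the sentence before it.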