update signing / delta examples

Daniel Micay 2022-05-08 18:45:28 -04:00
parent 417dc08dcb
commit 6e719f3f52

@ -527,9 +527,9 @@ vendor/adevtool/bin/run ota-firmware vendor/adevtool/config/DEVICE.yml -f vendor
<pre>source script/envsetup.sh</pre>
<p>Select the desired build target (<code>redfin</code> is the Pixel 5):</p>
<p>Select the desired build target (<code>raven</code> is the Pixel 6 Pro):</p>
<pre>choosecombo release redfin user</pre>
<pre>choosecombo release raven user</pre>
<p>For a development build, you may want to replace <code>user</code> with
<code>userdebug</code> in order to have better debugging support. Production builds
@ -645,11 +645,11 @@ vendor/adevtool/bin/run ota-firmware vendor/adevtool/config/DEVICE.yml -f vendor
<p>The encryption passphrase for all the keys generated for a device needs to
match for compatibility with the GrapheneOS scripts.</p>
<p>To generate keys for redfin (you should use unique keys per device
<p>To generate keys for raven (you should use unique keys per device
variant):</p>
<pre>mkdir -p keys/redfin
cd keys/redfin
<pre>mkdir -p keys/raven
cd keys/raven
../../development/tools/make_key releasekey '/CN=GrapheneOS/'
../../development/tools/make_key platform '/CN=GrapheneOS/'
../../development/tools/make_key shared '/CN=GrapheneOS/'
@ -664,7 +664,7 @@ cd ../..</pre>
<p>Generate a signify key for signing factory images:</p>
<pre>signify -G -n -p keys/redfin/factory.pub -s keys/redfin/factory.sec</pre>
<pre>signify -G -n -p keys/raven/factory.pub -s keys/raven/factory.sec</pre>
<p>Remove the <code>-n</code> switch to set a passphrase. The <code>signify</code>
tool doesn't provide a way to change the passphrase without generating a new key, so
@ -679,7 +679,7 @@ cd ../..</pre>
<p>You can (re-)encrypt your signing keys using the <code>encrypt_keys</code> script,
which will prompt for the old passphrase (if any) and new passphrase:</p>
<pre>script/encrypt_keys.sh keys/redfin</pre>
<pre>script/encrypt_keys.sh keys/raven</pre>
<p>The <code>script/decrypt_keys.sh</code> script can be used to remove encryption,
which is not recommended. The script exists primarily for internal usage to decrypt
@ -723,10 +723,10 @@ cd ../..</pre>
<p>Generate a signed release build with the release.sh script:</p>
<pre>script/release.sh redfin</pre>
<pre>script/release.sh raven</pre>
<p>The factory images and update package will be in
<code>out/release-redfin-$BUILD_NUMBER</code>. The update zip performs a full OS
<code>out/release-raven-$BUILD_NUMBER</code>. The update zip performs a full OS
installation so it can be used to update from any previous version. More efficient
incremental updates are used for official over-the-air GrapheneOS updates and can be
generated by keeping around past signed <code>target_files</code> zips and generating
@ -769,34 +769,16 @@ cd ../..</pre>
delta updates by passing the device, source version build number and target version
build number. For example:</p>
<pre>script/generate_delta.sh redfin 2021102503 2021102613</pre>
<pre>script/generate_delta.sh raven 2021102503 2021102613</pre>
<p>The script assumes that the releases are organized in the following directory
structure:</p>
<pre>releases
├── 2021102503
│   └── release-redfin-2021102503
│   ├── otatools
│   ├── redfin-beta
│   ├── redfin-factory-2021102503.zip
│   ├── redfin-factory-2021102503.zip.sig
│   ├── redfin-img-2021102503.zip
│   ├── redfin-ota_update-2021102503.zip
│   ├── redfin-stable
│   ├── redfin-target_files-2021102503.zip
│   └── redfin-testing
└── 2021102613
└── release-redfin-2021102613
├── otatools
├── redfin-beta
├── redfin-factory-2021102613.zip
├── redfin-factory-2021102613.zip.sig
├── redfin-img-2021102613.zip
├── redfin-ota_update-2021102613.zip
├── redfin-stable
├── redfin-target_files-2021102613.zip
└── redfin-testing</pre>
├── 2022050700
│   └── release-raven-2022050700
└── 2022050800
└── release-raven-2022050800</pre>
<p>Incremental updates are uploaded alongside the update packages and update metadata
on the static web server used as an update server. The update client will
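
Review bot: the new example command in this hunk still passes the build numbers 2021102503 and 2021102613, while the replacement directory tree right below it lists 2022050700 and 2022050800, so the command no longer matches the layout it is meant to illustrate. Suggest changing the example to `script/generate_delta.sh raven 2022050700 2022050800` so both refer to the same pair of releases. The shortened tree also drops the per-release file listing; the removed lines showed the signed `target_files` zip sitting inside each release directory, and the surrounding text says deltas are generated from those zips, so consider keeping that one entry under each `release-raven-*` directory to show what must be retained.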