Smartphone targets:
Arch Linux, Debian buster and Ubuntu 20.04 LTS are the officially supported operating systems for building GrapheneOS.
@@ -281,9 +290,9 @@The signify tool (with the proper naming) is also required for signing
factory images zips.
Since this is syncing the sources for the entire operating system and application layer, it will use a lot of bandwidth and storage space.
@@ -292,9 +301,9 @@ for developing a feature. It's easier to port between stable tags that are known to work properly than dealing with a moving target. -The 10 branch is the only active development branch for GrapheneOS
development. Older branches are no longer maintained. It is currently used for all
@@ -311,9 +320,9 @@ repo sync -j32
repo sync command again to continue from where it was interrupted. It
handles connection failures robustly and you shouldn't start over from scratch.
Pick a specific release for a device from the releases page and download the source tree. Note that some devices use different Android Open Source @@ -344,9 +353,9 @@ cd ../..
Note that the repo command itself takes care of updating itself and uses gpg to verify by default.
-To update the source tree, run the repo init command again to select
the branch or tag and then run repo sync -j32 again. You may need to add
@@ -356,9 +365,9 @@ cd ../..
need to run repo init again to continue down the same branch since
GrapheneOS only provides a stable history via tags.
The kernel needs to be built in advance, since it uses a separate build system.
@@ -395,9 +404,9 @@ git submodule update --init and thekernel/google/crosshatch repository is for the Pixel 3, Pixel 3
XL, Pixel 3a and Pixel 3a XL.
- The build has to be done from bash as envsetup.sh is not compatible with other shells like zsh.
@@ -426,9 +435,9 @@ git submodule update --initexport OFFICIAL_BUILD=true-
To reproduce a past build, you need to export BUILD_DATETIME_FROM_FILE
and BUILD_NUMBER to the values set for the past build. These can be
@@ -449,9 +458,9 @@ git submodule update --init
to the internet, or you will be performing a denial of service attack on our official
update server.
This section does not apply to devices where no extra vendor files are required (HiKey, HiKey 960, emulator, generic targets).
@@ -473,9 +482,9 @@ mv vendor/android-prepare-vendor/DEVICE/BUILD_ID/vendor/google_devices/* vendor/Note that android-prepare-vendor is non-deterministic unless a timestamp parameter is
passed with --timestamp (seconds since Epoch).
Incremental builds (i.e. starting from the old build) usually work for development and are the normal way to develop changes. However, there are cases where changes are @@ -496,9 +505,9 @@ mv vendor/android-prepare-vendor/DEVICE/BUILD_ID/vendor/google_devices/* vendor/
For an emulator build, always use the development build approach below.
-The normal production build process involves building a target files package to be resigned with secure release keys and then converted into factory images and/or an @@ -520,9 +529,9 @@ mv vendor/android-prepare-vendor/DEVICE/BUILD_ID/vendor/google_devices/* vendor/ lot more sense to test it with proper signing keys rather than the default public test keys.
-Keys need to be generated for resigning completed builds from the publicly available test keys. The keys must then be reused for subsequent builds and cannot be @@ -573,9 +582,9 @@ cd ../.. same scripts along with the expectation of it using the same passphrase as the other keys.
-You can (re-)encrypt your signing keys using the encrypt_keys script,
which will prompt for the old passphrase (if any) and new passphrase:
GrapheneOS disables updatable APEX components for the officially supported devices and targets inheriting from the mainline target, so APEX signing keys are not needed @@ -611,9 +620,9 @@ cd ../..
For now, consult the upstream documentation on generating these keys. It will be covered here in the future.
-Build the tool needed to generate A/B updates:
@@ -631,9 +640,9 @@ cd ../.. incremental updates from those to the most recent signedtarget_files
zip.
- Incremental updates shipping only the changes between two versions can be generated as a much more efficient way of shipping updates than a full update package containing