Just wanted to ask a quick question on why there are apparently no signature files and corresponding keys available for the different ROMs out there? There are the checksums, but they don’t provide a proof of authenticity. Particularly for a privacy-focused OS like /e/OS this seems like a strange choice.
Is it not necessary and I’m too paranoid or are there complications with the many ROM-Maintainers out there having to sign all this? Am I overlooking something completely?
It would be great to have an answer on this, as I couldn’t find anything on this forum or the wider internet.
Best Regards and thank you all for your amazing work!
The zips are not separately signed again on the images host - but you can verify the build key that the zip is internally signed with. /e/ should release the pubkey to their releasekey centrally. Then you could obtain that through TLS from a different host than images.ecloud.global and/or ask a handful of existing users to post the pubkey. That protects against a compromise of the images host, but obviously not the build system.
I will need some time to try all this and see if it works for me, but at least from what I can make out at first glance your answer is more than I could have asked for! Again, many thanks, will probably close the topic soon.
/e/OS release pubkey can also be found in the downloadable .zip under /your-eOS-ROM/META-INF/com/android/otacert if you don’t have a phone running /e/OS already.
I generated the checksum using this file and got the same hash value as @tcecyk.
I don’t know if this thread is the right place for it, but I’d welcome people sharing their hash values here so others can compare/verify theirs. Still, it would be great to have a central resource for image signatures.
A signed target-files zip can be converted into a signed OTA update zip
In my current understanding of that docs section, the releasekey verifies the whole OTA zip via a signature in a file footer. As a fallback (if no other key was supplied for this) it also signs individual APKs in the image before they are bundled into the OTA zip - but that is already secondary.
To clarify, that is the (sha256) fingerprint of the RSA pubkey just for comparison, not an image-file checksum. Verifying the signed zip file contents happens in update_verifier.py at rsa_pkcs1v15_verify() where “message” is the zip-file minus the signature byte length.
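The "signature in a file footer" mentioned in the last two posts, as an added example (not code from update_verifier.py, /e/ or any poster in this thread): it locates the signed message and the signature blob in an OTA zip, following the whole-file signature layout checked by AOSP's recovery verifier. The names `split_signed_ota` and `make_sample` are hypothetical, the sample zip and its signature bytes are constructed, and the RSA check against the otacert key is not shown.

```python
import io
import struct
import zipfile

FOOTER_SIZE = 6        # <signature_start:u16> ff ff <comment_size:u16>, little-endian
EOCD_HEADER_SIZE = 22  # fixed part of the zip end-of-central-directory record
EOCD_MAGIC = b"PK\x05\x06"


def split_signed_ota(data: bytes):
    """Return (signed_message, signature_blob) for a whole-file-signed OTA zip."""
    if len(data) < EOCD_HEADER_SIZE + FOOTER_SIZE:
        raise ValueError("too short to carry a signature footer")
    sig_start, marker, comment_size = struct.unpack("<HHH", data[-FOOTER_SIZE:])
    if marker != 0xFFFF:
        raise ValueError("no whole-file signature footer")
    if not FOOTER_SIZE < sig_start <= comment_size:
        raise ValueError("signature offset outside the zip comment")
    eocd_off = len(data) - comment_size - EOCD_HEADER_SIZE
    if eocd_off < 0 or data[eocd_off:eocd_off + 4] != EOCD_MAGIC:
        raise ValueError("EOCD record not where the footer says it is")
    # A second EOCD marker inside the comment could make zip parsers and the
    # verifier disagree about the archive contents, so reject it.
    if EOCD_MAGIC in data[eocd_off + 4:]:
        raise ValueError("EOCD marker inside the comment")
    # Signed bytes: everything up to, but excluding, the 2-byte comment length.
    signed_len = len(data) - comment_size - 2
    signature = data[len(data) - sig_start:len(data) - FOOTER_SIZE]
    return data[:signed_len], signature


def make_sample(signature: bytes = b"\x30" + b"S" * 40) -> bytes:
    """Constructed sample: a tiny zip carrying a dummy (not real) signature blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/com/android/otacert", "constructed placeholder")
    body = buf.getvalue()[:-2]  # drop the empty comment-length field
    size = len(signature) + FOOTER_SIZE
    comment = signature + struct.pack("<HHH", size, 0xFFFF, size)
    return body + struct.pack("<H", len(comment)) + comment


if __name__ == "__main__":
    msg, sig = split_signed_ota(make_sample())
    print(len(msg), "signed bytes,", len(sig), "signature bytes")
```

The returned message is what a verifier hashes and checks against the signature with the release public key; a plain checksum of the download does not replace that step.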