AOSP building: replace my own keys with default test-keys

Question

I am building AOSP and I want to sign the build with my own key. There is some official doc about this process here.

But I wonder if I can simply turn around all of that

Answer 1

First, make sure the build has re-signed the apps. You may have to do a make clean to get rid of the previous artifacts.

Also check the Android.mk files for your bundled system apps (like in packages/apps or wherever you may have put them). Where you see this line:

LOCAL_CERTIFICATE := PRESIGNED

replace it with this instead:

LOCAL_CERTIFICATE := platform

This will let the build re-sign your system apps with the key they'll be checked against.

While using the same key for shared, media, testkey, platform will work (in the sense that your system should boot and function), it removes a layer of isolation from apps built with those keys. In particular, non-system apps that are normally signed with the testkey will now be signed with the same key as platform. This will give them access to system app data and code and also give them heightened privileges (like not having to ask the user for confirmation to use the camera or access their files). I don't think that's recommended.

Answer 2

One suggestion:

If you don't want to keep your private keys in source control together with the aosp code, you can define a path to them in your device mk:

PRODUCT_DEFAULT_DEV_CERTIFICATE :=  /home/my_user/release_keys_folder/releasekey
PRODUCT_VERITY_SIGNING_KEY := /home/my_user/release_keys_folder/verity