[Feature Request] Signing Key size configurable by ENV

[OdinVex]

docker-lineage-cicd/src/make_key

Line 55 in 6d09a4a

( openssl genrsa -f4 2048 | tee "${one}" > "${two}" ) &

LineageOS states at https://wiki.lineageos.org/signing_builds:

LineageOS 19.1 and above will also require APEXes be re-signed. Each APEX file is signed with two keys: one for the mini file system image within an APEX and the other for the entire APEX. In this case, only SHA256_RSA4096 keys are allowed, default is SHA256_RSA2048. So you need to make a copy of ./development/tools/make_key file and edit to use SHA256_RSA4096.

Would it be agreeable that this could be configured via an ENV such as "MAKEKEY_SIZE=4096" or something? It might be a nice option for people that build with different requirements using generated keys each build. If not, that's alright.

[petefoth]

As our README states

The project is therefore - in the opinion of the currently active maintainers - essentially 'feature complete' and in 'maintenance' mode.

This feature isn't something that we need to do for our builds, and we don't have time or resources to work on 'nice to have (maybe)' features like this. If you want to try, you can fork our repo, make and test the changes you want, If they work for you and you can show that they won't break our main goal of delivering monthly builds for ~200 devices, then you can submit a Pull Request. We would then decide whether the benefits of including your changes would outweigh any possible risks.

Sorry but I don't think so. Our builds are signed using the LineageOS tools and build scripts. You have quoted from their wiki which states the requirements for keys. Sorry of this isn't what you wanted to hear

[OdinVex]

This feature isn't something that we need to do for our builds

I've already edited my entrypoint to include a sed to change it to 4096 so the issue is resolved for me. As for LOS 19.1+ requiring it would those builds be alright then? Maybe I'm misunderstanding LOS documentation. I was quite tired when I read it.

[petefoth]

I guess I read the same LineageOS documentation, and I raised #646 as a response, so that I didn't lose sight of the issue.

Since then we have been making builds which run and which update OTA without any problems, so my estimate is that we don't need to do anything more than we already do. I should probably close #646: either we don't need to sign APEX files during the build, or we are already doing so, presumably through using LOS's build scripts and / or makefiles.

So unless I am wrong (which is definitely possible 😄) I don't think we need this feature

[OdinVex]

LOS's scripts sign at 4096, I just happen to recall that from earlier but it does that with test keys I saw. I might be mistaken. Are there any devices that don't support 4096?

[petefoth]

Sorry - I have no idea

[petefoth]

More than a month with no activity. I'll close this in the next few days:. As I said above

This feature isn't something that we need to do for our builds, and we don't have time or resources to work on 'nice to have (maybe)' features like this.

[OdinVex]

To anyone coming across this that needs it, remove your keys and temporarily run with entrypoint: /bin/sh -c "sed -i 's|2048|4096|g' /root/make_key && /root/init.sh". (Edit: Or make your own, see init.sh for details on how and where.)