The signing process must take place in a secure environment where access to private keys is restricted. Usually, a development server generates the artifacts, which are then signed externally in a secure environment.

The required artifacts to generate signed images are:

1. The private keys to sign for release.

• The AVB keys to sign partitions.

• The OTA and APK keys for applications in the firmware and the generation of the OTA package.

2. The ccimx8mmdvk-target_files-<build_id>.zip generated by a development server to be signed.

3. The tools to sign the target_files zip and generate the release artifacts.

Digi Embedded for Android sources include these signing tools; some are scripts, and others are source files that must be compiled. To use them, you must install the sources and build your project so that the required binaries are produced.

Follow these steps to externally sign and create the release artifacts in a secure environment:

1. Set up the secure server:

1. Set up your environment and install the sources. If you have not already done so, see Set up your development workstation and Install Digi Embedded for Android.

2. Change to the directory where the source code is installed.

$ cd dea-11.0-r2

3. Initialize the build environment:

$ source build/envsetup.sh

4. Select a ConnectCore 8M Mini target to build:

• ccimx8mmdvk-user creates images with no root access, suitable for production.

• ccimx8mmdvk-userdebug creates images like the user images but with root access and debugging capability.

For production, use the user build type:

$ lunch ccimx8mmdvk-user

============================================
PLATFORM_VERSION_CODENAME=REL
PLATFORM_VERSION=11
TARGET_PRODUCT=ccimx8mmdvk
TARGET_BUILD_VARIANT=user
TARGET_BUILD_TYPE=release
TARGET_ARCH=arm64
TARGET_ARCH_VARIANT=armv8-a
TARGET_CPU_VARIANT=cortex-a53
TARGET_2ND_ARCH=arm
TARGET_2ND_ARCH_VARIANT=armv7-a-neon
TARGET_2ND_CPU_VARIANT=cortex-a9
HOST_ARCH=x86_64
HOST_2ND_ARCH=x86
HOST_OS=linux
HOST_OS_EXTRA=Linux-4.15.0-142-generic-x86_64-Ubuntu-18.04.5-LTS
HOST_CROSS_OS=windows
HOST_CROSS_ARCH=x86
HOST_CROSS_2ND_ARCH=x86_64
HOST_BUILD_TYPE=release
BUILD_ID=RP1A.201005.004
OUT_DIR=out
PRODUCT_SOONG_NAMESPACES=device/generic/goldfish device/generic/goldfish-opengl external/mesa3d vendor/nxp-opensource/imx/power hardware/google/pixel vendor/partner_gms hardware/google/camera vendor/nxp-opensource/imx/camera
============================================
$

2. Copy the resources from the development server to the secure server where the private release keys are also accessible. See 3. Build your images to learn how to get these files.

For example, you can copy them to your home directory, /home/<user>. In this case, you have:

$ ls -l ~
drwxrwxr-x 10 user user 4096 may 22 11:31 android-certs
-rw-rw-r-- 1 user user 1161132523 may 22 11:35 ccimx8mmdvk-target_files-<build_id>.zip

3. Sign the target_files zip with your private keys:

$ sign_target_files_apks \
    -o \
    -d ~/android-certs \
    --avb_vbmeta_key ~/android-certs/custom_rsa4096_private.pem \
    --avb_vbmeta_algorithm SHA256_RSA4096 \
    --avb_boot_key ~/android-certs/custom_rsa2048_private.pem \
    --avb_boot_algorithm SHA256_RSA2048 \
    ~/ccimx8mmdvk-target_files-<build_id>.zip \
    ~/signed-target_files.zip

4. With the target_files already signed you can:

• Create the signed images zip:

$ img_from_target_files \
    --additional 'IMAGES/product.img:product.img' \
    --additional 'IMAGES/super_empty.img:super_empty.img' \
    --additional 'IMAGES/system.img:system.img' \
    --additional 'IMAGES/system_ext.img:system_ext.img' \
    --additional 'IMAGES/vendor.img:vendor.img' \
    ~/signed-target_files.zip \
    ~/signed-img.zip

• Create a signed update package:

  • A full update package:

$ ota_from_target_files \
    -k ~/android-certs/releasekey \
    ~/signed-target_files.zip \
    ~/full-ota-update.zip

  • An incremental update package:

$ ota_from_target_files \
    -k ~/android-certs/releasekey \
    -i ~/A-signed-target_files.zip ~/B-signed-target_files.zip \
    ~/A_to_B-incremental-ota-update.zip

  For more information, see Create a signed OTA package.

• Generate the OTA configuration file. To execute it you must add the release tools to the PYTHONPATH:

$ PYTHONPATH=$ANDROID_BUILD_TOP/build/make/tools/releasetools:$PYTHONPATH \
    bootable/recovery/updater_sample/tools/gen_update_config.py \
    --ab_install_type=STREAMING \
    --ab_force_switch_slot \
    full-ota-update.zip \
    full-ota-update.json \
    http://foo.bar/ota-builds/full-ota-update.zip
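Before the signed images leave the secure server, it is worth confirming that vbmeta really carries the release key (custom_rsa4096_private.pem, SHA256_RSA4096) rather than a test key. The following Python script is an added example, not part of the Digi documentation or of the AOSP release tools: it parses the libavb vbmeta header, reports the signing algorithm and the SHA-256 of the embedded public key, and compares them with the values you expect. It assumes signed-img.zip contains vbmeta.img, that the expected digest is the SHA-256 of the file written by avbtool extract_public_key --key ~/android-certs/custom_rsa4096_private.pem --output <file>, and build_sample_vbmeta produces a constructed image so the script can be exercised offline.

```python
import hashlib
import struct
import zipfile

# AvbVBMetaImageHeader (libavb, 256 bytes, big-endian): magic, libavb version major/minor, authentication
# and auxiliary block sizes, algorithm, 11 offset/size/rollback fields, flags, rollback location, release string.
VBMETA_HEADER = struct.Struct("!4sLLQQL11QLL48s80x")
ALGORITHMS = {0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096", 3: "SHA256_RSA8192",
              4: "SHA512_RSA2048", 5: "SHA512_RSA4096", 6: "SHA512_RSA8192"}

def inspect_vbmeta(image: bytes) -> dict:
    """Return the algorithm, key size and SHA-256 of the public key embedded in a vbmeta image."""
    if len(image) < VBMETA_HEADER.size:
        raise ValueError("image shorter than a vbmeta header")
    fields = VBMETA_HEADER.unpack_from(image, 0)
    magic, _major, _minor, auth_size, aux_size, algorithm = fields[:6]
    key_off, key_size = fields[10], fields[11]  # public_key_offset, public_key_size
    if magic != b"AVB0":
        raise ValueError("not a vbmeta image (bad magic)")
    aux_start = VBMETA_HEADER.size + auth_size  # key offset is relative to the auxiliary block
    if key_off + key_size > aux_size or aux_start + aux_size > len(image):
        raise ValueError("public key lies outside the auxiliary data block")
    key = image[aux_start + key_off:aux_start + key_off + key_size]
    # AvbRSAPublicKeyHeader: key_num_bits, n0inv, then modulus and R^2 mod N (key_num_bits/8 bytes each)
    key_bits = struct.unpack_from("!L", key, 0)[0] if key_size >= 8 else 0
    return {"algorithm": ALGORITHMS.get(algorithm, "UNKNOWN(%d)" % algorithm),
            "key_bits": key_bits, "key_sha256": hashlib.sha256(key).hexdigest()}

def vbmeta_matches_release_key(image: bytes, algorithm: str, key_sha256: str) -> bool:
    """True only when vbmeta carries the expected algorithm and the expected public key."""
    info = inspect_vbmeta(image)
    return info["algorithm"] == algorithm and info["key_sha256"] == key_sha256

def vbmeta_from_img_zip(path: str) -> bytes:
    """Read vbmeta.img from the zip written by img_from_target_files (assumed to contain it)."""
    with zipfile.ZipFile(path) as z:
        return z.read("vbmeta.img")

def build_sample_vbmeta(key_bits: int, algorithm: int, seed: bytes) -> bytes:
    """Constructed offline sample: header plus one public key blob, no hash or signature blocks."""
    n_bytes = key_bits // 8
    key = struct.pack("!LL", key_bits, 0) + hashlib.sha256(seed).digest() * (n_bytes // 16)
    header = VBMETA_HEADER.pack(b"AVB0", 1, 0, 0, len(key), algorithm,
                                0, 0, 0, 0, 0, len(key), 0, 0, 0, 0, 0,
                                0, 0, b"constructed sample")
    return header + key

if __name__ == "__main__":  # usage: check_vbmeta.py ~/signed-img.zip SHA256_RSA4096 <sha256 of public key blob>
    import sys
    sys.exit(0 if vbmeta_matches_release_key(vbmeta_from_img_zip(sys.argv[1]), *sys.argv[2:4]) else 1)
```

A non-zero exit status means the algorithm or the key digest does not match the release key, which is the case to catch before the images or the OTA package are published.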