The signing process must take place in a secure environment where access to the private key is restricted. Usually, a development server generates the artifacts, but they are signed externally in a secure environment. The required artifacts to sign externally are:

The Android sources include these signing tools. Some are scripts and others are source files that must be compiled. To use them, you have to install the sources and build your project, so that you get the required binaries from the code.

Follow these steps to externally sign and create the release artifacts in a secure environment:

1. Set up the secure server:

1. Set up your environment and install the sources. If you have not already done so, see Set up your development workstation and Install Digi Embedded for Android.

2. Change to the directory where the source code is installed.

$ cd dea-11.0-r2

3. Initialize the build environment:

$ source build/envsetup.sh
4. Select a ConnectCore 8M Mini target to build:

• ccimx8mmdvk-user creates images with no root access, suitable for production.

• ccimx8mmdvk-userdebug creates images like the user images, but with root access and debug capability.

 For more information about build types, go to Choosing a target.

For production, use the user build type:

$ lunch ccimx8mmdvk-user

============================================
PLATFORM_VERSION_CODENAME=REL
PLATFORM_VERSION=11
TARGET_PRODUCT=ccimx8mmdvk
TARGET_BUILD_VARIANT=user
TARGET_BUILD_TYPE=release
TARGET_ARCH=arm64
TARGET_ARCH_VARIANT=armv8-a
TARGET_CPU_VARIANT=cortex-a53
TARGET_2ND_ARCH=arm
TARGET_2ND_ARCH_VARIANT=armv7-a-neon
TARGET_2ND_CPU_VARIANT=cortex-a9
HOST_ARCH=x86_64
HOST_2ND_ARCH=x86
HOST_OS=linux
HOST_OS_EXTRA=Linux-4.15.0-142-generic-x86_64-Ubuntu-18.04.5-LTS
HOST_CROSS_OS=windows
HOST_CROSS_ARCH=x86
HOST_CROSS_2ND_ARCH=x86_64
HOST_BUILD_TYPE=release
BUILD_ID=RP1A.201005.004
OUT_DIR=out
PRODUCT_SOONG_NAMESPACES=device/generic/goldfish device/generic/goldfish-opengl external/mesa3d vendor/nxp-opensource/imx/power hardware/google/pixel vendor/partner_gms hardware/google/camera vendor/nxp-opensource/imx/camera
============================================
2. Copy the ccimx8mmdvk-target_files-<build_id>.zip file to the secure server where the private release keys are also accessible. See Build your custom distribution to learn how to get these files.

For example, you can copy it to the home directory. In this case, you have:

$ ls -l ~
drwxrwxr-x 10 user user 4096 may 22 11:31 android-certs
-rw-rw-r-- 1 user user 1161132523 may 22 11:35 ccimx8mmdvk-target_files-<build_id>.zip

3. Sign the target_files zip with your private key:

$ sign_target_files_apks \
    -o \
    -d ~/android-certs \
    ~/ccimx8mmdvk-target_files-<build_id>.zip \
    ~/signed-target_files.zip
4. With the target_files already signed you can:

• Generate your raw images:

$ img_from_target_files \
    --additional 'IMAGES/product.img:product.img' \
    --additional 'IMAGES/super_empty.img:super_empty.img' \
    --additional 'IMAGES/system.img:system.img' \
    --additional 'IMAGES/system_ext.img:system_ext.img' \
    --additional 'IMAGES/vendor.img:vendor.img' \
    ~/signed-target_files.zip \
    ~/signed-img.zip

• Create a signed update package:

• A full update package:

$ ota_from_target_files \
    -k ~/android-certs/releasekey \
    ~/signed-target_files.zip \
    ~/full-ota-update.zip
• An incremental update package:

$ ota_from_target_files \
    -k ~/android-certs/releasekey \
    -i ~/A-signed-target_files.zip ~/B-signed-target_files.zip \
    ~/A_to_B-incremental-ota-update.zip

• Generate the OTA configuration file:

To execute it you must add the release tools to the PYTHONPATH:

$ PYTHONPATH=$ANDROID_BUILD_TOP/build/make/tools/releasetools:$PYTHONPATH \
    bootable/recovery/updater_sample/tools/gen_update_config.py \
    --ab_install_type=STREAMING \
    --ab_force_switch_slot \
    full-ota-update.zip \
    full-ota-update.json \
    http://foo.bar/ota-builds/full-ota-update.zip
 For more information, see https://source.android.com/devices/tech/ota/sign_builds.
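
A check worth running on ~/signed-target_files.zip after the signing step and before generating images or update packages, given here as an added example (it is not part of the Digi or AOSP tooling): it confirms that no build property still carries a test-keys or dev-keys tag and that the OTA trust store holds only your release certificate. The archive paths SYSTEM/build.prop and SYSTEM/etc/security/otacerts.zip, the single-certificate policy, the function names and the sample data are assumptions.

```python
import io
import zipfile

# Assumed AOSP target_files layout (not stated on this page).
BUILD_PROP = "SYSTEM/build.prop"
OTACERTS = "SYSTEM/etc/security/otacerts.zip"
DEV_TAGS = ("test-keys", "dev-keys")

# Constructed placeholder certificates, used only by the demo below.
RELEASE = b"-----BEGIN CERTIFICATE-----\nUkVMRUFTRQ==\n-----END CERTIFICATE-----\n"
TESTKEY = b"-----BEGIN CERTIFICATE-----\nVEVTVA==\n-----END CERTIFICATE-----\n"


def check_signed_target_files(tf_zip, release_cert_pem):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    with zipfile.ZipFile(tf_zip) as tf:
        # 1. No build property may still carry a development key tag.
        for line in tf.read(BUILD_PROP).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and not key.startswith("#") and any(t in value for t in DEV_TAGS):
                findings.append(f"dev key tag in {key.strip()}")
        # 2. Assumed policy: the OTA trust store holds only the release certificate.
        with zipfile.ZipFile(io.BytesIO(tf.read(OTACERTS))) as certs:
            trusted = [certs.read(name).strip() for name in certs.namelist()]
        if trusted != [release_cert_pem.strip()]:
            findings.append("otacerts.zip does not match the release certificate")
    return findings


def make_sample(tags, cert):
    """Build a constructed, in-memory target_files zip (hypothetical helper)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("releasekey.x509.pem", cert)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(BUILD_PROP, f"# constructed sample\nro.build.tags={tags}\nro.build.type=user\n")
        z.writestr(OTACERTS, inner.getvalue())
    outer.seek(0)
    return outer


if __name__ == "__main__":
    # A correctly signed sample, then one still carrying the test key.
    print(check_signed_target_files(make_sample("release-keys", RELEASE), RELEASE))
    print(check_signed_target_files(make_sample("test-keys", TESTKEY), RELEASE))
```

On the secure server, pass the path of the signed zip and the bytes of your release certificate instead of the constructed samples.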