The signing process must take place in a secure environment where access to the private key is restricted. Usually, a development server generates the artifacts, but they are signed externally in a secure environment. The artifacts required to sign externally are:

• The `ccimx8xsbcpro-target_files-<build_id>.zip` generated by a development server. See Build your custom distribution.

• The private keys to sign for release. See Generate your release keys.

• The tools to sign the `target_files` zip and generate the release artifacts.

The Android sources include these signing tools; some are scripts and others are source files that must be compiled. To use them, you have to install the sources and build your project so that you get the required binaries.

Follow these steps to externally sign and create the release artifacts in a secure environment:

1. Set up the secure server:

   1. Set up your environment and install the sources. If you have not already done so, see Set up your development workstation and Install Digi Embedded for Android.

   2. Change to the directory where the source code is installed:

      ```
      $ cd dea-11.0-r2
      ```

   3. Initialize the build environment:

      ```
      $ source build/envsetup.sh
      ```

   4. Select a ConnectCore 8X target to build:

      • `ccimx8xsbcpro-user` creates images with no root access, suitable for production.

      • `ccimx8xsbcpro-userdebug` creates images like the user ones, but with root access and debug capability.

      For more information about build types, go to Choosing a target.

      For production, use the `user` build type:

      ```
      $ lunch ccimx8xsbcpro-user

      ============================================
      PLATFORM_VERSION_CODENAME=REL
      PLATFORM_VERSION=11
      TARGET_PRODUCT=ccimx8xsbcpro
      TARGET_BUILD_VARIANT=user
      TARGET_BUILD_TYPE=release
      TARGET_ARCH=arm64
      TARGET_ARCH_VARIANT=armv8-a
      TARGET_CPU_VARIANT=cortex-a53
      TARGET_2ND_ARCH=arm
      TARGET_2ND_ARCH_VARIANT=armv7-a-neon
      TARGET_2ND_CPU_VARIANT=cortex-a9
      HOST_ARCH=x86_64
      HOST_2ND_ARCH=x86
      HOST_OS=linux
      HOST_OS_EXTRA=Linux-4.15.0-142-generic-x86_64-Ubuntu-18.04.5-LTS
      HOST_CROSS_OS=windows
      HOST_CROSS_ARCH=x86
      HOST_CROSS_2ND_ARCH=x86_64
      HOST_BUILD_TYPE=release
      BUILD_ID=RP1A.201005.004
      OUT_DIR=out
      PRODUCT_SOONG_NAMESPACES=device/generic/goldfish device/generic/goldfish-opengl external/mesa3d vendor/nxp-opensource/imx/power hardware/google/pixel vendor/partner_gms hardware/google/camera vendor/nxp-opensource/imx/camera
      ============================================
      $
      ```
2. Copy the `ccimx8xsbcpro-target_files-<build_id>.zip` file to the secure server, where the private release keys are also accessible. See Build your custom distribution to learn how to get this file.

   For example, you can copy it to the home directory. In this case, you have:

   ```
   $ ls -l ~
   drwxrwxr-x 10 user user       4096 may 22 11:31 android-certs
   -rw-rw-r--  1 user user 1161132523 may 22 11:35 ccimx8xsbcpro-target_files-<build_id>.zip
   ```

3. Sign the `target_files` zip with your private key:

   ```
   $ sign_target_files_apks \
       -o \
       -d ~/android-certs \
       ~/ccimx8xsbcpro-target_files-<build_id>.zip \
       ~/signed-target_files.zip
   ```
4. With the `target_files` zip signed, you can:

   • Generate your raw images:

     ```
     $ img_from_target_files \
         --additional 'IMAGES/product.img:product.img' \
         --additional 'IMAGES/super_empty.img:super_empty.img' \
         --additional 'IMAGES/system.img:system.img' \
         --additional 'IMAGES/system_ext.img:system_ext.img' \
         --additional 'IMAGES/vendor.img:vendor.img' \
         ~/signed-target_files.zip \
         ~/signed-img.zip
     ```

   • Create a signed update package:

     • A full update package:

       ```
       $ ota_from_target_files \
           -k ~/android-certs/releasekey \
           ~/signed-target_files.zip \
           ~/full-ota-update.zip
       ```

     • An incremental update package:

       ```
       $ ota_from_target_files \
           -k ~/android-certs/releasekey \
           -i ~/A-signed-target_files.zip ~/B-signed-target_files.zip \
           ~/A_to_B-incremental-ota-update.zip
       ```

   • Generate the OTA configuration file. To run the script, you must add the release tools to the `PYTHONPATH`:

     ```
     $ PYTHONPATH=$ANDROID_BUILD_TOP/build/make/tools/releasetools:$PYTHONPATH \
         bootable/recovery/updater_sample/tools/gen_update_config.py \
         --ab_install_type=STREAMING \
         --ab_force_switch_slot \
         full-ota-update.zip \
         full-ota-update.json \
         http://foo.bar/ota-builds/full-ota-update.zip
     ```
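
A pre-signing check for the secure server, as an added example (not part of Digi's documentation or the Android release tools): it stops if anything under the key directory is accessible to group or others or owned by another user, or if the copied `target_files` zip does not match a SHA-256 digest recorded on the development server. The function names and the separately delivered digest are assumptions; a key directory with the `drwxrwxr-x` mode shown in the step 2 listing would be rejected.

```bash
#!/usr/bin/env bash
# Added example: checks to run on the secure server before signing.
# Not Digi or AOSP code. Assumes GNU find and sha256sum (Linux host).

# Succeed only if every entry under the key directory is owned by the
# current user and grants no permission bit to group or others.
check_key_dir() {
    local dir="$1" loose
    [ -d "$dir" ] || { echo "missing key directory: $dir" >&2; return 2; }
    # -perm /077 matches an entry with any group/other bit set.
    # Symlinks are skipped because their own mode is always 777 on Linux.
    loose="$(find "$dir" ! -type l \( -perm /077 -o ! -user "$(id -u)" \) -print)"
    if [ -n "$loose" ]; then
        printf 'key material exposed to other users:\n%s\n' "$loose" >&2
        return 1
    fi
}

# Succeed only if the file's SHA-256 equals the expected hex digest.
# Assumption: the digest was recorded on the development server and
# reached the secure server separately from the zip itself.
check_digest() {
    local file="$1" expected actual
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    actual="$(sha256sum "$file" | cut -d' ' -f1)"
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        return 1
    fi
}

# Run both checks; print a confirmation only when signing may proceed.
presign_gate() {
    check_key_dir "$1" && check_digest "$2" "$3" && echo "ok to sign: $2"
}
```

After sourcing the file, run `presign_gate ~/android-certs ~/ccimx8xsbcpro-target_files-<build_id>.zip <expected-sha256>` before step 3, and call `sign_target_files_apks` only if it succeeds.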