| 27 Jan 2025 |
 pentane (DECT CYPT/2978) | You can find the script here: https://github.com/LineageOS/scripts/blob/main/key-migration/migration.sh | 20:57:10 |
 atemu12 | Oops, I had the wrong link | 20:57:10 |
| atemu12 | No wait, I didn't | 20:57:44 |
| atemu12 | ^^' | 20:57:51 |
| pentane (DECT CYPT/2978) | It's the same but slightly different anchors | 20:57:55 |
 autra | Thanks! Is it compulsory even if I don't plan to relock the bootloader and I'm fine with the warning at boot? | 20:58:04 |
| pentane (DECT CYPT/2978) | It's needed if you want to keep your data | 20:58:16 |
| pentane (DECT CYPT/2978) | If you're okay with wiping your phone, then you don't need to migrate keys | 20:58:28 |
| atemu12 | Signing isn't cumpulsory though; I don't sign my builds for instance and just use test keys | 20:58:32 |
| autra | ok so if I understand correctly, either I keep my signed build but follow the migration instruction, or I rebuild with signing disabled. | 21:00:21 |
| atemu12 | No, you need to migrate either way | 21:00:34 |
| atemu12 | Signing cannot be disabled I think | 21:00:45 |
| pentane (DECT CYPT/2978) | Wait a sec, there seems to be some confusion as to what "signing" means here: | 21:01:10 |
| atemu12 | It falls back to test keys which are effectively unsigned because the private key is public but technically still a signature | 21:01:12 |
| pentane (DECT CYPT/2978) | When you build a LineageOS image, the system image is cryptographically signed. There are three options for the keys the image can be signed with:
- the official LineageOS keys (
release-keys). We don't have access to them, so the only images signed with these keys are the official LineageOS builds.
- the test keys (
test-keys). These keys are publicly available, and Robotnix uses them by default.
- your own release keys.
| 21:03:24 |
| pentane (DECT CYPT/2978) | When you run LineageOS and install apps that save stuff to your phone, that data is somehow "coupled" to the keys your LineageOS install was signed with (don't ask me about the details though). If you try to boot a LineageOS install with an image that was signed with different build keys than the ones your user data was coupled to, it will complain and not boot. | 21:04:52 |
| pentane (DECT CYPT/2978) | * When you run LineageOS and install apps that save stuff to your phone, that data is somehow "coupled" to the keys your LineageOS install was signed with (don't ask me about the details though). If you try to boot a LineageOS install with an image that was signed with different build keys than the ones your user data was coupled to, it will complain and not boot (I believe). | 21:05:58 |
| pentane (DECT CYPT/2978) | In that case, you have two options:
- you can wipe your userdata partition and start over with the new keys
- or you can migrate your userdata from the keys of your old install to your new install
| 21:06:15 |
| pentane (DECT CYPT/2978) | in your case, you probably had an official LineageOS build install first, and now your userdata is coupled to the official LineageOS release-keys. If you want to install a robotnix-built LOS image with the test-keys, you need to run the migration script to change your keys from release-keys to test-keys. | 21:08:10 |
| pentane (DECT CYPT/2978) | What I did was:
- enable rooted debugging; run
adb root
- copy
migration.sh to the phone
- run
stop inside adb shell to shut down all user-facing system components
- run
./migration.sh unofficial inside the adb shell
- quit the ADB shell and run
adb reboot recovery
- sideload the Robotnix-built OTA zip
| 21:10:13 |
| pentane (DECT CYPT/2978) | Man, we should write a guide about this some day :D | 21:10:47 |
| atemu12 | Yes, PRs welcome :) | 21:10:59 |
| autra | thanks cyclopentane ⭔ and Atemu it's really clear! | 21:11:18 |
| pentane (DECT CYPT/2978) | happy to hear that :) | 21:11:30 |
| atemu12 | :) | 21:11:36 |
| autra | I can have a go at documenting that. Good first contrib ;-) | 21:11:48 |
| autra | is it related to the avb keys in step 4 of https://docs.robotnix.org/installation.html ? | 21:12:03 |
| pentane (DECT CYPT/2978) | isn't AVB disabled on Lineage by default? | 21:12:55 |
| pentane (DECT CYPT/2978) |
The following instructions are specific to Pixel phones using either the Vanilla or GrapheneOS flavors. For LineageOS, please refer to upstream device-specific documentation on how to install LineageOS builds on your device.
Ah yes, seems to be that way
| 21:13:06 |
| atemu12 | No that's for when you've signed your own build with your own key and want to enable verified boot | 21:13:19 |
