| 8 Nov 2025 |
pentane ⭔ | also, I'm a bit confused. shouldn't sign_target_files_apks have complained about the missing gmscompat_lib key in your case (see https://github.com/GrapheneOS/script/blob/16/generate-keys#L16)? | 22:27:13 |
| 9 Nov 2025 |
puffnfresh | Error getting public key: b'Could not open file or uri for loading private key of public key from packages/modules/Virtualization/build/apex/com.android.virt.pem: No such file or directory\n' | 04:41:44 |
puffnfresh | at the time, I hadn't specified that as an extra-apk, and specifying it solved the problem - so I think it's opposite to what you're saying | 04:42:20 |
puffnfresh | I actually generated my keys from the official scripts, so I do have that | 07:22:11 |
puffnfresh | and that's why the PR includes support for 4096 keys - that's what I'm using | 07:22:28 |
puffnfresh | I haven't tested Robotnix's key generation since my first attempt at signing, so gmscompat_lib being missing would probably be a problem | 07:23:25 |
pentane ⭔ | Okay it seems like we're talking about two different things | 09:53:58 |
pentane ⭔ | this error message refers to the payload private key of the APEX in question | 09:57:12 |
pentane ⭔ | the test-keys variant of that payload private key is present in the GrapheneOS source tree (see https://github.com/GrapheneOS/platform_packages_modules_Virtualization/tree/16/build/apex), but not in the otaTools derivation which releaseScript cds into | 09:59:45 |
pentane ⭔ | okay, scratch that. so I investigated this, and it seems like the otatools AOSP build target (i.e. otatools.zip in the config.build.android version) erroneously doesn't include the APEX payload test keys | 10:05:23 |
pentane ⭔ | so that was the reason for why you were getting these error messages | 10:05:33 |
pentane ⭔ | I don't see rn though why there should be a guarantee that this happens consistently (for instance, looking into the otaTools derivation, the APEX container test keys are there, and likewise for the normal APK signing keys) | 10:06:47 |
pentane ⭔ | if you're interested - I'm currently experimenting with patching sign_target_files_apks to throw error messages if one of the test keys hasn't been replaced. Don't think we should do that in production though, I'd probably write a small validation program in Rust that takes META/apkcerts.txt and META/apexkeys.txt, and the signTargetFilesArgs from target_files.zip as an option to check whether the args exhaustively cover all the keys | 10:09:06 |
pentane ⭔ | FWIW here's my current patch for https://github.com/GrapheneOS/platform_build: | 10:10:03 |
pentane ⭔ | Download debug.patch | 10:10:36 |
pentane ⭔ | Oh and we should also write a better abstraction for the non-standard keys, it kinda pisses me off that we need to specify them separately in keysToGenerate and in keyMappings in modules/signing.nix | 10:22:18 |
pentane ⭔ | https://github.com/nix-community/robotnix/commit/75cf4f78b6fbb3a402a22b848ec967880ddf56f6 https://github.com/nix-community/robotnix/commit/fc99ff973428ef1c2e2bff427ce403d01a5f2b19 | 22:01:43 |
puffnfresh | compiling 2025-11-09 now and will test signing using that branch | 22:17:11 |
pentane ⭔ | (already tested 2025-11-09 on a tegu with the official signing script btw, I'll merge as soon as upstream pushed 2025110800 to stable) | 22:18:03 |
pentane ⭔ | can you save the output of the signing script and post it here? | 22:18:48 |
| 10 Nov 2025 |
puffnfresh | I used the upstream GrapheneOS generation scripts, which use the same keys for everything | 02:19:24 |
puffnfresh | so I don't have things like com.android.tzdata.pem | 02:19:52 |
puffnfresh | so I used the Robotnix generation scripts, generated those, then copied keys/shiba from my keys into the directory | 02:21:15 |
puffnfresh | so it's a bit of a mess, I guess - but the scripts run fine after doing that | 02:21:28 |