I'm looking at building GrapheneOS with possibly some slight modifications (preinstalled/system apps, custom signing key, possibly change the bootloader animation, etc) and I just had a few questions.

  1. What should I look to procuring for the signature part to be done correctly? Should I get an HSM, or will any YubiKey work to do this to the same extent?
  2. Are there any guides to basic modifications for stuff such as adding apps preinstalled to be available OOTB?
  3. Is there a way to modify the "Apps" app to accomplish this instead, so the apps aren't actively installed, but could be? Possibly disabled but preloaded?

Some examples of things I thought of trying out, mostly for experience:

  1. Preinstall Bitwarden so signing in can be done immediately, then accounts can be pulled to sign into other apps, like Google Play (if applicable).
  2. Install Aurora Services (maybe similar to how Google Play Services is loaded disabled?), so that Aurora Store can update apps in the background just like Google Play does.
  3. Add a couple other apps to the "Apps" app, like Cloudflare's WARP app.
  4. A way to "update" said Apps app as well, since this may change down the road. Not sure if that's going to require a lot more finesse since it's already part of GrapheneOS, or if it's just a matter of adding a few bundles and changing a link somewhere.

I should also add I don't plan on removing anything that's already in GrapheneOS outside of swapping the core OS signing keys for my own. Obviously I want this all to be signed and locked as I can do with stock GrapheneOS. If I can even somehow get the boot warning about a custom ROM to hide as needed, that would be amazing.

I'm not hugely familiar with building apps/roms, so I'm just looking for some good pointers with this sort of lower level customization to get me started. Any assistance would be greatly appreciated!

    To my knowledge, the custom rom boot message shouldn't be removed, if possible at all (don't think so).

    My question is: do you REALLY think it's worth it? All that work EACH time an update comes?

      Dubz Arguably use a spare device in case it bricks.

      alex_herrero
This isn't for my primary device, and yes I do. It might get annoying, but it's something I'm interested in doing and learning more about Android. Gotta start somewhere.

      Dubz What should I look to procuring for the signature part to be done correctly? Should I get an HSM, or will any YubiKey work to do this to the same extent?

      https://grapheneos.org/build#generating-release-signing-keys

      Dubz Is there a way to modify the "Apps" app to accomplish this instead, so the apps aren't actively installed, but could be? Possibly disabled but preloaded?

      Should be possible to set up your own Apps app repository, but you'd have to modify the Apps app's source code to change the server address, then learn how to set up your own repository by looking at https://github.com/GrapheneOS/apps.grapheneos.org


        unwat

        unwat https://grapheneos.org/build#generating-release-signing-keys

I saw this, but it wasn't specific about using YubiKeys or anything. I'm sure I could potentially figure it out, but I wasn't sure if I needed an HSM one, and figured I'd ask before dropping hundreds on one.

        unwat Should be possible to set up your own Apps app repository, but you'd have to modify the Apps app's source code to change the server address, then learn how to set up your own repository by looking at https://github.com/GrapheneOS/apps.grapheneos.org

        Yeah, that's what I was afraid of. I guess I'll just have to start with the personal signed one and go from there.

        If you have such skills and spare time, perhaps consider supporting the existing project?

          Thyself8991 If you have such skills and spare time, perhaps consider supporting the existing project?

          I know they aren't looking to add these in and anything I would do would be minor. Either way, I want to at least try this so I'm just looking for more insights.

Thinking further, in addition to not having any additional options for saving signing keys, such as on a YubiKey, I don't recall seeing any instructions for rotating out a signing key after so long, or any other information in that regard. I'm still new to this, so I'm just looking for some more tips if anyone has anything useful to share.

Dubz I don't recall seeing any instructions for rotating out a signing key after so long, or any other information in that regard.

            I think what GrapheneOS does is to use one signing key per device type (e.g., one for Pixel 6, one for 6 Pro, one for 6a), which is placed during the initial install and hoped to remain constant until GrapheneOS stops supporting the device. It is possible to imagine a protocol for rotating signing keys, but note that code to install the new key would need to be signed using the old key, or else devices with the old key would reject it.

            But I am not a GrapheneOS expert, nor an expert on Pixel verified boot.

            Dubz

            You can read through this page for more info about signing builds https://source.android.com/docs/core/ota/sign_builds. I don't see anything about key rotation. Maybe you can't?

            https://source.android.com has a lot of docs for Android development. Like, for example, I just typed "preinstalled" in the search and it comes up with this page, which I think would be useful for you.

            tbh I have been wanting to try playing with my own builds myself, but I can't since my computer isn't supported. However, I've found some of the documentation to be kind of lacking in some places. I think to be successful at this you'd have to read through a lot of code and configuration stuff and learn through a lot of trial and error.

At this point key rotation and storage is the only concern I have for starting on this. I want to take the most secure route I can possibly take. Saving signing keys on a storage drive is not secure, hence the inquiry about using something like a YubiKey, either a regular one or an HSM. I understand I would need to sign the new key with the old one, which then implies I'd need at least two of these to do it properly (so the old can sign the new without being overwritten).

            These limitations and such are my main personal blocker for jumping into this. I want to start but I want to do it right. I'm genuinely surprised GrapheneOS doesn't mention this in the documentation.