I'm looking at building GrapheneOS with possibly some slight modifications (preinstalled/system apps, custom signing key, possibly change the bootloader animation, etc.) and I just had a few questions.
- What should I look into procuring for the signature part to be done correctly? Should I get an HSM, or will any YubiKey work to do this to the same extent?
- Are there any guides to basic modifications for stuff such as adding apps preinstalled to be available OOTB?
- Is there a way to modify the "Apps" app to accomplish this instead, so the apps aren't actively installed, but could be? Possibly disabled but preloaded?
Some examples of things I thought of trying out, mostly for experience:
- Preinstall Bitwarden so signing in can be done immediately, then accounts can be pulled to sign into other apps, like Google Play (if applicable).
- Install Aurora Services (maybe similar to how Google Play Services is loaded disabled?), so that Aurora Store can update apps in the background just like Google Play does.
- Add a couple other apps to the "Apps" app, like Cloudflare's WARP app.
- A way to "update" said Apps app as well, since this may change down the road. Not sure if that's going to require a lot more finesse since it's already part of GrapheneOS, or if it's just a matter of adding a few bundles and changing a link somewhere.
I should also add I don't plan on removing anything that's already in GrapheneOS outside of swapping the core OS signing keys for my own. Obviously I want this all to be signed and locked as I can do with stock GrapheneOS. If I can even somehow get the boot warning about a custom ROM to hide as needed, that would be amazing.
I'm not hugely familiar with building apps/ROMs, so I'm just looking for some good pointers with this sort of lower-level customization to get me started. Any assistance would be greatly appreciated!