Hi all, I hope this question hasn't been asked before; I'm sorry if it has. I think I understand the basics here but want to be sure. I'm pretty experienced with this stuff but not with the Android/Pixel ecosystem at all, and I'm planning to make the jump from iOS.
If I build Graphene and sign it with my own keys and then lock the bootloader, my understanding is that I would be able to install any other OS onto that phone without unlocking the bootloader and tossing the user data keys.
So, hypothetically, I install Graphene, self-signed, and for some reason desperately need to access some protected area of the filesystem. In that case, I could build a userdebug version of Graphene, sign that, flash it, get my file via ADB, and reinstall the user build (again, self-signed). Or, theoretically, I could change something in the source myself or even install a completely different Android fork and keep the bootloader locked the whole time (I get that there would be other issues with changing the OS; I'm just trying to get my head around how the bootloader thinks about the world).
If I do this, then I won't be able to install OTA updates traditionally, correct? I'd always need to build, sign, and sideload?
Also, in the case of self-signing, would Graphene pass its Auditor app check, if the build were unchanged, or would the different signing keys trip that?
Also, I get that if I lose (or lose control of) my own keys, it's game-over for security (former case) or my user data (latter case).
Thanks very much, and again apologies if this is a nooby question or answered elsewhere.