Verifying a (custom) ROM signature

Question

Android ROMs and also Android custom ROMs are typically cryptographically signed.


Most users will only recognize this if they try to install a ROM and the signature verification on-device fails.


For verifying authenticity of a ROM it can makes sense to verify the signature offline, before installing the ROM and e.g. compare the used signature certificate if it is the one expected, e.g. if the ROM is a genuine ROM build by LineageOS.


What command do you have to execute for verifying the signature of a ROM (e.g. if you have the ZIP file) on a PC?


Robert | Sources

Answer

In order to verify the signature of a ROM ZIP file on a PC, two things are required:



  • The public key from the ROM creator (can be extracted from /system/etc/security/otacerts.zip if the creator is the same e.g. in case of updating stock ROM).

  • A tool to extract the certificate from the comment (footer) of the ZIP file and verify its signature key against the ROM developer's public key.


There are multiple tools available to perform the second step, including the one officially provided by LineageOS:


update_verifier.py <pubkey> /path/to/zip_file

DETAILS


I had a vague notion that custom ROM ZIP files contain the standard JAR signatures block (which is also the case with APK signature scheme v1). So the standard jarsigner -verify command could be used to verify the integrity of a self-signed JAR/ZIP file (that it hasn't been tempered with since created), though not the authenticity of the source (which requires the root certificate, as is the case with AVB).


But a deeper look into TWRP source code indicates that it's using the same signature verification mechanism used in stock recovery for OTA ZIP file verification (source code here) i.e. verifying the authority of the ZIP file's creator against prebuilt public keys stored in /res/keys/. signapk.jar is used at the time of compilation to sign both APKs (apksigner is called) and OTA ZIP files. The same tool adds the "signed by SignApk" message you noticed in ZIP file.


So the /res/keys/ directory in recovery must contain the public keys from all ROM creators in order to verify their ZIP files, which doesn't seem practical. Stock recovery contains only OEM's public key(s) while custom recovery most probably contains test keys from the official SDK. And that's why we often face the infamous "ZIP signature verification failed" message for ROMs and other flashable ZIP files.


On non-A/B devices the OTA package (if not manually downloaded by the user) is also verified before booting to recovery mode. In this case prebuilt keys from otacerts.zip are used for verification (source code here). But with A/B updates recovery is not involved at all (/res/keys/ no more exists since Android 10) and package might not be verified even once (if doing "streaming updates", some more details in this answer).


So keeping these points in view, the verification mechanism used in recovery doesn't seem to be of much importance. In order to verify the authenticity of a ROM, better would be to simply do a checksum verification of the downloaded file if possible, like LineageOS provides SHA256 hashes with their downloadable ZIP files.


Irfan Latif | Sources

Q & A

Can the Verizon Samsung Galaxy S9+ also run T-Mobile?
can i unlock my phone with voice command?
Samsung tablet gt-p5100 Firmware Upgrade encountred an error
How can I create a rule in Microsoft Outlook for Android?
What information is available to an application?
How do I copy the subject of an email in Google Inbox on Android?
Internet fast when sharing via hotspot or tethering but slow on the device itself
Is there a different fastboot command for the Google Pixel and the oem-off-mode command?
Does Roehsoft RAM Expander need to be running?
MIUI newest version displays annoying message popups
What is the location of the DCIM folder in the internal storage on a Xiaomi Redmi 4X?
How to save images / videos from a Xiaomi Redmi 4X that keeps rebooting in every 30 seconds
Why does every app need full access to everything on my phone?
Anyone knows the second icon?
Why is there no app from Google like LastPass?
Control android devices remotely
Select my own ringtone on Samsung s7 but only Sound picker is available
How to fix Dead or Stuck pixels on my android phone using PC?
Will restoring WhatsApp chats also restore my WhatsApp number
Emoticons/emojis not being sent via SMS

Topics

2D Engines   3D Engines   9-Patch   Action Bars   Activities   ADB   Advertisements   Analytics   Animations   ANR   AOP   API   APK   APT   Architecture   Audio   Autocomplete   Background Processing   Backward Compatibility   Badges   Bar Codes   Benchmarking   Bitmaps   Bluetooth   Blur Effects   Bread Crumbs   BRMS   Browser Extensions   Build Systems   Bundles   Buttons   Caching   Camera   Canvas   Cards   Carousels   Changelog   Checkboxes   Cloud Storages   Color Analysis   Color Pickers   Colors   Comet/Push   Compass Sensors   Conferences   Content Providers   Continuous Integration   Crash Reports   Credit Cards   Credits   CSV   Curl/Flip   Data Binding   Data Generators   Data Structures   Database   Database Browsers   Date &   Debugging   Decompilers   Deep Links   Dependency Injections   Design   Design Patterns   Dex   Dialogs   Distributed Computing   Distribution Platforms   Download Managers   Drawables   Emoji   Emulators   EPUB   Equalizers &   Event Buses   Exception Handling   Face Recognition   Feedback &   File System   File/Directory   Fingerprint   Floating Action   Fonts   Forms   Fragments   FRP   FSM   Functional Programming   Gamepads   Games   Geocaching   Gestures   GIF   Glow Pad   Gradle Plugins   Graphics   Grid Views   Highlighting   HTML   HTTP Mocking   Icons   IDE   IDE Plugins   Image Croppers   Image Loaders   Image Pickers   Image Processing   Image Views   Instrumentation   Intents   Job Schedulers   JSON   Keyboard   Kotlin   Layouts   Library Demos   List View   List Views   Localization   Location   Lock Patterns   Logcat   Logging   Mails   Maps   Markdown   Mathematics   Maven Plugins   MBaaS   Media   Menus   Messaging   MIME   Mobile Web   Native Image   Navigation   NDK   Networking   NFC   NoSQL   Number Pickers   OAuth   Object Mocking   OCR Engines   OpenGL   ORM   Other Pickers   Parallax List   Parcelables   Particle Systems   Password Inputs   PDF   Permissions   Physics Engines   Platforms   Plugin Frameworks   Preferences   Progress Indicators   ProGuard   Properties   Protocol Buffer   Pull To   Purchases   Push/Pull   QR Codes   Quick Return   Radio Buttons   Range Bars   Ratings   Recycler Views   Resources   REST   Ripple Effects   RSS   Screenshots   Scripting   Scroll Views   SDK   Search Inputs   Security   Sensors   Services   Showcase Views   Signatures   Sliding Panels   Snackbars   SOAP   Social Networks   Spannable   Spinners   Splash Screens   SSH   Static Analysis   Status Bars   Styling   SVG   System   Tags   Task Managers   TDD &   Template Engines   Testing   Testing Tools   Text Formatting   Text Views   Text Watchers   Text-to   Toasts   Toolkits For   Tools   Tooltips   Trainings   TV   Twitter   Updaters   USB   User Stories   Utils   Validation   Video   View Adapters   View Pagers   Views   Watch Face   Wearable Data   Wearables   Weather   Web Tools   Web Views   WebRTC   WebSockets   Wheel Widgets   Wi-Fi   Widgets   Windows   Wizards   XML   XMPP   YAML   ZIP Codes