Building Copperhead OS for Pixel XL

building-copperhead-pixel_XL.md

Notes for building Copperhead OS for the Pixel XL. This was done on Ubuntu 14.04.5 LTS, using GNU Make 3.81 (3.81-8.2ubuntu3) and Python 2.7.6 (2.7.6-8ubuntu0.2), as recommended on https://source.android.com/setup/requirements#software-requirements. All below instructions are specific to the Pixel XL (marlin) and come from https://copperhead.co/android/docs/building.

Install build dependencies

sudo apt-get update 
sudo apt-get install git-core gnupg flex bison gperf build-essential zip curl zlib1g-dev gcc-multilib g++-multilib libc6-dev-i386 lib32ncurses5-dev x11proto-core-dev libx11-dev lib32z-dev ccache libgl1-mesa-dev libxml2-utils xsltproc unzip

sudo add-apt-repository ppa:git-core/ppa
sudo apt-get update
sudo apt-get install git

sudo add-apt-repository ppa:openjdk-r/ppa
sudo apt-get update
sudo apt-get install openjdk-8-jdk

sudo apt-get install fuseext2 # It is not advised to use this for execute-all.sh down below (see comments on https://redd.it/7one92), but I wasn't sure what to do, as debugfs wasn't working.
sudo apt-get install liblz4-tool

Set up

build_tag='OPM1.171019.012.2018.01.03.02' # this is the value in the Version column on https://copperhead.co/android/downloads
device='marlin' # Pixel XL
build_id='OPM1.171019.012' # https://developers.google.com/android/images#marlin

Download source

mkdir copperheados-${build_tag}
cd copperheados-${build_tag}
repo init -u https://github.com/CopperheadOS/platform_manifest.git -b refs/tags/${build_tag}

gpg --recv-keys 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A
gpg --recv-keys 4340D13570EF945E83810964E8AD3F819AB10E78
cd .repo/manifests
git verify-tag --raw $(git describe)
cd ../..

repo sync -j10

repo forall -c 'git verify-tag --raw $(git describe)'

Setting up the build environment

source script/copperhead.sh
choosecombo release aosp_${device} user

# Edit vendor/android-prepare-vendor/execute-all.sh to use fuse instead of debugfs
vendor/android-prepare-vendor/execute-all.sh -d marlin -b ${build_id} -o vendor/android-prepare-vendor
mkdir -p vendor/google_devices
rm -rf vendor/google_devices/${device}

lower_build_id=$(echo $build_id | tr '[:upper:]' '[:lower:]')
mv vendor/android-prepare-vendor/marlin/${lower_build_id}/vendor/google_devices/marlin vendor/google_devices

Generating release signing keys

mkdir -p keys/${device}
cd keys/${device}
../../development/tools/make_key releasekey '/C=CA/ST=Ontario/L=Toronto/O=CopperheadOS/OU=CopperheadOS/CN=CopperheadOS/[email protected]'
../../development/tools/make_key platform '/C=CA/ST=Ontario/L=Toronto/O=CopperheadOS/OU=CopperheadOS/CN=CopperheadOS/[email protected]'
../../development/tools/make_key shared '/C=CA/ST=Ontario/L=Toronto/O=CopperheadOS/OU=CopperheadOS/CN=CopperheadOS/[email protected]'
../../development/tools/make_key media '/C=CA/ST=Ontario/L=Toronto/O=CopperheadOS/OU=CopperheadOS/CN=CopperheadOS/[email protected]'
../../development/tools/make_key verity '/C=CA/ST=Ontario/L=Toronto/O=CopperheadOS/OU=CopperheadOS/CN=CopperheadOS/[email protected]'
cd ../..

make -j10 generate_verity_key
out/host/linux-x86/bin/generate_verity_key -convert keys/${device}/verity.x509.pem keys/${device}/verity_key

openssl x509 -outform der -in keys/${device}/verity.x509.pem -out kernel/google/${device}/verity_user.der.x509

Put the platform and releasekey into ClientWhitelist.java so that apps from F-Droid can be installed (https://www.reddit.com/r/CopperheadOS/comments/69tf3z/fdroid_important_apps_not_working_because_of_no/)

release_fingerprint=$(cat keys/marlin/releasekey.x509.pem | openssl x509  -fingerprint -sha256 -noout | tr -d ":" | sed 's/.*=//')
platform_fingerprint=$(cat keys/marlin/platform.x509.pem | openssl x509  -fingerprint -sha256 -noout | tr -d ":" | sed 's/.*=//')
client_whitelist="packages/apps/F-Droid/privileged-extension/app/src/main/java/org/fdroid/fdroid/privileged/ClientWhitelist.java"

# Replace existing marlin fingerprints
sed -i "s/6425C9DE6219056CCE62F73E7AD9F92C940B83BAC1D5516ABEBCE1D38F85E4CF/${release_fingerprint}/g" $client_whitelist
sed -i "s/CC1E06EAD3E9CA2C4E46073172E92BAD4AFB02D4D21EDDC3F4D9A50C2FBD639D/${platform_fingerprint}/g" $client_whitelist

Building

rm -r out
make target-files-package -j10

#Generating signed factory images and full update packages
make -j10 brillo_update_payload
script/release.sh marlin

Rebuilding

rm -r * # Delete everything but the .repo dir
# set the necessary variables in *Set up* and restart

I keep getting the following error after running 'repo sync -j10'

Fetching projects:  99% (583/588)  remote: Not Found
fatal: unable to access 'https://bitbucket.org/copperhead-security/platform_external_chromium/': GnuTLS recv error (-110): The TLS connection was non-properly terminated.
error: Cannot fetch platform_external_chromium

error: Exited sync due to fetch errors

edit:
https://copperhead.co/android/docs/building -
'Before building CopperheadOS, you need to build Chromium for the WebView and optionally the standalone browser app. CopperheadOS uses a hardened fork of Chromium for these. It needs to be rebuilt when Chromium is updated or the CopperheadOS chromium_patches repository changes.'
.
.
.
.
'Note that we don’t have our own public repository at the moment because Chromium is too large to host it on GitHub or Bitbucket where we are hosting the other repositories.'

I have ordered a used Nexus 6P angler. I know it is not the newest and support has ended, but it will still be safer and not tracking every bluetooth nor wlan connection around me.

Can I build on windows with Atom or ist it easier with linux (kubuntu)?
If I type the stuff above, changed to match my phone, how much do I have to download?