Merge branch 'master' into lineage-wip

.github/workflows/instantiate.yml

@@ -7,5 +7,5 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
-    - uses: cachix/install-nix-action@v7
+    - uses: cachix/install-nix-action@v9
     - run: nix-instantiate ./release.nix --show-trace

README.md

@@ -1,7 +1,7 @@
-# robotnix - Building Android (AOSP) with Nix
+# robotnix - Build Android (AOSP) with Nix
 
 This project enables using [Nix](https://nixos.org/nix/) to build Android ROMs, currently targeting Pixel 1-4(a) (XL) devices.
-Robotnix uses a NixOS-style module system for customizing various aspects of the build.
+Robotnix uses a NixOS-style module system to customize various aspects of the build.
 
 Some optional modules include:
  - Vanilla Android 10 AOSP support
@@ -44,13 +44,10 @@ A user can use the `--cores` option for `nix-build` to set the number of cores t
 use, which can also be useful to decrease parallelism in case memory usage of
 certain build steps is too large.
 
-A full Android 10 build takes about 4 hours on my quad-core i7-3770 with 16GB of memory.
-The included `vanilla` and `grapheneos` flavors also build `chromium` (or `vanadium`) from source for use as the system webview.
-This takes approximately 6 hours on my i7-3770.
+A full Android 10 build with chromium webview takes approximately 10 hours on my quad-core i7-3770 with 16GB of memory.
+AOSP takes approximately 4 hours of that, while webview takes approximately 6 hours.
 I have recently upgraded to a 3970x Threadripper with 32-cores.
-This can build chromium+android in under an hour.
-
-
+This can build chromium+android in about an hour.
 
 ## Configuration and Build Options
 A configuration file should be created for anything more complicated, including creating signed builds.
@@ -89,12 +86,12 @@ See `release.nix` for the set of configurations with this minimal build testing.
 This check is run using `nix-build ./release.nix -A check`.
 As each build takes approximately 4 hours--I only build marlin and crosshatch builds for myself.
 At some point, I would love to set up a build farm and publish build products on s3 or [cachix](https://cachix.org).
-This would allow an end-user to simply sign their own releases without building the entire AOSP themselves.
+This would allow an end-user to simply sign releases using their own keys without building the entire AOSP themselves.
 
-As of 2020-05-17, `target_files`, `signed_target_files`, `img`, and `ota` files have all been verified to be bit-for-bit reproducible for `crosshatch` and `marlin`.
+As of 2020-05-17, `target_files`, `signed_target_files`, `img`, and `ota` files have all been verified to be bit-for-bit reproducible for `crosshatch` and `marlin` using the `vanilla` flavor.
 Automated periodic testing of this is still desired.
 
-One option being investigated is to set up multiple remote builders to produce unsigned target files for a number of device and flavor combinations.
+One option being investigated is to have multiple independent remote builders produce unsigned target files for a number of device and flavor combinations.
 An end-user could then verify that the builders produced the same unsigned target files, and finish the process by signing the target files and producing their own `img` and `ota` files.
 
 However, there are a few places where user-specific public keys are included in the build for key pinning.

apks/auditor/customized-auditor.patch

@@ -1,4 +1,4 @@
-From c351ed984563d30bfab868d6f4472bed77556c25 Mon Sep 17 00:00:00 2001
+From c66421401af677b6d4b7ecdcc82e1b1648daa32e Mon Sep 17 00:00:00 2001
 From: Daniel Fullmer <[email protected]>
 Date: Sun, 14 Jul 2019 15:53:34 -0400
 Subject: [PATCH 1/4] Custom domain
@@ -21,10 +21,10 @@ index 78eb7c5..8d14f81 100644
      private static final String VERIFY_URL = "https://" + DOMAIN + "/verify";
      private static final int CONNECT_TIMEOUT = 60000;
 -- 
-2.23.0
+2.27.0
 
 
-From de016bffaa6f450f33fc260b57793fcd82870932 Mon Sep 17 00:00:00 2001
+From 4cc426aa31e66e64f8b7be590052b219d2a6b19f Mon Sep 17 00:00:00 2001
 From: Daniel Fullmer <[email protected]>
 Date: Sun, 14 Jul 2019 16:17:57 -0400
 Subject: [PATCH 2/4] Custom fingerprints
@@ -35,7 +35,7 @@ Subject: [PATCH 2/4] Custom fingerprints
  2 files changed, 10 insertions(+), 1 deletion(-)
 
 diff --git a/app/src/main/java/app/attestation/auditor/AttestationProtocol.java b/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
-index a6eec61..aa2cf70 100644
+index 6c85d56..6008e67 100644
 --- a/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
 +++ b/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
 @@ -225,7 +225,7 @@ class AttestationProtocol {
@@ -47,43 +47,43 @@ index a6eec61..aa2cf70 100644
      private static final int OS_VERSION_MINIMUM = 80000;
      private static final int OS_PATCH_LEVEL_MINIMUM = 201801;
      private static final int VENDOR_PATCH_LEVEL_MINIMUM = 201808;
-@@ -307,6 +307,11 @@ class AttestationProtocol {
+@@ -313,6 +313,11 @@ class AttestationProtocol {
                      new DeviceInfo(R.string.device_pixel_2_generic, 2, 3, true, true, R.string.os_calyx))
              .put("B4DE537A5F4B8FDAB6789EB2C06EC6E065E48A79EDD493A91F635004DD89F3E2",
                      new DeviceInfo(R.string.device_pixel_3_generic, 3, 4, false /* uses new API */, true, R.string.os_calyx))
-+            // Robotnix (TODO: support multiple devices. Needs different key for each device?)
++            // NixDroidOS (TODO: support multiple devices. Needs different key for each device?)
 +            .put("@taimen_avbFingerprint@",
-+                    new DeviceInfo(R.string.device_pixel_2_generic, 2, 3, true, true, R.string.os_robotnix))
++                    new DeviceInfo(R.string.device_pixel_2_generic, 2, 3, true, true, R.string.os_nixdroid))
 +            .put("@crosshatch_avbFingerprint@",
-+                    new DeviceInfo(R.string.device_pixel_3_generic, 3, 4, false /* uses new API */, true, R.string.os_robotnix))
++                    new DeviceInfo(R.string.device_pixel_3_generic, 3, 4, false /* uses new API */, true, R.string.os_nixdroid))
              .build();
      private static final ImmutableMap<String, DeviceInfo> fingerprintsStock = ImmutableMap
              .<String, DeviceInfo>builder()
-@@ -440,6 +445,9 @@ class AttestationProtocol {
+@@ -452,6 +457,9 @@ class AttestationProtocol {
              // CalyxOS
              .put("B4DE537A5F4B8FDAB6789EB2C06EC6E065E48A79EDD493A91F635004DD89F3E2",
                      new DeviceInfo(R.string.device_pixel_3_generic, 3, 4, false /* uses new API */, true, R.string.os_calyx))
-+            // Robotnix
++            // NixDroidOS
 +            .put("@crosshatch_avbFingerprint@",
-+                    new DeviceInfo(R.string.device_pixel_3_generic, 3, 4, false /* uses new API */, true, R.string.os_robotnix))
++                    new DeviceInfo(R.string.device_pixel_3_generic, 3, 4, false /* uses new API */, true, R.string.os_nixdroid))
              .build();
      private static final ImmutableMap<String, DeviceInfo> fingerprintsStrongBoxStock = ImmutableMap
              .<String, DeviceInfo>builder()
 diff --git a/app/src/main/res/values/strings.xml b/app/src/main/res/values/strings.xml
-index 388bbed..e8eee1b 100644
+index 100130a..17864b6 100644
 --- a/app/src/main/res/values/strings.xml
 +++ b/app/src/main/res/values/strings.xml
-@@ -137,4 +137,5 @@
+@@ -140,4 +140,5 @@
      <string name="os_stock">Stock</string>
      <string name="os_graphene">GrapheneOS</string>
      <string name="os_calyx">CalyxOS</string>
-+    <string name="os_robotnix">Robotnix</string>
++    <string name="os_nixdroid">NixDroidOS</string>
  </resources>
 -- 
-2.23.0
+2.27.0
 
 
-From 1eb91d45fb829c38f672822ce817f1a0392be4ca Mon Sep 17 00:00:00 2001
+From 50e5e03ae5009c962bda1da5bec344959bde2e28 Mon Sep 17 00:00:00 2001
 From: Daniel Fullmer <[email protected]>
 Date: Sat, 24 Aug 2019 16:49:04 -0400
 Subject: [PATCH 3/4] Customize appId
@@ -94,20 +94,20 @@ Subject: [PATCH 3/4] Customize appId
  2 files changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/app/build.gradle b/app/build.gradle
-index 0c5d811..48014a0 100644
+index b4c4ed7..167e083 100644
 --- a/app/build.gradle
 +++ b/app/build.gradle
 @@ -4,7 +4,7 @@ android {
      compileSdkVersion 29
-     buildToolsVersion "29.0.2"
+     buildToolsVersion "29.0.3"
      defaultConfig {
 -        applicationId "app.attestation.auditor"
 +        applicationId "@applicationId@"
          minSdkVersion 24
          targetSdkVersion 29
-         versionCode 17
+         versionCode 18
 diff --git a/app/src/main/java/app/attestation/auditor/AttestationProtocol.java b/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
-index aa2cf70..27b0561 100644
+index 6008e67..c601388 100644
 --- a/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
 +++ b/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
 @@ -220,7 +220,7 @@ class AttestationProtocol {
@@ -120,29 +120,29 @@ index aa2cf70..27b0561 100644
      private static final String ATTESTATION_APP_SIGNATURE_DIGEST_DEBUG =
              "17727D8B61D55A864936B1A7B4A2554A15151F32EBCF44CDAA6E6C3258231890";
 -- 
-2.23.0
+2.27.0
 
 
-From e1aeadd29925df0f2bb6fb29c570b44ebc9ab240 Mon Sep 17 00:00:00 2001
+From fa069977cb507a69fb3708298daccf38deb8e351 Mon Sep 17 00:00:00 2001
 From: Daniel Fullmer <[email protected]>
 Date: Sat, 24 Aug 2019 17:03:03 -0400
-Subject: [PATCH 4/4] Change application name to Robotnix Auditor for clarity
+Subject: [PATCH 4/4] Change application name to NixDroid Auditor for clarity
 
 ---
  app/src/main/res/values/strings.xml | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/app/src/main/res/values/strings.xml b/app/src/main/res/values/strings.xml
-index e8eee1b..8ee2b91 100644
+index 17864b6..2859adf 100644
 --- a/app/src/main/res/values/strings.xml
 +++ b/app/src/main/res/values/strings.xml
 @@ -1,5 +1,5 @@
  <resources>
 -    <string name="app_name">Auditor</string>
-+    <string name="app_name">Robotnix Auditor</string>
++    <string name="app_name">NixDroid Auditor</string>
      <string name="introduction">Two devices are needed to perform verification:\n\n- The device to be verified (Auditee), which needs to be one of the supported devices launched with Android 8.0+.\n\n- An Android 7.0+ device to perform the verification (Auditor).\n\nThe verification process requires sending data between the devices by scanning QR codes.</string>
      <string name="unsupported_auditee">Device is not one of the supported models with hardware-based attestation.</string>
      <string name="camera_permission_denied">Camera permission is required to scan QR codes. Please try again.</string>
 -- 
-2.23.0
+2.27.0
 

apks/auditor/default.nix

@@ -1,5 +1,5 @@
 # https://www.reddit.com/r/GrapheneOS/comments/bpcttk/avb_key_auditor_app/
-{ callPackage, lib, substituteAll, fetchFromGitHub, buildGradle, androidPkgs, jdk, gradle,
+{ callPackage, lib, substituteAll, fetchFromGitHub, androidPkgs, jdk, gradle,
   domain ? "example.org",
   applicationName ? "Robotnix Auditor",
   applicationId ? "org.robotnix.auditor",
@@ -8,19 +8,20 @@
   avbFingerprint ? ""
 }:
 let
-  androidsdk = androidPkgs.sdk (p: with p.stable; [ tools platforms.android-29 build-tools-29-0-2 ]);
+  androidsdk = androidPkgs.sdk (p: with p.stable; [ tools platforms.android-29 build-tools-29-0-3 ]);
+  buildGradle = callPackage ./gradle-env.nix {};
 in
 buildGradle rec {
   name = "Auditor-${version}.apk";
-  version = "17"; # Latest as of 2019-11-11
+  version = "18"; # Latest as of 2019-11-11
 
   envSpec = ./gradle-env.json;
 
   src = fetchFromGitHub {
     owner = "grapheneos";
     repo = "Auditor";
     rev = version;
-    sha256 = "143bvhxyvv5yk1c98kmdbj4qc6hn9snjqdmajwn778bxvwdyf0jl";
+    sha256 = "1w0zn2z0p7rrbwckrhzwifynja5arxa3gijvz6npsc08hws3nwxi";
   };
 
   patches = [
@@ -36,7 +37,7 @@ buildGradle rec {
   gradleFlags = [ "assembleRelease" ];
 
   ANDROID_HOME = "${androidsdk}/share/android-sdk";
-  nativeBuildInputs = [ jdk gradle ];
+  nativeBuildInputs = [ jdk ];
 
   installPhase = ''
     cp app/build/outputs/apk/release/app-release-unsigned.apk $out