Verifying the integrity of the source code

To ensure that nobody has tampered with the source code copy you received, it is recommended to verify the Git tags of all repositories. On the release branch, only signed tags are checked out in the Git repositories and the source code is "frozen" at a certain release version.

Needed GPG keys

Tags are signed with different keys and you need to retrieve these GPG keys first.
Repos that come from the Replicant group and the LineageOS mirror are signed with the same release key that was used for creating the corresponding release images.

Tags in repos that are directly synced from AOSP are signed with the key from the Android Open Source Project:
Key ID: E8AD3F819AB10E78
Fingerprint: 4340 D135 70EF 945E 8381 0964 E8AD 3F81 9AB1 0E78

The tags in the repo for the F-Droid Privileged Extension is signed with the key of its maintainer Hans-Christoph Steiner:
Key ID: E9E28DEA00AA5556
Fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556

As with the Replicant release key, the other keys can be retrieved with:

gpg --recv-key KEY_ID


First, the tag in the manifest needs to be checked:

cd .repo/manifests
git verify-tag $(git describe)
cd ../..

Then all the other tags can be verified:

repo forall -ec ' { echo "Verifying $REPO_PROJECT" && git verify-tag $(git describe) 2>/dev/null; } || { echo "Error: verification failed!" && exit 1; } '

If the verification fails for a repo, Error: verification failed! is displayed. To investigate further in case an error happens, you can run git verify-tag $(git describe) in the repo where the error happens.

Updated by Wolfgang Wiedmeyer over 6 years ago · 5 revisions

Also available in: PDF HTML TXT