Verifying the integrity of the source code¶

To ensure that nobody has tampered with the source code copy you received, it is recommended to verify the Git tags of all repositories. On the release branch, only signed tags are checked out in the Git repositories and the source code is "frozen" at a certain release version.

Tags are signed with different keys and you need to retrieve these GPG keys first. Repos that come from the Replicant group and the LineageOS mirror are signed with the same release key that was used for creating the corresponding release images.

Tags in repos that are directly synced from AOSP are signed with the key from the Android Open Source Project:
Key ID: E8AD3F819AB10E78
Fingerprint: 4340 D135 70EF 945E 8381 0964 E8AD 3F81 9AB1 0E78

The tags in the repo for the F-Droid Privileged Extension is signed with the key of its maintainer Hans-Christoph Steiner:
Key ID: E9E28DEA00AA5556
Fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556