While the AOSP source tree provides a default set of cryptographic keys (the platform, shared, media, and testkey certificates), those default keys are publicly available on the internet. Anyone can download them from the Google Git repository.
If you flash an Android device using the default AOSP keys, any malicious actor can download the publicly available platform key, sign their own malware with it, and install it on your device. The device will assume the malware is an official system app and grant it total, unrestricted root access.
Generating Custom Release Keys
To secure a commercial device before selling it to consumers, a manufacturer must completely delete the default AOSP keys and generate their own unique, highly guarded Release Keys.
AOSP provides a utility script in development/tools/make_key to generate these custom RSA cryptographic key pairs (.pk8 private key and .x509.pem public certificate).
# Example command to generate a highly secure 2048-bit RSA release key
development/tools/make_key releasekey '/C=US/ST=California/L=Mountain View/O=Google/OU=Android/CN=Android'
A hardware manufacturer will typically store these private release keys on a highly secure, offline air-gapped server to ensure they cannot be stolen by hackers.
The sign_target_files_apks Script
Because the private release keys are often stored on a separate, highly secure server, you cannot use them during the standard m compilation process.
Instead, AOSP utilizes a two-step signing architecture:
- Step 1 (The Build Server): The standard build server compiles the entire operating system using the generic, insecure public test keys. The output is a massive .zip file containing every compiled APK and framework binary (known as the target_files zip).
- Step 2 (The Secure Server): The target_files zip is transferred to the secure server. AOSP provides a script called sign_target_files_apks. This script opens the zip file, strips out all the insecure test signatures, and re-signs every APK and system binary using the manufacturer's proprietary, secure release keys.
OTA Package Signing
Cryptographic keys are not just used for signing APKs; they are also used to sign Over-The-Air (OTA) system updates.
When a device downloads an OTA update zip, the Android Recovery environment strictly verifies the cryptographic signature of the entire package. It checks the signature against a public key permanently embedded in the device's /system partition.
If the manufacturer generated custom release keys, the device will only ever accept OTA updates signed by the manufacturer. If a hacker tries to push a malicious OS update over Wi-Fi, the signature verification will fail, and the Recovery environment will refuse to flash the package, ensuring the permanent integrity of the operating system.
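As an added example (not code from this page or from AOSP), the Python below parses the whole-file signature layout that the AOSP signapk tool appends to an OTA zip's archive comment and that recovery checks before trusting a package: the 6-byte footer, the EOCD sanity checks, the PKCS#7 block and the exact byte range the signature covers. The sample zip and its signature block are constructed placeholders, so the layout is real but the signature bytes are not; the certificate comparison and the actual CMS verification over the returned range are left to a crypto library.

```python
import io
import struct
import zipfile

EOCD_MAGIC = b"PK\x05\x06"
FOOTER_SIZE = 6

def parse_ota_footer(data):
    """Locate the whole-file signature in an OTA zip the way recovery does.
    Returns (signed_len, block): the leading bytes the signature covers (all of
    the file before the EOCD comment-length field) and the raw PKCS#7 block
    from the archive comment. Raises ValueError where RecoverySystem would."""
    if len(data) < 22 + FOOTER_SIZE:
        raise ValueError("file too small for an EOCD record and footer")
    footer = data[-FOOTER_SIZE:]
    if footer[2:4] != b"\xff\xff":
        raise ValueError("no signature in file (no footer)")
    signature_start = struct.unpack("<H", footer[0:2])[0]
    comment_size = struct.unpack("<H", footer[4:6])[0]
    if not FOOTER_SIZE <= signature_start <= comment_size:
        raise ValueError("inconsistent footer")  # added sanity check
    eocd = data[len(data) - (comment_size + 22):]
    if eocd[:4] != EOCD_MAGIC:
        raise ValueError("no signature in file (bad footer)")
    # A second EOCD marker inside the comment would let the verifier and the
    # zip parser disagree about which central directory is real.
    if EOCD_MAGIC in eocd[4:]:
        raise ValueError("EOCD marker found after start of EOCD")
    sig_off = comment_size + 22 - signature_start
    block = eocd[sig_off:sig_off + signature_start - FOOTER_SIZE]
    return len(data) - comment_size - 2, block

def append_signature_comment(unsigned_zip, block):
    """Append a block in SignApk's whole-file layout to a comment-less zip."""
    if unsigned_zip[-2:] != b"\x00\x00":
        raise ValueError("input zip must have no archive comment")
    message = b"signed by SignApk\x00"
    total_size = len(message) + len(block) + FOOTER_SIZE
    if total_size > 0xFFFF:
        raise ValueError("signature is too big for ZIP file comment")
    signature_start = total_size - len(message)
    footer = struct.pack("<HBBH", signature_start, 0xFF, 0xFF, total_size)
    return unsigned_zip[:-2] + struct.pack("<H", total_size) + message + block + footer

def build_sample():
    """Constructed sample: a tiny zip plus a placeholder (not real) PKCS#7 block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.bin", b"constructed OTA payload")
    return append_signature_comment(buf.getvalue(), b"\x30\x82" + b"A" * 40)
```

Feeding the returned range and block to a CMS verifier, and checking the signer certificate against the one shipped on the device, completes the check recovery performs.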