CopperheadOS is an Android Open Source fork with a huge number of security improvements and no Google services included. I’ve been using it on my Nexus 5X for 6 months or so and it makes an excellent mobile OS.
As I currently depend on several apps which unfortunately require Google services (such as banking apps that require Google’s push notifications in order to confirm transactions), I build CopperheadOS from source and include MicroG, an open-source reimplementation of parts of Google Play Services that tries to respect your privacy somewhat more than Google’s closed-source implementation.
There are a few tricks involved in doing this that could be useful to others. You can generally follow the instructions on the Copperhead website but you’ll need to do the following additional steps:
Make OUT_DIR absolute
After the step where you source script/copperhead.sh, export an absolute path for OUT_DIR. This is where your build outputs will end up. Using an absolute path rather than the default relative path avoids a bug where symlinks get set up incorrectly for the MicroG apps.
Add the MicroG repositories
Before running repo sync, edit .repo/manifests/default.xml and add the following repositories just before the closing </manifest> at the end of the file. Don’t name the remote github because Copperhead already uses that name to point directly to their GitHub user.
<remote name="gh" fetch="https://github.com/" />
<project path="packages/apps/GmsCore" name="microg/android_packages_apps_GmsCore" remote="gh" revision="master" />
<project path="packages/apps/GsfProxy" name="microg/android_packages_apps_GsfProxy" remote="gh" revision="master" />
<project path="packages/apps/UnifiedNlp" name="microg/android_packages_apps_UnifiedNlp" remote="gh" revision="master" />
<project path="packages/apps/FakeStore" name="microg/android_packages_apps_FakeStore" remote="gh" revision="master" />
Add MicroG to the build script
Add the following lines towards the end of device/lge/bullhead/device.mk (or the device.mk file corresponding to the Android device you are building for):
PRODUCT_PACKAGES += \
GmsCore \
GsfProxy \
UnifiedNlp \
FakeStore
Apply the signature spoofing patch from the MicroG repository
pushd frameworks/base
wget -qO- https://raw.githubusercontent.com/microg/android_packages_apps_GmsCore/master/patches/android_frameworks_base-N.patch | patch -p1 --no-backup-if-mismatch
popd
The --no-backup-if-mismatch option is important. The patch applies with a little fuzz, and without this option, patch will write .orig backups that then get picked up by the Android resource system and cause the build to fail on duplicate resources.
Whitelist your release key for the F-Droid privileged extension
Before running make target-files-package, get the fingerprint of your release signing certificate (which you created as part of the Copperhead build instructions) using this command:
keytool -list -printcert -file releasekey.x509.pem | grep 'SHA256:' | tr -d ':' | cut -d ' ' -f 3
Insert this fingerprint into the file packages/apps/F-Droid/privileged-extension/app/src/main/java/org/fdroid/fdroid/privileged/ClientWhitelist.java. This allows the F-Droid app, which will be signed with your release key, to access the privileged extension to install apps and updates.
Install your new build
After building, follow the installation instructions on the Copperhead website to install the OS. The initial install will require wiping the device in order to unlock the bootloader. Subsequent updates can be performed without data loss by sideloading the OTA update file generated by the build.