How to download the exact source code of a specific LineageOS Android build?
For example this one:
https://download.lineageos.org/FP3
sha256 039a65b5365acd4d570fab1c034f450f32f04ca6f5371602adc6a9736bffe015
lineage-19.1-20221031-nightly-FP3-signed.zip
Goal: being able to manually inspect the (Open Source) source code and verify that no arbitrary code has been manipulated in this specific build.
Preamble
When I download an app like Termux from F-Droid I can:
- verify the PGP signature (verifying package authority and integrity)
- inspect the build log (checking for controversial passages from unusual libraries)
- download the original source tarball and inspect the source code (most important for me)
How to do the last verification step on a specific LineageOS build?
Notes
- https://security.stackexchange.com/q/266348/ - this question migrated from the Information Security network
- https://wiki.lineageos.org/verifying-builds - page describing how to verify digital signature (not how to download the sources of a specific version)
- https://download.lineageos.org/FP3 - downloads for the Fairphone 3 where there is not the possibility to neither download the exact source code neither see the exact commit hash)
- https://wiki.lineageos.org/devices/FP3/build - how to build your own version (now about how to inspect the source code of an exact already-existing build)
- https://wiki.lineageos.org/signing_builds - how to sign my builds (same problem as above)
- https://mirrorbits.lineageos.org/full/FP3/20221114/lineage-19.1-20221114-nightly-FP3-signed.zip this is the URL of a specific build, but its parent directory cannot be visited https://mirrorbits.lineageos.org/full/FP3/20221114/ so I can't tell if there are any other files (like the source code tarball of that exact version)
- https://github.com/LineageOS/android_device_fairphone_FP3 AFAIK this is the repository of the Fairphone 3 (but I see no reference between the specific image in the download page, and its specific git tag or git hash etc.)
At the moment it seems to me that I have to take the date from the download page (e.g. 20221114) and manually guess the exact commit hash from the official repository. This seems to me an unscientific way to proceed.
Thank you for the clarification about how to download the exact source code of whatever specific official LineageOS build.
Short answer, you can't.
Long answer: you could, but in this way you won't ever get the same precise package. And (imho) you'll waste a ton of time and resources, too.
LineageOS has tons of repos, it's not just one repo. You could still sync the entire source from their manifest and checkout everything at a specific date, in your case at the test build's date. After that, you could build an unofficial build by yourself, using the LineageOS building guide. Though, it won't match precisely the official build because, among other factors, you're missing the signing key used to sign the official builds, which is private (as it should be). This is what differentiates an official build from an unofficial one.
Regarding the checkout part, you can check here regarding the latest commits added in that specific build.
Good luck!