WundermentOS Signing Keys

WundermentOS started builds way back in 2019. At the time, the standard for Android encryption keys was 2048 bits, so our private signing keys were generated at that size.

Since that time, Android has moved to an even more secure standard of 4096 bits and higher for newer versions. However, moving from one key to another is a significant hurdle, and WundermentOS will not be attempting to replace the existing private keys of supported devices that began with the 2048-bit versions.

New 4096-bit keys have been generated and will be used for all new devices added to the build roster in the future, starting with the Pixel 5.

So what does this mean for you? If you have WundermentOS currently installed, there is nothing for you to do; you will continue to receive updates seamlessly in the future just as you always have.

If you are installing WundermentOS for the first time, there will be a few things to take note of:

  • There will be two WundermentOS pkmd files moving forward: Wunderment-pkmd-2048.bin and Wunderment-pkmd-4096.bin. If there is no bit strength in the pkmd file name, assume it is the 2048-bit version.
  • You must install the version of the pkmd file that matches the private keys that were used to sign your WundermentOS zip file. If you try to lock your bootloader with the wrong one, you will be presented with the red corrupt OS message during boot.
  • To simplify this change and ensure you have the right pkmd file during installation, the correct pkmd file will be included in the recovery zip for each device starting in November 2022.
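
One way to confirm which pkmd file you are holding before locking the bootloader, as an added example that is not WundermentOS's own tooling. It assumes the pkmd files use the standard Android Verified Boot public key layout (32-bit big-endian key size, 32-bit n0inv, modulus, rr); the function names and the sample blobs are constructed for illustration.

```python
import re
import struct

ALLOWED_BITS = (2048, 4096, 8192)  # RSA sizes supported by avbtool

def bits_from_name(filename: str) -> int:
    """The page's rule: no bit strength in the file name means 2048."""
    m = re.search(r"pkmd-(\d+)\.bin$", filename)
    return int(m.group(1)) if m else 2048

def inspect_pkmd(blob: bytes) -> int:
    """Return the key size in bits; raise ValueError if the blob is malformed."""
    if len(blob) < 8:
        raise ValueError("shorter than the 8-byte header")
    bits, n0inv = struct.unpack(">II", blob[:8])
    if bits not in ALLOWED_BITS:
        raise ValueError(f"unexpected key_num_bits {bits}")
    size = bits // 8
    if len(blob) != 8 + 2 * size:
        raise ValueError(f"length {len(blob)} does not fit a {bits}-bit key")
    n = int.from_bytes(blob[8:8 + size], "big")
    rr = int.from_bytes(blob[8 + size:], "big")
    if n.bit_length() != bits or n % 2 == 0:
        raise ValueError("modulus is not an odd number of the stated size")
    if (n * n0inv + 1) % (1 << 32) != 0:      # n0inv = -1/n mod 2^32
        raise ValueError("n0inv does not match the modulus")
    if rr != pow(2, 2 * bits, n):              # rr = (2^bits)^2 mod n
        raise ValueError("rr does not match the modulus")
    return bits

def matches_name(filename: str, blob: bytes) -> bool:
    """True when the file's contents carry the key size its name promises."""
    return inspect_pkmd(blob) == bits_from_name(filename)

def build_sample(bits: int) -> bytes:
    """Constructed test input: a well-formed blob around a made-up modulus (not a real key)."""
    n = (1 << (bits - 1)) | 0x10001
    n0inv = (-pow(n, -1, 1 << 32)) % (1 << 32)
    size = bits // 8
    return (struct.pack(">II", bits, n0inv) + n.to_bytes(size, "big")
            + pow(2, 2 * bits, n).to_bytes(size, "big"))

if __name__ == "__main__":
    for name, bits in (("Wunderment-pkmd-2048.bin", 2048),
                       ("Wunderment-pkmd-4096.bin", 4096),
                       ("Wunderment-pkmd.bin", 4096)):  # constructed name, deliberate mismatch
        print(name, matches_name(name, build_sample(bits)))
```

To check a real file, pass `open(path, "rb").read()` to `matches_name` along with the file name. This confirms the size of the key in the pkmd file, not that it matches the key that signed a given zip.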
