Most modern manufacturers disallow unlocking the bootloader and flashing unsigned firmware, which is a requirement for this kind of thing.
c0l0•Feb 8, 2026
LineageOS isn't unsigned, it just happens to be signed by keys that are not "trusted" (i.e., allowed - thanks for the correction!) by the phone's bootloaders.
dijit•Feb 8, 2026
thats effectively the same thing.
The whole point of the majority of PKI (including secureboot) is that some third party agrees that the signature is valid; without that even though its “technically signed” it may as well not be.
c0l0•Feb 8, 2026
I disagree. If LineageOS builds were actually unsigned, I would have no way of verifying that release N was signed by the same private-key-bearing entity that signed release N-1, which I happen to have installed. It could be construed as the effective difference between a Trust On First Use (TOFU) vs. a Certificate Authority (CA) style ecosystem. I hope you can agree that TOFU is worth MUCH more than having no assurance about (continued) authorship at all.
dijit•Feb 8, 2026
Yes, I understand the value of signatures, but thats not how PKI works.
RedComet•Feb 8, 2026
If the owner of a device can't sign and install their own software, then your definition of PKI doesn't "work" at all.
The first party must be able to entirely decide that "some third party" for it to be anything more than an obfuscation of digital serfdom.
dijit•Feb 8, 2026
Did I misunderstand or HN is much stupider than I thought?
My definition of PKI is the one we’re using for TLS, some random array of “trusted” third parties can issue keys that are then validated against.
If you’re not in that list then signing can be valuable for other reasons, but PKI is not among them any longer as theres no distinction between self-signed and a semi-trusted entity: things will break.
If you expect your website to work with keys issued from your internal company CA; you would be surprised to find that random browsers distributed on the internet wouldn't trust it.
Wow, shocker.
Aachen•Feb 8, 2026
> My definition of PKI is the one we’re using for TLS, some random array of “trusted” third parties can issue keys
Maybe read the actual definition before assuming you're so much smarter than "HN". One doesn't need third parties to have pki, it's a concept, you can roll out your own
dijit•Feb 8, 2026
“read the actual definition”;stellar contribution there, mate. I checked and sure enough its exactly in line with my comments.
I’ve been discussing the practical implementation of PKI as it exists in the real world, specifically in the context of bootloader verification and TLS certificate validation. You know, the actual systems people use every day.
But please, do enlighten me with whatever Wikipedia definition you’ve just skimmed that you think contradicts anything I’ve said. Because here’s the thing: whether you want to pedantically define PKI as “any infrastructure involving public keys” or specifically as “a hierarchical trust model with certificate authorities,” my point stands completely unchanged.
In the context that spawned this entire thread, LineageOS and bootloader signature verification, there is a chain of trust, there are designated trusted authorities, and signatures outside that chain are rejected. That’s PKI. That’s how it works. That’s what I described.
If your objection is that I should have been more precise about distinguishing between “Web PKI” and “PKI generally,” then congratulations on missing the forest for the trees whilst simultaneously contributing absolutely nothing of substance to the discussion.
But sure, I’m the one who needs to read definitions. Perhaps you’d care to actually articulate which part of my explanation was functionally incorrect for the use case being discussed, rather than posting a single snarky sentence that says precisely nothing?
Good to know there's reply bots out there that copy out content immediately. I rarely run into edit conflicts (where someone reads before I add in another thing) but it happens, maybe this is why. Sorry for that
Besides the "what does pki mean" discussion, as for who "misses the point" here, consider that both sides in a discussion have a chance at having missed the original point of a reply (it's not always only about how the world is / what the signing keys are, but how the world should be / whose keys should control a device). But the previous post was already in such a tone that it really doesn't matter who's right, it's not a discussion worth having anymore
junon•Feb 8, 2026
You misunderstood, it appears.
dijit•Feb 8, 2026
Or its collective ignorance, can’t be sure.
Public key infrastructure without CAs isn’t a thing as far as I can see, I’m willing to be proven wrong, but I thought the I in PKI was all about the CA system.
We have PGP, but that's not PKI, thats peer-based public key cryptography.
close04•Feb 8, 2026
The difference between “PKI” and “just signing with a private key” is the trusted authority infrastructure. Without that you still get the benefit of signatures and some degree of verification, you can still validate what you install.
But in reality this trustworthiness check is handed over by the manufacturer to an infrastructure made up of these trusted parties in the owner’s name, and there’s nothing the owner can do about it. The owner may be able to validate software is signed with the expected key but still not be able to use it because the device wants PKI validation, not owner validation.
I’ve been self-signing stuff in my home and homelab for decades. Everything works just the same technically but step outside and my trustworthiness is 0 for everyone else who relies on PKI.
attila-lendvai•Feb 8, 2026
not allowed is a clearer language here.
snvzz•Feb 8, 2026
Because it is more profitable for smartphone makers if you need to buy a new one.
Unless there's legislation to force them to allow enrolling new keys or otherwise disabling secure boot, the abuse will continue.
realusername•Feb 8, 2026
Third party roms also do not include all the bloatware and spyware they are loading into the phone, they aren't a fan of losing control.
joecool1029•Feb 8, 2026
Takes time to bring up devices, LOS is a volunteer project, and manufacturers don’t send them devices like they used to. Finally, no matter what they rely on the manufacturers releasing kernel source for a release and some take months and ship squashed and/or incomplete source. Availability of bootloader unlocking is a factor but what I just said is the bigger reason for the delay.
spaqin•Feb 8, 2026
That's alright though. Recent devices still have manufacturer's support. LOS is a godsend for the older devices, often not as powerful as the new ones, that really need the lightweight, bloat free Android for smooth operation.
zozbot234•Feb 8, 2026
Yes, but note that very old devices will need mainline kernel support before newer AOSP/LineageOS releases can be ported to them. (Of course, this is also desirable as a way of supporting non-AOSP mobile Linux releases there, which are by far the most exciting development in the custom modding scene.) Old downstream kernels don't cut it any more.
ThatPlayer•Feb 8, 2026
Yeah, I kinda want to install on my LG V60, which no longer gets updates. But it breaks the dual screen on the phone, which is one of the unique features about this phone.
gogopowerranger•Feb 8, 2026
Doesn't matter at this point. It barely supports anything. Unless you mean a port from a random guy on xda. FU LOS devs.
throwaway270925•Feb 8, 2026
Are there any alternatives? For phones other than pixels? (Genuine question)
gear54rus•Feb 8, 2026
I run crdroid (now on pixel but before that it was xiaomi). I suggest your check it out.
fsflover•Feb 8, 2026
postmarketOS, Mobian.
JamesTRexx•Feb 8, 2026
I enjoyed LineageOS for years on my Samsung S4 until it finally broke from a fall.
It's a shame there was no image to install on my new Xcover 7, but not unexpected as it was a newly released phone. But I doubt there will be an alternative/stripped Android available for this model as I haven't seen anything supporting a Xcover version anywhere.
Best I can hope for is eventually a support for rooting and de-installing unwanted bloat with an app manager.
3 Comments
The whole point of the majority of PKI (including secureboot) is that some third party agrees that the signature is valid; without that even though its “technically signed” it may as well not be.
The first party must be able to entirely decide that "some third party" for it to be anything more than an obfuscation of digital serfdom.
My definition of PKI is the one we’re using for TLS, some random array of “trusted” third parties can issue keys that are then validated against.
If you’re not in that list then signing can be valuable for other reasons, but PKI is not among them any longer as theres no distinction between self-signed and a semi-trusted entity: things will break.
If you expect your website to work with keys issued from your internal company CA; you would be surprised to find that random browsers distributed on the internet wouldn't trust it.
Wow, shocker.
Maybe read the actual definition before assuming you're so much smarter than "HN". One doesn't need third parties to have pki, it's a concept, you can roll out your own
I’ve been discussing the practical implementation of PKI as it exists in the real world, specifically in the context of bootloader verification and TLS certificate validation. You know, the actual systems people use every day.
But please, do enlighten me with whatever Wikipedia definition you’ve just skimmed that you think contradicts anything I’ve said. Because here’s the thing: whether you want to pedantically define PKI as “any infrastructure involving public keys” or specifically as “a hierarchical trust model with certificate authorities,” my point stands completely unchanged.
In the context that spawned this entire thread, LineageOS and bootloader signature verification, there is a chain of trust, there are designated trusted authorities, and signatures outside that chain are rejected. That’s PKI. That’s how it works. That’s what I described.
If your objection is that I should have been more precise about distinguishing between “Web PKI” and “PKI generally,” then congratulations on missing the forest for the trees whilst simultaneously contributing absolutely nothing of substance to the discussion.
But sure, I’m the one who needs to read definitions. Perhaps you’d care to actually articulate which part of my explanation was functionally incorrect for the use case being discussed, rather than posting a single snarky sentence that says precisely nothing?
EDIT: your edit is much more nuanced but still misses the point; https://imgur.com/a/n2VwltC
Besides the "what does pki mean" discussion, as for who "misses the point" here, consider that both sides in a discussion have a chance at having missed the original point of a reply (it's not always only about how the world is / what the signing keys are, but how the world should be / whose keys should control a device). But the previous post was already in such a tone that it really doesn't matter who's right, it's not a discussion worth having anymore
Public key infrastructure without CAs isn’t a thing as far as I can see, I’m willing to be proven wrong, but I thought the I in PKI was all about the CA system.
We have PGP, but that's not PKI, thats peer-based public key cryptography.
But in reality this trustworthiness check is handed over by the manufacturer to an infrastructure made up of these trusted parties in the owner’s name, and there’s nothing the owner can do about it. The owner may be able to validate software is signed with the expected key but still not be able to use it because the device wants PKI validation, not owner validation.
I’ve been self-signing stuff in my home and homelab for decades. Everything works just the same technically but step outside and my trustworthiness is 0 for everyone else who relies on PKI.
Unless there's legislation to force them to allow enrolling new keys or otherwise disabling secure boot, the abuse will continue.