ROMbsr solves the critical security flaw in Android ROM development: signing keys on build servers. Our innovative GitOps-based architecture ensures your signing keys NEVER leave the HSM, while providing complete automation, auditability, and resumable builds for GrapheneOS and CalyxOS.
Every Android ROM must be cryptographically signed for security. Traditional build systems require signing keys on build servers - a critical vulnerability. If your build server is compromised, your signing keys are exposed, allowing attackers to sign malicious ROMs as you. ROMbsr eliminates this risk entirely through architectural innovation.
Revolutionary architecture where signing keys NEVER leave the HSM. Build servers generate signing requests, not signatures. Even with root access to build infrastructure, attackers cannot access your keys.
Innovative use of Git as an immutable, cryptographically-verified queue. Every signing request and response is tracked, providing forensic-level auditability and enabling asynchronous, distributed workflows.
Sophisticated state machine tracks 9 build stages with transactional checkpoints. When a 6-hour build fails at hour 5, resume exactly where it stopped. No more starting from scratch.
Production-tested with systemd services, Prometheus metrics, structured logging, and Kubernetes support. Handles the scale of nightly builds for multiple devices across distributed infrastructure.
Modular design supports GrapheneOS and CalyxOS out-of-box. Each ROM's unique build requirements are abstracted into modules, while sharing common orchestration, state management, and signing infrastructure.
Implements security shift-left with request capture for builds. Unified CLI auto-detects environment and role. Structured logs, comprehensive metrics, and clear error messages designed for automation.
ROMbsr introduces several architectural innovations that make it a uniquely secure and reliable solution for Android ROM development, aligned with modern DevSecOps principles.
Unlike bolt-on HSM integrations, ROMbsr was designed from the ground up for HSM-based signing. Custom PKCS#11 libraries provide seamless abstraction. Build nodes use request capture (libmock_pkcs11.so), sign nodes use real HSM operations.
GitOps-based queue decouples build and sign operations. Build nodes push requests, sign nodes pull and process. This enables geographic distribution and air-gapped signing environments.
Separates APK signing, AVB chain-of-trust, and OTA metadata signing into distinct stages. Each stage has appropriate security controls and can be independently verified.
Request capture allows builds to complete without HSM access, deferring signing to secure nodes
Git history provides cryptographically-signed, tamper-evident logs of all operations
All HSM operations automated while maintaining security through role-based auth keys
Prometheus metrics track signing operations, key usage, and security events
No component trusts another by default; all operations verified cryptographically
Automated policy enforcement ensures signing follows security requirements
# Traditional Approach - Keys on Build Server (INSECURE)
$ cd android-build/
$ ./sign_target_files_apks -o \\
--default_key_mappings ~/.android-certs \\
target-files.zip signed-target-files.zip
# Risk: ~/.android-certs exposed if server compromised
# ROMbsr Approach - Keys Never Leave HSM (SECURE)
$ bin/rombsr build grapheneos shiba
# Creates signing requests, keys stay in HSM
$ bin/rombsr sign --continuous
# HSM processes requests, returns signatures onlyUnderstanding why ROMbsr's architecture is revolutionary requires comparing it to how Android ROMs are typically built and signed.
| Aspect | Traditional Approach | ROMbsr Approach |
|---|---|---|
| Key Storage | ❌ Signing keys on build server filesystem | ✅ Keys never leave HSM hardware |
| Security Model | ❌ Perimeter security (if server compromised, keys exposed) | ✅ Zero-trust (server compromise cannot expose keys) |
| Build Failures | ❌ Start 6-hour build from scratch | ✅ Resume from exact failure point |
| Audit Trail | ❌ Server logs (can be tampered) | ✅ Immutable Git history with cryptographic signatures |
| Build Process | ❌ Build tools need direct access to signing keys | ✅ Request capture allows builds without key access |
| Compliance | ❌ Difficult to prove key handling practices | ✅ Cryptographic proof of all operations |
Checkpoint-based resumption eliminates re-running successful build stages. A failed 6-hour build can be resumed in minutes instead of starting over.
Mathematical impossibility for signing keys to be extracted from HSM. Even with root access to all build infrastructure, attackers cannot sign malicious ROMs.
Every signing operation recorded in Git with cryptographic proof. Meets requirements for regulated industries and security audits.
ROMbsr is designed for organizations and projects that require enterprise-grade security for Android ROM development.
Challenge: Need custom Android builds for corporate devices with guaranteed security.
Solution: ROMbsr ensures signing keys are protected to financial-industry standards while enabling automated nightly builds.
Challenge: Projects like GrapheneOS require absolute key security to maintain user trust.
Solution: HSM integration and audit trails provide cryptographic proof that keys cannot be compromised.
Challenge: Regulatory requirements for key management and audit trails.
Solution: ROMbsr's architecture exceeds FIPS 140-2 Level 3 requirements with complete operation logging.
Challenge: HIPAA/PCI compliance requires proven security controls.
Solution: Immutable audit logs and HSM-based signing demonstrate compliance with data protection regulations.
Challenge: Need to sign firmware for thousands of Android-based devices securely.
Solution: Automated signing pipeline scales to handle high-volume production while maintaining security.
Challenge: Users need verifiable proof that ROMs haven't been tampered with.
Solution: Public audit logs and reproducible builds enable community verification of all releases.
Get up and running with ROMbsr in development mode in minutes
git clone https://github.com/xoraxiom/ROMbsr.git
cd rombsr
touch .rombsr-root # Enable development mode
make all # Build PKCS#11 librariesbin/rombsr init
# Creates configuration templates and directory structure
# Edit config/common.conf for your environment# Dry run to verify configuration
bin/rombsr build grapheneos shiba --dry-run
# Start actual build (4-6 hours, ~400GB space)
bin/rombsr build grapheneos shiba# On signing node with HSM attached
bin/rombsr sign --continuous
# Or process once
bin/rombsr sign --onceFor production environments, ROMbsr provides:
# Install systemd services
sudo cp contrib/systemd/*.service /etc/systemd/system/
sudo systemctl enable --now rombsr-sign.service
sudo systemctl enable --now rombsr-monitor.service
# Check metrics
curl http://localhost:9090/metrics | grep rombsr_