Update root CA certificates for legacy Android AppSupport system

General
1

Legacy devices like Jolla 1 and Jolla C use ancient AppSupport implementations (AlienDalvik), which are equivalent to Android 4.1 or 4.4 and never got updated with SFOS updates.

One problem emerging from this is the oudated list of root CA certificates bundled with AppSupport. Whenever an Android app (e. g. the F-Droid Classic store) contacts a website (e. g. a package repository) which relies on a newer root CA, the connection will be refused.

Installing the current root CA of Let’s Encrypt, as explained here: Root cert problems on AppSupport 4.4.4 - #2 by ugeuder, already solves many of the problems due to the popularity of Let’s Encrypt. But from time to time other root CAs are missing in the list. Then one needs to find out the relevant root CA, find and download the right certificate somewhere on the web and install this one as well.

I’m wondering how to update the complete root CA collection at once.

1 Like
2

The current root CA collection officially shipped with Android can be found here: files - platform/system/ca-certificates - Git at Google. To install this collection, proceed as follows:

  1. Create a folder, e.g. my-ca-certs in a suitable location (with a file brower or in the terminal with mkdir my-ca-certs).
  2. Download the archive of all certificates by clicking onto “tgz” in the website mentioned above and store it in your chosen folder. This should yield a file named ca-certificates-refs_heads_main-files.tar.gz.
  3. Assuming you are in your certificate folder from Step 1, create a subfolder, e. g. new, for extracting the archive:
    mkdir new
  4. Extract the certificates contained in the archive into the new folder:
    tar -xf ca-certificates-refs_heads_main-files.tar.gz -C new/
  5. Create a subfolder, e. g. bak, for backing-up the current certificate collection:
    mkdir bak
  6. Create a backup of the existing root certificate collection of the AppSupport system:
    cp /opt/alien/system/etc/security/cacerts/* bak/
  7. Copy the new certifcate collection into the AppSupport system:
    devel-su cp new/* /opt/alien/system/etc/security/cacerts/
5 Likes