diff --git a/Patches/Common/android_vendor_divested/overlay/common/frameworks/base/core/res/res/values/config.xml b/Patches/Common/android_vendor_divested/overlay/common/frameworks/base/core/res/res/values/config.xml
index 24a3e667..b5252ba6 100644
--- a/Patches/Common/android_vendor_divested/overlay/common/frameworks/base/core/res/res/values/config.xml
+++ b/Patches/Common/android_vendor_divested/overlay/common/frameworks/base/core/res/res/values/config.xml
@@ -123,10 +123,10 @@
<string-array name="config_locationProviderPackageNames" translatable="false">
<!-- The standard AOSP fused location provider -->
<item>com.android.location.fused</item>
- <!-- UnifiedNLP -->
- <item>org.microg.nlp</item>
- <!-- Play/microG -->
- <item>com.google.android.gms</item>
+ <!-- UnifiedNLP
+ <item>org.microg.nlp</item> -->
+ <!-- Play/microG
+ <item>com.google.android.gms</item> -->
</string-array>
<!-- Package name providing Hardware Activity-Recognition API support. Used only when
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0021-Hardened-signature-spoofing.patch b/Patches/LineageOS-17.1/android_frameworks_base/0021-Hardened-signature-spoofing.patch
new file mode 100644
index 00000000..00470dae
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_frameworks_base/0021-Hardened-signature-spoofing.patch
@@ -0,0 +1,137 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Mon, 3 Jul 2023 12:00:12 -0400
+Subject: [PATCH] Hardened signature spoofing
+
+- Must be enabled by user
+- Must match microG package ID
+- Must match official microG build signing key
+- Only spoofs the Google package signature
+
+This is an effective merge + tweak of two existing patches, credits:
+ Dylanger Daly
+ https://github.com/dylangerdaly/platform_frameworks_base/commit/b58aa11631fadab3309a1d9268118bd9f2c2a79f
+ Chirayu Desai of CalyxOS
+ https://gitlab.com/CalyxOS/platform_frameworks_base/-/commit/76485abb36dc01b65506b010d0458e96e0116369
+
+Change-Id: I64a252aac9bb196a11ed7b4b5d8c7e59a3413bd4
+---
+ .../android/content/pm/PackageParser.java | 32 +++++++++++++++
+ core/res/res/values/config.xml | 2 +
+ .../server/pm/PackageManagerService.java | 40 ++++++++++++++++++-
+ 3 files changed, 72 insertions(+), 2 deletions(-)
+
+diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
+index 7f728febe5d9..119603e6c266 100644
+--- a/core/java/android/content/pm/PackageParser.java
++++ b/core/java/android/content/pm/PackageParser.java
+@@ -6346,6 +6346,38 @@ public class PackageParser {
+ return false;
+ }
+
++ /**
++ * Return the Cerificate's Digest
++ */
++ public @Nullable String getSha256Certificate() {
++ return getSha256CertificateInternal();
++ }
++
++ private @Nullable String getSha256CertificateInternal() {
++ String digest;
++ if (this == UNKNOWN) {
++ return null;
++ }
++ if (hasPastSigningCertificates()) {
++
++ // check all past certs, except for the last one, which automatically gets all
++ // capabilities, since it is the same as the current signature, and is checked below
++ for (int i = 0; i < pastSigningCertificates.length - 1; i++) {
++ digest = PackageUtils.computeSha256Digest(
++ pastSigningCertificates[i].toByteArray());
++ return digest;
++ }
++ }
++
++ // not in previous certs signing history, just check the current signer
++ if (signatures.length == 1) {
++ digest =
++ PackageUtils.computeSha256Digest(signatures[0].toByteArray());
++ return digest;
++ }
++ return null;
++ }
++
+ /** Returns true if the signatures in this and other match exactly. */
+ public boolean signaturesMatchExactly(SigningDetails other) {
+ return Signature.areExactMatch(this.signatures, other.signatures);
+diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml
+index a84d23b624bf..89754ba11ef2 100644
+--- a/core/res/res/values/config.xml
++++ b/core/res/res/values/config.xml
+@@ -1875,6 +1875,8 @@
+ <string-array name="config_locationProviderPackageNames" translatable="false">
+ <!-- The standard AOSP fused location provider -->
+ <item>com.android.location.fused</item>
++ <!-- The (faked) microg fused location provider (a free reimplementation)
++ <item>com.google.android.gms</item> -->
+ </string-array>
+
+ <!-- This string array can be overriden to enable test location providers initially. -->
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index 1bd1396c6d45..1831c3770f51 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -4203,8 +4203,19 @@ public class PackageManagerService extends IPackageManager.Stub
+ });
+ }
+
+- PackageInfo packageInfo = PackageParser.generatePackageInfo(p, gids, flags,
+- ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId);
++ // Allow microG GmsCore and FakeStore to spoof signature
++ final boolean isMicroG = ArrayUtils.contains(MICROG_FAKE_SIGNATURE_PACKAGES,
++ p.getPackageName());
++ PackageInfo packageInfo;
++ if (isMicroG && SystemProperties.getBoolean(SPOOF_CONTROL, false)) {
++ packageInfo = fakeSignature(p, PackageParser.generatePackageInfo(p, gids, flags,
++ ps.firstInstallTime, ps.lastUpdateTime, permissions, state,
++ userId, ps), permissions);
++ } else {
++ packageInfo =PackageParser.generatePackageInfo(p, gids, flags,
++ ps.firstInstallTime, ps.lastUpdateTime, permissions, state,
++ userId, ps);
++ }
+
+ if (packageInfo == null) {
+ return null;
+@@ -4240,6 +4251,31 @@ public class PackageManagerService extends IPackageManager.Stub
+ }
+ }
+
++ // The setting to control spoofing enablement.
++ private static final String SPOOF_CONTROL = "persist.security.sigspoof";
++ // The Google signature faked by microG.
++ private static final String GOOGLE_CERT = "308204433082032ba003020102020900c2e08746644a308d300d06092a864886f70d01010405003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964301e170d3038303832313233313333345a170d3336303130373233313333345a3074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f696430820120300d06092a864886f70d01010105000382010d00308201080282010100ab562e00d83ba208ae0a966f124e29da11f2ab56d08f58e2cca91303e9b754d372f640a71b1dcb130967624e4656a7776a92193db2e5bfb724a91e77188b0e6a47a43b33d9609b77183145ccdf7b2e586674c9e1565b1f4c6a5955bff251a63dabf9c55c27222252e875e4f8154a645f897168c0b1bfc612eabf785769bb34aa7984dc7e2ea2764cae8307d8c17154d7ee5f64a51a44a602c249054157dc02cd5f5c0e55fbef8519fbe327f0b1511692c5a06f19d18385f5c4dbc2d6b93f68cc2979c70e18ab93866b3bd5db8999552a0e3b4c99df58fb918bedc182ba35e003c1b4b10dd244a8ee24fffd333872ab5221985edab0fc0d0b145b6aa192858e79020103a381d93081d6301d0603551d0e04160414c77d8cc2211756259a7fd382df6be398e4d786a53081a60603551d2304819e30819b8014c77d8cc2211756259a7fd382df6be398e4d786a5a178a4763074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964820900c2e08746644a308d300c0603551d13040530030101ff300d06092a864886f70d010104050003820101006dd252ceef85302c360aaace939bcff2cca904bb5d7a1661f8ae46b2994204d0ff4a68c7ed1a531ec4595a623ce60763b167297a7ae35712c407f208f0cb109429124d7b106219c084ca3eb3f9ad5fb871ef92269a8be28bf16d44c8d9a08e6cb2f005bb3fe2cb96447e868e731076ad45b33f6009ea19c161e62641aa99271dfd5228c5c587875ddb7f452758d661f6cc0cccb7352e424cc4365c523532f7325137593c4ae341f4db41edda0d0b1071a7c440f0fe9ea01cb627ca674369d084bd2fd911ff06cdbf2cfa10dc0f893ae35762919048c7efc64c7144178342f70581c9de573af55b390dd7fdb9418631895d5f759f30112687ff621410c069308a";
++ // The signing key hash of official microG builds.
++ private static final String MICROG_HASH = "9BD06727E62796C0130EB6DAB39B73157451582CBD138E86C468ACC395D14165";
++ // List of packages which require signature spoofing.
++ private static final String[] MICROG_FAKE_SIGNATURE_PACKAGES = new String[] { "com.google.android.gms", "com.android.vending" };
++
++ private PackageInfo fakeSignature(AndroidPackage p, PackageInfo pi,
++ Set<String> permissions) {
++ String hash = p.getSigningDetails().getSha256Certificate();
++ try {
++ if (hash.equals(MICROG_HASH)) {
++ pi.signatures = new Signature[] {new Signature(GOOGLE_CERT)};
++ if (DEBUG_PACKAGE_INFO) {
++ Log.v(TAG, "Spoofing signature for microG");
++ }
++ }
++ } catch (Throwable t) {
++ Log.w("Unable to fake signature!", t);
++ }
++ return pi;
++ }
++
+ @Override
+ public void checkPackageStartable(String packageName, int userId) {
+ final int callingUid = Binder.getCallingUid();
diff --git a/Patches/LineageOS-17.1/android_packages_apps_Settings/0005-Automatic_Reboot.patch b/Patches/LineageOS-17.1/android_packages_apps_Settings/0005-Automatic_Reboot.patch
index 612fd4a9..044893f7 100644
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0005-Automatic_Reboot.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0005-Automatic_Reboot.patch
@@ -55,7 +55,7 @@ index b983f467df..5813bb18db 100644
<item msgid="6490061470416867723">Small</item>
<item msgid="3579015730662088893">Default</item>
diff --git a/res/values/strings.xml b/res/values/strings.xml
-index f6e3b0f62d..8f4a3c6115 100644
+index 2180ea45f6..eeee1c039f 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -810,6 +810,9 @@
diff --git a/Patches/LineageOS-17.1/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch b/Patches/LineageOS-17.1/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch
index b6195ddb..bbed0a6d 100644
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch
@@ -67,7 +67,7 @@ index 5813bb18db..40d01907a4 100644
<string-array name="screen_timeout_entries">
<item>15 seconds</item>
diff --git a/res/values/strings.xml b/res/values/strings.xml
-index 8f4a3c6115..ef517e8503 100644
+index eeee1c039f..c5287c4489 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -25,6 +25,25 @@
diff --git a/Patches/LineageOS-17.1/android_packages_apps_Settings/0007-WiFi_Timeout.patch b/Patches/LineageOS-17.1/android_packages_apps_Settings/0007-WiFi_Timeout.patch
index 3f80d913..173fb8a7 100644
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0007-WiFi_Timeout.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0007-WiFi_Timeout.patch
@@ -67,7 +67,7 @@ index 40d01907a4..0a9a9a31e8 100644
<string-array name="screen_timeout_entries">
<item>15 seconds</item>
diff --git a/res/values/strings.xml b/res/values/strings.xml
-index ef517e8503..228d9570dd 100644
+index c5287c4489..0f254706ff 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -44,6 +44,25 @@
diff --git a/Patches/LineageOS-17.1/android_packages_apps_Settings/0008-ptrace_scope.patch b/Patches/LineageOS-17.1/android_packages_apps_Settings/0008-ptrace_scope.patch
index 0110274c..e9348fc6 100644
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0008-ptrace_scope.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0008-ptrace_scope.patch
@@ -12,7 +12,7 @@ Subject: [PATCH] add native debugging setting
create mode 100644 src/com/android/settings/security/NativeDebugPreferenceController.java
diff --git a/res/values/strings.xml b/res/values/strings.xml
-index 228d9570dd..d965a63b0d 100644
+index 0f254706ff..fcac812417 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -11316,6 +11316,9 @@
diff --git a/Patches/LineageOS-17.1/android_packages_apps_Settings/0009-exec_spawning_toggle.patch b/Patches/LineageOS-17.1/android_packages_apps_Settings/0009-exec_spawning_toggle.patch
index 6327853e..e7e6b123 100644
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0009-exec_spawning_toggle.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0009-exec_spawning_toggle.patch
@@ -12,7 +12,7 @@ Subject: [PATCH] add exec spawning toggle
create mode 100644 src/com/android/settings/security/ExecSpawnPreferenceController.java
diff --git a/res/values/strings.xml b/res/values/strings.xml
-index d965a63b0d..e7dcf62ddc 100644
+index fcac812417..197882d66e 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -11316,6 +11316,8 @@
diff --git a/Patches/LineageOS-17.1/android_packages_apps_Settings/0011-LTE_Only_Mode.patch b/Patches/LineageOS-17.1/android_packages_apps_Settings/0011-LTE_Only_Mode.patch
index 7d2d6166..4ba8b5b0 100644
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0011-LTE_Only_Mode.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0011-LTE_Only_Mode.patch
@@ -106,7 +106,7 @@ index 6d95bcc58b..072004e447 100644
<item>"18"</item>
<item>"1"</item>
diff --git a/res/values/strings.xml b/res/values/strings.xml
-index e7dcf62ddc..fedb9f3fde 100644
+index 197882d66e..88bd100122 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -10942,6 +10942,8 @@
diff --git a/Patches/LineageOS-17.1/android_packages_apps_Settings/0012-hosts_toggle.patch b/Patches/LineageOS-17.1/android_packages_apps_Settings/0012-hosts_toggle.patch
index 44750f22..0381aa75 100644
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0012-hosts_toggle.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0012-hosts_toggle.patch
@@ -16,7 +16,7 @@ Change-Id: Ic01a142722372d9d57f52947025cd9db23e58ef4
create mode 100644 src/com/android/settings/security/HostsPreferenceController.java
diff --git a/res/values/strings.xml b/res/values/strings.xml
-index fedb9f3fde..b5dbdc7d81 100644
+index 88bd100122..a64940d793 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -11327,6 +11327,9 @@
diff --git a/Patches/LineageOS-17.1/android_packages_apps_Settings/0014-signature_spoofing_toggle.patch b/Patches/LineageOS-17.1/android_packages_apps_Settings/0014-signature_spoofing_toggle.patch
new file mode 100644
index 00000000..aee409a5
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0014-signature_spoofing_toggle.patch
@@ -0,0 +1,172 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Wed, 20 Apr 2022 01:04:27 -0400
+Subject: [PATCH] Add a toggle to opt-in to restricted signature spoofing
+
+Copy and pasted from the GrapheneOS exec spawning toggle patch
+
+Change-Id: Ibea6ea9bed1c2ae3491f403d9e5c17c1d1c403f1
+Signed-off-by: Tad <tad@spotco.us>
+---
+ res/values/strings.xml | 3 +
+ res/xml/security_dashboard_settings.xml | 6 +
+ .../settings/security/SecuritySettings.java | 1 +
+ .../SigSpoofPreferenceController.java | 106 ++++++++++++++++++
+ 4 files changed, 116 insertions(+)
+ create mode 100644 src/com/android/settings/security/SigSpoofPreferenceController.java
+
+diff --git a/res/values/strings.xml b/res/values/strings.xml
+index a64940d793..a0149bc124 100644
+--- a/res/values/strings.xml
++++ b/res/values/strings.xml
+@@ -11330,6 +11330,9 @@
+ <string name="hosts_disable_title">Disable DNS content blocker</string>
+ <string name="hosts_disable_summary">Disables use of the included /etc/hosts database for data collection and malware blocking.</string>
+
++ <string name="sig_spoof_title">microG enablement (not recommended)</string>
++ <string name="sig_spoof_summary">Allows official builds of microG apps to spoof the Google signature. Not supported, not recommended. May break apps and/or degrade their security model. Notes: 1) microG connects directly to Google, 2) microG can download/execute proprietary code from Google, 3) apps talking to microG do so using proprietary Google libraries.</string>
++
+ <!-- Title for the top level Privacy Settings [CHAR LIMIT=30]-->
+ <string name="privacy_dashboard_title">Privacy</string>
+ <!-- Summary for the top level Privacy Settings [CHAR LIMIT=NONE]-->
+diff --git a/res/xml/security_dashboard_settings.xml b/res/xml/security_dashboard_settings.xml
+index 23a39d3106..c5a6c8cada 100644
+--- a/res/xml/security_dashboard_settings.xml
++++ b/res/xml/security_dashboard_settings.xml
+@@ -81,6 +81,12 @@
+ android:title="@string/hosts_disable_title"
+ android:summary="@string/hosts_disable_summary"
+ android:persistent="false" />
++
++ <SwitchPreference
++ android:key="sig_spoof"
++ android:title="@string/sig_spoof_title"
++ android:summary="@string/sig_spoof_summary"
++ android:persistent="false" />
+ </PreferenceCategory>
+
+ <!-- work profile security section -->
+diff --git a/src/com/android/settings/security/SecuritySettings.java b/src/com/android/settings/security/SecuritySettings.java
+index 88ba2ece3a..3ba3f518b0 100644
+--- a/src/com/android/settings/security/SecuritySettings.java
++++ b/src/com/android/settings/security/SecuritySettings.java
+@@ -124,6 +124,7 @@ public class SecuritySettings extends DashboardFragment {
+ securityPreferenceControllers.add(new ExecSpawnPreferenceController(context));
+ securityPreferenceControllers.add(new NativeDebugPreferenceController(context));
+ securityPreferenceControllers.add(new HostsPreferenceController(context));
++ securityPreferenceControllers.add(new SigSpoofPreferenceController(context));
+ controllers.add(new PreferenceCategoryController(context, SECURITY_CATEGORY)
+ .setChildren(securityPreferenceControllers));
+ controllers.addAll(securityPreferenceControllers);
+diff --git a/src/com/android/settings/security/SigSpoofPreferenceController.java b/src/com/android/settings/security/SigSpoofPreferenceController.java
+new file mode 100644
+index 0000000000..258b59b0b0
+--- /dev/null
++++ b/src/com/android/settings/security/SigSpoofPreferenceController.java
+@@ -0,0 +1,106 @@
++/*
++ * Copyright (C) 2022 The Android Open Source Project
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License
++ */
++
++package com.android.settings.security;
++
++import android.content.Context;
++
++import android.os.UserHandle;
++import android.os.UserManager;
++import android.os.SystemProperties;
++
++import android.provider.Settings;
++
++import androidx.preference.Preference;
++import androidx.preference.PreferenceCategory;
++import androidx.preference.PreferenceGroup;
++import androidx.preference.PreferenceScreen;
++import androidx.preference.TwoStatePreference;
++import androidx.preference.SwitchPreference;
++
++import com.android.internal.widget.LockPatternUtils;
++import com.android.settings.core.PreferenceControllerMixin;
++import com.android.settingslib.core.AbstractPreferenceController;
++import com.android.settingslib.core.lifecycle.events.OnResume;
++
++public class SigSpoofPreferenceController extends AbstractPreferenceController
++ implements PreferenceControllerMixin, OnResume, Preference.OnPreferenceChangeListener {
++
++ private static final String SYS_KEY_SIG_SPOOF_ENABLE = "persist.security.sigspoof";
++ private static final String PREF_KEY_SIG_SPOOF_ENABLE = "sig_spoof";
++ private static final String PREF_KEY_SECURITY_CATEGORY = "security_category";
++
++ private PreferenceCategory mSecurityCategory;
++ private SwitchPreference mSigSpoofEnable;
++ private boolean mIsAdmin;
++ private UserManager mUm;
++
++ public SigSpoofPreferenceController(Context context) {
++ super(context);
++ mUm = UserManager.get(context);
++ }
++
++ @Override
++ public void displayPreference(PreferenceScreen screen) {
++ super.displayPreference(screen);
++ mSecurityCategory = screen.findPreference(PREF_KEY_SECURITY_CATEGORY);
++ updatePreferenceState();
++ }
++
++ @Override
++ public boolean isAvailable() {
++ mIsAdmin = mUm.isAdminUser();
++ return mIsAdmin;
++ }
++
++ @Override
++ public String getPreferenceKey() {
++ return PREF_KEY_SIG_SPOOF_ENABLE;
++ }
++
++ // TODO: should we use onCreatePreferences() instead?
++ private void updatePreferenceState() {
++ if (mSecurityCategory == null) {
++ return;
++ }
++
++ if (mIsAdmin) {
++ mSigSpoofEnable = (SwitchPreference) mSecurityCategory.findPreference(PREF_KEY_SIG_SPOOF_ENABLE);
++ mSigSpoofEnable.setChecked(SystemProperties.getInt(SYS_KEY_SIG_SPOOF_ENABLE, 0) == 1);
++ } else {
++ mSecurityCategory.removePreference(mSecurityCategory.findPreference(PREF_KEY_SIG_SPOOF_ENABLE));
++ }
++ }
++
++ @Override
++ public void onResume() {
++ updatePreferenceState();
++ if (mSigSpoofEnable != null) {
++ boolean mode = mSigSpoofEnable.isChecked();
++ SystemProperties.set(SYS_KEY_SIG_SPOOF_ENABLE, mode ? "1" : "0");
++ }
++ }
++
++ @Override
++ public boolean onPreferenceChange(Preference preference, Object value) {
++ final String key = preference.getKey();
++ if (PREF_KEY_SIG_SPOOF_ENABLE.equals(key)) {
++ final boolean mode = !mSigSpoofEnable.isChecked();
++ SystemProperties.set(SYS_KEY_SIG_SPOOF_ENABLE, mode ? "1" : "0");
++ }
++ return true;
++ }
++}
diff --git a/Patches/LineageOS-18.1/android_frameworks_base/0024-Hardened-signature-spoofing.patch b/Patches/LineageOS-18.1/android_frameworks_base/0024-Hardened-signature-spoofing.patch
new file mode 100644
index 00000000..12f3a439
--- /dev/null
+++ b/Patches/LineageOS-18.1/android_frameworks_base/0024-Hardened-signature-spoofing.patch
@@ -0,0 +1,137 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Mon, 3 Jul 2023 12:00:12 -0400
+Subject: [PATCH] Hardened signature spoofing
+
+- Must be enabled by user
+- Must match microG package ID
+- Must match official microG build signing key
+- Only spoofs the Google package signature
+
+This is an effective merge + tweak of two existing patches, credits:
+ Dylanger Daly
+ https://github.com/dylangerdaly/platform_frameworks_base/commit/b58aa11631fadab3309a1d9268118bd9f2c2a79f
+ Chirayu Desai of CalyxOS
+ https://gitlab.com/CalyxOS/platform_frameworks_base/-/commit/76485abb36dc01b65506b010d0458e96e0116369
+
+Change-Id: I64a252aac9bb196a11ed7b4b5d8c7e59a3413bd4
+---
+ .../android/content/pm/PackageParser.java | 32 +++++++++++++++
+ core/res/res/values/config.xml | 2 +
+ .../server/pm/PackageManagerService.java | 40 ++++++++++++++++++-
+ 3 files changed, 72 insertions(+), 2 deletions(-)
+
+diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
+index 57f8a713ec13..ec2cf1ace99f 100644
+--- a/core/java/android/content/pm/PackageParser.java
++++ b/core/java/android/content/pm/PackageParser.java
+@@ -6457,6 +6457,38 @@ public class PackageParser {
+ return false;
+ }
+
++ /**
++ * Return the Cerificate's Digest
++ */
++ public @Nullable String getSha256Certificate() {
++ return getSha256CertificateInternal();
++ }
++
++ private @Nullable String getSha256CertificateInternal() {
++ String digest;
++ if (this == UNKNOWN) {
++ return null;
++ }
++ if (hasPastSigningCertificates()) {
++
++ // check all past certs, except for the last one, which automatically gets all
++ // capabilities, since it is the same as the current signature, and is checked below
++ for (int i = 0; i < pastSigningCertificates.length - 1; i++) {
++ digest = PackageUtils.computeSha256Digest(
++ pastSigningCertificates[i].toByteArray());
++ return digest;
++ }
++ }
++
++ // not in previous certs signing history, just check the current signer
++ if (signatures.length == 1) {
++ digest =
++ PackageUtils.computeSha256Digest(signatures[0].toByteArray());
++ return digest;
++ }
++ return null;
++ }
++
+ /** Returns true if the signatures in this and other match exactly. */
+ public boolean signaturesMatchExactly(SigningDetails other) {
+ return Signature.areExactMatch(this.signatures, other.signatures);
+diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml
+index f4efcc7e4eec..6ff71f0e6d2e 100644
+--- a/core/res/res/values/config.xml
++++ b/core/res/res/values/config.xml
+@@ -1654,6 +1654,8 @@
+ <string-array name="config_locationProviderPackageNames" translatable="false">
+ <!-- The standard AOSP fused location provider -->
+ <item>com.android.location.fused</item>
++ <!-- The (faked) microg fused location provider (a free reimplementation)
++ <item>com.google.android.gms</item> -->
+ </string-array>
+
+ <!-- This string array can be overriden to enable test location providers initially. -->
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index 9611b381942c..900ba7ba68d2 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -4465,8 +4465,19 @@ public class PackageManagerService extends IPackageManager.Stub
+ });
+ }
+
+- PackageInfo packageInfo = PackageInfoUtils.generate(p, gids, flags,
+- ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps);
++ // Allow microG GmsCore and FakeStore to spoof signature
++ final boolean isMicroG = ArrayUtils.contains(MICROG_FAKE_SIGNATURE_PACKAGES,
++ p.getPackageName());
++ PackageInfo packageInfo;
++ if (isMicroG && SystemProperties.getBoolean(SPOOF_CONTROL, false)) {
++ packageInfo = fakeSignature(p, PackageInfoUtils.generate(p, gids, flags,
++ ps.firstInstallTime, ps.lastUpdateTime, permissions, state,
++ userId, ps), permissions);
++ } else {
++ packageInfo = PackageInfoUtils.generate(p, gids, flags,
++ ps.firstInstallTime, ps.lastUpdateTime, permissions, state,
++ userId, ps);
++ }
+
+ if (packageInfo == null) {
+ return null;
+@@ -4502,6 +4513,31 @@ public class PackageManagerService extends IPackageManager.Stub
+ }
+ }
+
++ // The setting to control spoofing enablement.
++ private static final String SPOOF_CONTROL = "persist.security.sigspoof";
++ // The Google signature faked by microG.
++ private static final String GOOGLE_CERT = "308204433082032ba003020102020900c2e08746644a308d300d06092a864886f70d01010405003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964301e170d3038303832313233313333345a170d3336303130373233313333345a3074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f696430820120300d06092a864886f70d01010105000382010d00308201080282010100ab562e00d83ba208ae0a966f124e29da11f2ab56d08f58e2cca91303e9b754d372f640a71b1dcb130967624e4656a7776a92193db2e5bfb724a91e77188b0e6a47a43b33d9609b77183145ccdf7b2e586674c9e1565b1f4c6a5955bff251a63dabf9c55c27222252e875e4f8154a645f897168c0b1bfc612eabf785769bb34aa7984dc7e2ea2764cae8307d8c17154d7ee5f64a51a44a602c249054157dc02cd5f5c0e55fbef8519fbe327f0b1511692c5a06f19d18385f5c4dbc2d6b93f68cc2979c70e18ab93866b3bd5db8999552a0e3b4c99df58fb918bedc182ba35e003c1b4b10dd244a8ee24fffd333872ab5221985edab0fc0d0b145b6aa192858e79020103a381d93081d6301d0603551d0e04160414c77d8cc2211756259a7fd382df6be398e4d786a53081a60603551d2304819e30819b8014c77d8cc2211756259a7fd382df6be398e4d786a5a178a4763074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964820900c2e08746644a308d300c0603551d13040530030101ff300d06092a864886f70d010104050003820101006dd252ceef85302c360aaace939bcff2cca904bb5d7a1661f8ae46b2994204d0ff4a68c7ed1a531ec4595a623ce60763b167297a7ae35712c407f208f0cb109429124d7b106219c084ca3eb3f9ad5fb871ef92269a8be28bf16d44c8d9a08e6cb2f005bb3fe2cb96447e868e731076ad45b33f6009ea19c161e62641aa99271dfd5228c5c587875ddb7f452758d661f6cc0cccb7352e424cc4365c523532f7325137593c4ae341f4db41edda0d0b1071a7c440f0fe9ea01cb627ca674369d084bd2fd911ff06cdbf2cfa10dc0f893ae35762919048c7efc64c7144178342f70581c9de573af55b390dd7fdb9418631895d5f759f30112687ff621410c069308a";
++ // The signing key hash of official microG builds.
++ private static final String MICROG_HASH = "9BD06727E62796C0130EB6DAB39B73157451582CBD138E86C468ACC395D14165";
++ // List of packages which require signature spoofing.
++ private static final String[] MICROG_FAKE_SIGNATURE_PACKAGES = new String[] { "com.google.android.gms", "com.android.vending" };
++
++ private PackageInfo fakeSignature(AndroidPackage p, PackageInfo pi,
++ Set<String> permissions) {
++ String hash = p.getSigningDetails().getSha256Certificate();
++ try {
++ if (hash.equals(MICROG_HASH)) {
++ pi.signatures = new Signature[] {new Signature(GOOGLE_CERT)};
++ if (DEBUG_PACKAGE_INFO) {
++ Log.v(TAG, "Spoofing signature for microG");
++ }
++ }
++ } catch (Throwable t) {
++ Log.w("Unable to fake signature!", t);
++ }
++ return pi;
++ }
++
+ @Override
+ public void checkPackageStartable(String packageName, int userId) {
+ final int callingUid = Binder.getCallingUid();
diff --git a/Patches/LineageOS-18.1/android_packages_apps_Settings/0015-signature_spoofing_toggle.patch b/Patches/LineageOS-18.1/android_packages_apps_Settings/0015-signature_spoofing_toggle.patch
new file mode 100644
index 00000000..8d094f64
--- /dev/null
+++ b/Patches/LineageOS-18.1/android_packages_apps_Settings/0015-signature_spoofing_toggle.patch
@@ -0,0 +1,172 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Wed, 20 Apr 2022 01:04:27 -0400
+Subject: [PATCH] Add a toggle to opt-in to restricted signature spoofing
+
+Copy and pasted from the GrapheneOS exec spawning toggle patch
+
+Change-Id: Ibea6ea9bed1c2ae3491f403d9e5c17c1d1c403f1
+Signed-off-by: Tad <tad@spotco.us>
+---
+ res/values/strings.xml | 3 +
+ res/xml/security_dashboard_settings.xml | 6 +
+ .../settings/security/SecuritySettings.java | 1 +
+ .../SigSpoofPreferenceController.java | 106 ++++++++++++++++++
+ 4 files changed, 116 insertions(+)
+ create mode 100644 src/com/android/settings/security/SigSpoofPreferenceController.java
+
+diff --git a/res/values/strings.xml b/res/values/strings.xml
+index 5af3638555..6d410415bc 100644
+--- a/res/values/strings.xml
++++ b/res/values/strings.xml
+@@ -11972,6 +11972,9 @@
+ <string name="hosts_disable_title">Disable DNS content blocker</string>
+ <string name="hosts_disable_summary">Disables use of the included /etc/hosts database for data collection and malware blocking.</string>
+
++ <string name="sig_spoof_title">microG enablement (not recommended)</string>
++ <string name="sig_spoof_summary">Allows official builds of microG apps to spoof the Google signature. Not supported, not recommended. May break apps and/or degrade their security model. Notes: 1) microG connects directly to Google, 2) microG can download/execute proprietary code from Google, 3) apps talking to microG do so using proprietary Google libraries.</string>
++
+ <!-- Title for the top level Privacy Settings [CHAR LIMIT=30]-->
+ <string name="privacy_dashboard_title">Privacy</string>
+ <!-- Summary for the top level Privacy Settings [CHAR LIMIT=NONE]-->
+diff --git a/res/xml/security_dashboard_settings.xml b/res/xml/security_dashboard_settings.xml
+index 62d42246a3..21ce054889 100644
+--- a/res/xml/security_dashboard_settings.xml
++++ b/res/xml/security_dashboard_settings.xml
+@@ -81,6 +81,12 @@
+ android:title="@string/hosts_disable_title"
+ android:summary="@string/hosts_disable_summary"
+ android:persistent="false" />
++
++ <SwitchPreference
++ android:key="sig_spoof"
++ android:title="@string/sig_spoof_title"
++ android:summary="@string/sig_spoof_summary"
++ android:persistent="false" />
+ </PreferenceCategory>
+
+ <!-- work profile security section -->
+diff --git a/src/com/android/settings/security/SecuritySettings.java b/src/com/android/settings/security/SecuritySettings.java
+index 0fbcd27104..5248d74c37 100644
+--- a/src/com/android/settings/security/SecuritySettings.java
++++ b/src/com/android/settings/security/SecuritySettings.java
+@@ -122,6 +122,7 @@ public class SecuritySettings extends DashboardFragment {
+ securityPreferenceControllers.add(new ExecSpawnPreferenceController(context));
+ securityPreferenceControllers.add(new NativeDebugPreferenceController(context));
+ securityPreferenceControllers.add(new HostsPreferenceController(context));
++ securityPreferenceControllers.add(new SigSpoofPreferenceController(context));
+ controllers.add(new PreferenceCategoryController(context, SECURITY_CATEGORY)
+ .setChildren(securityPreferenceControllers));
+ controllers.addAll(securityPreferenceControllers);
+diff --git a/src/com/android/settings/security/SigSpoofPreferenceController.java b/src/com/android/settings/security/SigSpoofPreferenceController.java
+new file mode 100644
+index 0000000000..258b59b0b0
+--- /dev/null
++++ b/src/com/android/settings/security/SigSpoofPreferenceController.java
+@@ -0,0 +1,106 @@
++/*
++ * Copyright (C) 2022 The Android Open Source Project
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License
++ */
++
++package com.android.settings.security;
++
++import android.content.Context;
++
++import android.os.UserHandle;
++import android.os.UserManager;
++import android.os.SystemProperties;
++
++import android.provider.Settings;
++
++import androidx.preference.Preference;
++import androidx.preference.PreferenceCategory;
++import androidx.preference.PreferenceGroup;
++import androidx.preference.PreferenceScreen;
++import androidx.preference.TwoStatePreference;
++import androidx.preference.SwitchPreference;
++
++import com.android.internal.widget.LockPatternUtils;
++import com.android.settings.core.PreferenceControllerMixin;
++import com.android.settingslib.core.AbstractPreferenceController;
++import com.android.settingslib.core.lifecycle.events.OnResume;
++
++public class SigSpoofPreferenceController extends AbstractPreferenceController
++ implements PreferenceControllerMixin, OnResume, Preference.OnPreferenceChangeListener {
++
++ private static final String SYS_KEY_SIG_SPOOF_ENABLE = "persist.security.sigspoof";
++ private static final String PREF_KEY_SIG_SPOOF_ENABLE = "sig_spoof";
++ private static final String PREF_KEY_SECURITY_CATEGORY = "security_category";
++
++ private PreferenceCategory mSecurityCategory;
++ private SwitchPreference mSigSpoofEnable;
++ private boolean mIsAdmin;
++ private UserManager mUm;
++
++ public SigSpoofPreferenceController(Context context) {
++ super(context);
++ mUm = UserManager.get(context);
++ }
++
++ @Override
++ public void displayPreference(PreferenceScreen screen) {
++ super.displayPreference(screen);
++ mSecurityCategory = screen.findPreference(PREF_KEY_SECURITY_CATEGORY);
++ updatePreferenceState();
++ }
++
++ @Override
++ public boolean isAvailable() {
++ mIsAdmin = mUm.isAdminUser();
++ return mIsAdmin;
++ }
++
++ @Override
++ public String getPreferenceKey() {
++ return PREF_KEY_SIG_SPOOF_ENABLE;
++ }
++
++ // TODO: should we use onCreatePreferences() instead?
++ private void updatePreferenceState() {
++ if (mSecurityCategory == null) {
++ return;
++ }
++
++ if (mIsAdmin) {
++ mSigSpoofEnable = (SwitchPreference) mSecurityCategory.findPreference(PREF_KEY_SIG_SPOOF_ENABLE);
++ mSigSpoofEnable.setChecked(SystemProperties.getInt(SYS_KEY_SIG_SPOOF_ENABLE, 0) == 1);
++ } else {
++ mSecurityCategory.removePreference(mSecurityCategory.findPreference(PREF_KEY_SIG_SPOOF_ENABLE));
++ }
++ }
++
++ @Override
++ public void onResume() {
++ updatePreferenceState();
++ if (mSigSpoofEnable != null) {
++ boolean mode = mSigSpoofEnable.isChecked();
++ SystemProperties.set(SYS_KEY_SIG_SPOOF_ENABLE, mode ? "1" : "0");
++ }
++ }
++
++ @Override
++ public boolean onPreferenceChange(Preference preference, Object value) {
++ final String key = preference.getKey();
++ if (PREF_KEY_SIG_SPOOF_ENABLE.equals(key)) {
++ final boolean mode = !mSigSpoofEnable.isChecked();
++ SystemProperties.set(SYS_KEY_SIG_SPOOF_ENABLE, mode ? "1" : "0");
++ }
++ return true;
++ }
++}
diff --git a/Patches/LineageOS-19.1/android_frameworks_base/0031-Hardened-signature-spoofing.patch b/Patches/LineageOS-19.1/android_frameworks_base/0031-Hardened-signature-spoofing.patch
new file mode 100644
index 00000000..b2f918a2
--- /dev/null
+++ b/Patches/LineageOS-19.1/android_frameworks_base/0031-Hardened-signature-spoofing.patch
@@ -0,0 +1,137 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Mon, 3 Jul 2023 12:00:12 -0400
+Subject: [PATCH] Hardened signature spoofing
+
+- Must be enabled by user
+- Must match microG package ID
+- Must match official microG build signing key
+- Only spoofs the Google package signature
+
+This is an effective merge + tweak of two existing patches, credits:
+ Dylanger Daly
+ https://github.com/dylangerdaly/platform_frameworks_base/commit/b58aa11631fadab3309a1d9268118bd9f2c2a79f
+ Chirayu Desai of CalyxOS
+ https://gitlab.com/CalyxOS/platform_frameworks_base/-/commit/76485abb36dc01b65506b010d0458e96e0116369
+
+Change-Id: I64a252aac9bb196a11ed7b4b5d8c7e59a3413bd4
+---
+ .../android/content/pm/PackageParser.java | 32 +++++++++++++++
+ core/res/res/values/config.xml | 2 +
+ .../server/pm/PackageManagerService.java | 40 ++++++++++++++++++-
+ 3 files changed, 72 insertions(+), 2 deletions(-)
+
+diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
+index f92c2951fdef..052d7db60379 100644
+--- a/core/java/android/content/pm/PackageParser.java
++++ b/core/java/android/content/pm/PackageParser.java
+@@ -6567,6 +6567,38 @@ public class PackageParser {
+ return false;
+ }
+
++ /**
++ * Return the Cerificate's Digest
++ */
++ public @Nullable String getSha256Certificate() {
++ return getSha256CertificateInternal();
++ }
++
++ private @Nullable String getSha256CertificateInternal() {
++ String digest;
++ if (this == UNKNOWN) {
++ return null;
++ }
++ if (hasPastSigningCertificates()) {
++
++ // check all past certs, except for the last one, which automatically gets all
++ // capabilities, since it is the same as the current signature, and is checked below
++ for (int i = 0; i < pastSigningCertificates.length - 1; i++) {
++ digest = PackageUtils.computeSha256Digest(
++ pastSigningCertificates[i].toByteArray());
++ return digest;
++ }
++ }
++
++ // not in previous certs signing history, just check the current signer
++ if (signatures.length == 1) {
++ digest =
++ PackageUtils.computeSha256Digest(signatures[0].toByteArray());
++ return digest;
++ }
++ return null;
++ }
++
+ /** Returns true if the signatures in this and other match exactly. */
+ public boolean signaturesMatchExactly(SigningDetails other) {
+ return Signature.areExactMatch(this.signatures, other.signatures);
+diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml
+index a7d55479d2c3..c3616d28dd66 100644
+--- a/core/res/res/values/config.xml
++++ b/core/res/res/values/config.xml
+@@ -1804,6 +1804,8 @@
+ <string-array name="config_locationProviderPackageNames" translatable="false">
+ <!-- The standard AOSP fused location provider -->
+ <item>com.android.location.fused</item>
++ <!-- The (faked) microg fused location provider (a free reimplementation)
++ <item>com.google.android.gms</item> -->
+ </string-array>
+
+ <!-- Package name(s) of Advanced Driver Assistance applications. These packages have additional
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index 5bbde18f7e9e..fee7dc331558 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -3362,8 +3362,19 @@ public class PackageManagerService extends IPackageManager.Stub
+ || ArrayUtils.isEmpty(p.getRequestedPermissions())) ? Collections.emptySet()
+ : mPermissionManager.getGrantedPermissions(ps.name, userId);
+
+- PackageInfo packageInfo = PackageInfoUtils.generate(p, gids, flags,
+- ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps);
++ // Allow microG GmsCore and FakeStore to spoof signature
++ final boolean isMicroG = ArrayUtils.contains(MICROG_FAKE_SIGNATURE_PACKAGES,
++ p.getPackageName());
++ PackageInfo packageInfo;
++ if (isMicroG && SystemProperties.getBoolean(SPOOF_CONTROL, false)) {
++ packageInfo = fakeSignature(p, PackageInfoUtils.generate(p, gids, flags,
++ ps.firstInstallTime, ps.lastUpdateTime, permissions, state,
++ userId, ps), permissions);
++ } else {
++ packageInfo = PackageInfoUtils.generate(p, gids, flags,
++ ps.firstInstallTime, ps.lastUpdateTime, permissions, state,
++ userId, ps);
++ }
+
+ if (packageInfo == null) {
+ return null;
+@@ -3400,6 +3411,31 @@ public class PackageManagerService extends IPackageManager.Stub
+ }
+ }
+
++ // The setting to control spoofing enablement.
++ private static final String SPOOF_CONTROL = "persist.security.sigspoof";
++ // The Google signature faked by microG.
++ private static final String GOOGLE_CERT = "308204433082032ba003020102020900c2e08746644a308d300d06092a864886f70d01010405003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964301e170d3038303832313233313333345a170d3336303130373233313333345a3074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f696430820120300d06092a864886f70d01010105000382010d00308201080282010100ab562e00d83ba208ae0a966f124e29da11f2ab56d08f58e2cca91303e9b754d372f640a71b1dcb130967624e4656a7776a92193db2e5bfb724a91e77188b0e6a47a43b33d9609b77183145ccdf7b2e586674c9e1565b1f4c6a5955bff251a63dabf9c55c27222252e875e4f8154a645f897168c0b1bfc612eabf785769bb34aa7984dc7e2ea2764cae8307d8c17154d7ee5f64a51a44a602c249054157dc02cd5f5c0e55fbef8519fbe327f0b1511692c5a06f19d18385f5c4dbc2d6b93f68cc2979c70e18ab93866b3bd5db8999552a0e3b4c99df58fb918bedc182ba35e003c1b4b10dd244a8ee24fffd333872ab5221985edab0fc0d0b145b6aa192858e79020103a381d93081d6301d0603551d0e04160414c77d8cc2211756259a7fd382df6be398e4d786a53081a60603551d2304819e30819b8014c77d8cc2211756259a7fd382df6be398e4d786a5a178a4763074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964820900c2e08746644a308d300c0603551d13040530030101ff300d06092a864886f70d010104050003820101006dd252ceef85302c360aaace939bcff2cca904bb5d7a1661f8ae46b2994204d0ff4a68c7ed1a531ec4595a623ce60763b167297a7ae35712c407f208f0cb109429124d7b106219c084ca3eb3f9ad5fb871ef92269a8be28bf16d44c8d9a08e6cb2f005bb3fe2cb96447e868e731076ad45b33f6009ea19c161e62641aa99271dfd5228c5c587875ddb7f452758d661f6cc0cccb7352e424cc4365c523532f7325137593c4ae341f4db41edda0d0b1071a7c440f0fe9ea01cb627ca674369d084bd2fd911ff06cdbf2cfa10dc0f893ae35762919048c7efc64c7144178342f70581c9de573af55b390dd7fdb9418631895d5f759f30112687ff621410c069308a";
++ // The signing key hash of official microG builds.
++ private static final String MICROG_HASH = "9BD06727E62796C0130EB6DAB39B73157451582CBD138E86C468ACC395D14165";
++ // List of packages which require signature spoofing.
++ private static final String[] MICROG_FAKE_SIGNATURE_PACKAGES = new String[] { "com.google.android.gms", "com.android.vending" };
++
++ private PackageInfo fakeSignature(AndroidPackage p, PackageInfo pi,
++ Set<String> permissions) {
++ String hash = p.getSigningDetails().getSha256Certificate();
++ try {
++ if (hash.equals(MICROG_HASH)) {
++ pi.signatures = new Signature[] {new Signature(GOOGLE_CERT)};
++ if (DEBUG_PACKAGE_INFO) {
++ Log.v(TAG, "Spoofing signature for microG");
++ }
++ }
++ } catch (Throwable t) {
++ Log.w("Unable to fake signature!", t);
++ }
++ return pi;
++ }
++
+ public final PackageInfo getPackageInfo(String packageName, int flags, int userId) {
+ return getPackageInfoInternal(packageName, PackageManager.VERSION_CODE_HIGHEST,
+ flags, Binder.getCallingUid(), userId);
diff --git a/Patches/LineageOS-19.1/android_packages_apps_Settings/0016-signature_spoofing_toggle.patch b/Patches/LineageOS-19.1/android_packages_apps_Settings/0016-signature_spoofing_toggle.patch
new file mode 100644
index 00000000..ee31e328
--- /dev/null
+++ b/Patches/LineageOS-19.1/android_packages_apps_Settings/0016-signature_spoofing_toggle.patch
@@ -0,0 +1,172 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Wed, 20 Apr 2022 01:04:27 -0400
+Subject: [PATCH] Add a toggle to opt-in to restricted signature spoofing
+
+Copy and pasted from the GrapheneOS exec spawning toggle patch
+
+Change-Id: Ibea6ea9bed1c2ae3491f403d9e5c17c1d1c403f1
+Signed-off-by: Tad <tad@spotco.us>
+---
+ res/values/strings.xml | 3 +
+ res/xml/security_dashboard_settings.xml | 6 +
+ .../settings/security/SecuritySettings.java | 1 +
+ .../SigSpoofPreferenceController.java | 106 ++++++++++++++++++
+ 4 files changed, 116 insertions(+)
+ create mode 100644 src/com/android/settings/security/SigSpoofPreferenceController.java
+
+diff --git a/res/values/strings.xml b/res/values/strings.xml
+index 67c47bc7b3..efab810360 100644
+--- a/res/values/strings.xml
++++ b/res/values/strings.xml
+@@ -13127,6 +13127,9 @@
+ <string name="hosts_disable_title">Disable DNS content blocker</string>
+ <string name="hosts_disable_summary">Disables use of the included /etc/hosts database for data collection and malware blocking.</string>
+
++ <string name="sig_spoof_title">microG enablement (not recommended)</string>
++ <string name="sig_spoof_summary">Allows official builds of microG apps to spoof the Google signature. Not supported, not recommended. May break apps and/or degrade their security model. Notes: 1) microG connects directly to Google, 2) microG can download/execute proprietary code from Google, 3) apps talking to microG do so using proprietary Google libraries.</string>
++
+ <!-- Title for the top level Privacy Settings [CHAR LIMIT=30]-->
+ <string name="privacy_dashboard_title">Privacy</string>
+ <!-- Summary for the top level Privacy Settings [CHAR LIMIT=NONE]-->
+diff --git a/res/xml/security_dashboard_settings.xml b/res/xml/security_dashboard_settings.xml
+index 011f6e1117..f5384fa104 100644
+--- a/res/xml/security_dashboard_settings.xml
++++ b/res/xml/security_dashboard_settings.xml
+@@ -81,6 +81,12 @@
+ android:summary="@string/hosts_disable_summary"
+ android:persistent="false" />
+
++ <SwitchPreference
++ android:key="sig_spoof"
++ android:title="@string/sig_spoof_title"
++ android:summary="@string/sig_spoof_summary"
++ android:persistent="false" />
++
+ <com.android.settingslib.RestrictedPreference
+ android:key="biometric_settings"
+ android:title="@string/security_settings_biometric_preference_title"
+diff --git a/src/com/android/settings/security/SecuritySettings.java b/src/com/android/settings/security/SecuritySettings.java
+index dbb9987f0c..0ac2ace282 100644
+--- a/src/com/android/settings/security/SecuritySettings.java
++++ b/src/com/android/settings/security/SecuritySettings.java
+@@ -126,6 +126,7 @@ public class SecuritySettings extends DashboardFragment {
+ securityPreferenceControllers.add(new ExecSpawnPreferenceController(context));
+ securityPreferenceControllers.add(new NativeDebugPreferenceController(context));
+ securityPreferenceControllers.add(new HostsPreferenceController(context));
++ securityPreferenceControllers.add(new SigSpoofPreferenceController(context));
+ controllers.add(new PreferenceCategoryController(context, SECURITY_CATEGORY)
+ .setChildren(securityPreferenceControllers));
+ controllers.addAll(securityPreferenceControllers);
+diff --git a/src/com/android/settings/security/SigSpoofPreferenceController.java b/src/com/android/settings/security/SigSpoofPreferenceController.java
+new file mode 100644
+index 0000000000..258b59b0b0
+--- /dev/null
++++ b/src/com/android/settings/security/SigSpoofPreferenceController.java
+@@ -0,0 +1,106 @@
++/*
++ * Copyright (C) 2022 The Android Open Source Project
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License
++ */
++
++package com.android.settings.security;
++
++import android.content.Context;
++
++import android.os.UserHandle;
++import android.os.UserManager;
++import android.os.SystemProperties;
++
++import android.provider.Settings;
++
++import androidx.preference.Preference;
++import androidx.preference.PreferenceCategory;
++import androidx.preference.PreferenceGroup;
++import androidx.preference.PreferenceScreen;
++import androidx.preference.TwoStatePreference;
++import androidx.preference.SwitchPreference;
++
++import com.android.internal.widget.LockPatternUtils;
++import com.android.settings.core.PreferenceControllerMixin;
++import com.android.settingslib.core.AbstractPreferenceController;
++import com.android.settingslib.core.lifecycle.events.OnResume;
++
++public class SigSpoofPreferenceController extends AbstractPreferenceController
++ implements PreferenceControllerMixin, OnResume, Preference.OnPreferenceChangeListener {
++
++ private static final String SYS_KEY_SIG_SPOOF_ENABLE = "persist.security.sigspoof";
++ private static final String PREF_KEY_SIG_SPOOF_ENABLE = "sig_spoof";
++ private static final String PREF_KEY_SECURITY_CATEGORY = "security_category";
++
++ private PreferenceCategory mSecurityCategory;
++ private SwitchPreference mSigSpoofEnable;
++ private boolean mIsAdmin;
++ private UserManager mUm;
++
++ public SigSpoofPreferenceController(Context context) {
++ super(context);
++ mUm = UserManager.get(context);
++ }
++
++ @Override
++ public void displayPreference(PreferenceScreen screen) {
++ super.displayPreference(screen);
++ mSecurityCategory = screen.findPreference(PREF_KEY_SECURITY_CATEGORY);
++ updatePreferenceState();
++ }
++
++ @Override
++ public boolean isAvailable() {
++ mIsAdmin = mUm.isAdminUser();
++ return mIsAdmin;
++ }
++
++ @Override
++ public String getPreferenceKey() {
++ return PREF_KEY_SIG_SPOOF_ENABLE;
++ }
++
++ // TODO: should we use onCreatePreferences() instead?
++ private void updatePreferenceState() {
++ if (mSecurityCategory == null) {
++ return;
++ }
++
++ if (mIsAdmin) {
++ mSigSpoofEnable = (SwitchPreference) mSecurityCategory.findPreference(PREF_KEY_SIG_SPOOF_ENABLE);
++ mSigSpoofEnable.setChecked(SystemProperties.getInt(SYS_KEY_SIG_SPOOF_ENABLE, 0) == 1);
++ } else {
++ mSecurityCategory.removePreference(mSecurityCategory.findPreference(PREF_KEY_SIG_SPOOF_ENABLE));
++ }
++ }
++
++ @Override
++ public void onResume() {
++ updatePreferenceState();
++ if (mSigSpoofEnable != null) {
++ boolean mode = mSigSpoofEnable.isChecked();
++ SystemProperties.set(SYS_KEY_SIG_SPOOF_ENABLE, mode ? "1" : "0");
++ }
++ }
++
++ @Override
++ public boolean onPreferenceChange(Preference preference, Object value) {
++ final String key = preference.getKey();
++ if (PREF_KEY_SIG_SPOOF_ENABLE.equals(key)) {
++ final boolean mode = !mSigSpoofEnable.isChecked();
++ SystemProperties.set(SYS_KEY_SIG_SPOOF_ENABLE, mode ? "1" : "0");
++ }
++ return true;
++ }
++}
diff --git a/Patches/LineageOS-20.0/android_frameworks_base/0036-Hardened-signature-spoofing.patch b/Patches/LineageOS-20.0/android_frameworks_base/0036-Hardened-signature-spoofing.patch
index 577beef5..a780fdf6 100644
--- a/Patches/LineageOS-20.0/android_frameworks_base/0036-Hardened-signature-spoofing.patch
+++ b/Patches/LineageOS-20.0/android_frameworks_base/0036-Hardened-signature-spoofing.patch
@@ -85,8 +85,8 @@ index a01ec67630de..0b9ab8c1166c 100644
<string-array name="config_locationProviderPackageNames" translatable="false">
<!-- The standard AOSP fused location provider -->
<item>com.android.location.fused</item>
-+ <!-- The (faked) microg fused location provider (a free reimplementation) -->
-+ <item>com.google.android.gms</item>
++ <!-- The (faked) microg fused location provider (a free reimplementation)
++ <item>com.google.android.gms</item> -->
</string-array>
<!-- Package name(s) of Advanced Driver Assistance applications. These packages have additional
diff --git a/Patches/LineageOS-20.0/android_packages_apps_Settings/0016-signature_spoofing_toggle.patch b/Patches/LineageOS-20.0/android_packages_apps_Settings/0016-signature_spoofing_toggle.patch
index b28d62ee..af8ef18f 100644
--- a/Patches/LineageOS-20.0/android_packages_apps_Settings/0016-signature_spoofing_toggle.patch
+++ b/Patches/LineageOS-20.0/android_packages_apps_Settings/0016-signature_spoofing_toggle.patch
@@ -23,7 +23,7 @@ index 6e619cc2c4..0677bede10 100644
<string name="hosts_disable_title">Disable DNS content blocker</string>
<string name="hosts_disable_summary">Disables use of the included /etc/hosts database for data collection and malware blocking.</string>
-+ <string name="sig_spoof_title">Allow microG</string>
++ <string name="sig_spoof_title">microG enablement (not recommended)</string>
+ <string name="sig_spoof_summary">Allows official builds of microG apps to spoof the Google signature. Not supported, not recommended. May break apps and/or degrade their security model. Notes: 1) microG connects directly to Google, 2) microG can download/execute proprietary code from Google, 3) apps talking to microG do so using proprietary Google libraries.</string>
+
<!-- Text shown for the title of the lock when trust lost option [CHAR LIMIT=40] -->
diff --git a/Scripts/LineageOS-17.1/Patch.sh b/Scripts/LineageOS-17.1/Patch.sh
index 3638d02a..e948da72 100644
--- a/Scripts/LineageOS-17.1/Patch.sh
+++ b/Scripts/LineageOS-17.1/Patch.sh
@@ -177,6 +177,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0017-WiFi_Timeout.patch"; #Time
if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0018-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0019-Random_MAC.patch"; #Add option of always randomizing MAC addresses (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0020-SUPL_Toggle.patch"; #Add a setting for forcibly disabling SUPL (GrapheneOS)
+if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0021-Hardened-signature-spoofing.patch"; fi; #Hardened signature spoofing ability (DivestOS)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0006-Do-not-throw-in-setAppOnInterfaceLocked.patch"; #Fix random reboots on broken kernels when an app has data restricted XXX: ugly (DivestOS)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0007-ABI_Warning.patch"; #Warn when running activity from 32 bit app on ARM64 devices. (AOSP)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0008-No_Crash_GSF.patch"; #Don't crash apps that depend on missing Gservices provider (GrapheneOS)
@@ -321,6 +322,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0010-Random_MAC-2.patch"
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0011-LTE_Only_Mode.patch"; #Add LTE-only option (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0012-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (heavily based off of a GrapheneOS patch)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0013-SUPL_Toggle.patch"; #Add a toggle for forcibly disabling SUPL (GrapheneOS)
+if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0014-signature_spoofing_toggle.patch"; fi; #Add a toggle to opt-in to restricted signature spoofing (heavily based off of a GrapheneOS patch)
sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 64;/' src/com/android/settings/password/ChooseLockPassword.java; #Increase default max password length to 64 (GrapheneOS)
sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
fi;
diff --git a/Scripts/LineageOS-18.1/Patch.sh b/Scripts/LineageOS-18.1/Patch.sh
index 9f69ea96..6638c731 100644
--- a/Scripts/LineageOS-18.1/Patch.sh
+++ b/Scripts/LineageOS-18.1/Patch.sh
@@ -165,6 +165,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0020-Burnin_Protection.patch";
applyPatch "$DOS_PATCHES/android_frameworks_base/0021-SUPL_Toggle.patch"; #Add a setting for forcibly disabling SUPL (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0022-Allow_Disabling_NTP.patch"; #Dont ping ntp server when nitz time update is toggled off (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0023-System_JobScheduler_Allowance.patch"; #DeviceIdleJobsController: don't ignore whitelisted system apps (GrapheneOS)
+if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0024-Hardened-signature-spoofing.patch"; fi; #Hardened signature spoofing ability (DivestOS)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0006-Do-not-throw-in-setAppOnInterfaceLocked.patch"; #Fix random reboots on broken kernels when an app has data restricted XXX: ugly (DivestOS)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0007-ABI_Warning.patch"; #Warn when running activity from 32 bit app on ARM64 devices. (AOSP)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0008-No_Crash_GSF.patch"; #Don't crash apps that depend on missing Gservices provider (GrapheneOS)
@@ -328,6 +329,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0013-LTE_Only_Mode-1.pat
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0013-LTE_Only_Mode-2.patch"; #Show preferred network options no matter the carrier configuration (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0013-LTE_Only_Mode-3.patch"; #Add LTE only entry when carrier enables world mode (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0014-SUPL_Toggle.patch"; #Add a toggle for forcibly disabling SUPL (GrapheneOS)
+if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0015-signature_spoofing_toggle.patch"; fi; #Add a toggle to opt-in to restricted signature spoofing (heavily based off of a GrapheneOS patch)
sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
fi;
diff --git a/Scripts/LineageOS-19.1/Patch.sh b/Scripts/LineageOS-19.1/Patch.sh
index ed51327a..eb80c25a 100644
--- a/Scripts/LineageOS-19.1/Patch.sh
+++ b/Scripts/LineageOS-19.1/Patch.sh
@@ -175,6 +175,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/0027-appops_reset_fix-2.patch";
applyPatch "$DOS_PATCHES/android_frameworks_base/0028-SUPL_Toggle.patch"; #Add a setting for forcibly disabling SUPL (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0029-Allow_Disabling_NTP.patch"; #Dont ping ntp server when nitz time update is toggled off (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0030-System_JobScheduler_Allowance.patch"; #DeviceIdleJobsController: don't ignore whitelisted system apps (GrapheneOS)
+if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_base/0031-Hardened-signature-spoofing.patch"; fi; #Hardened signature spoofing ability (DivestOS)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0007-ABI_Warning.patch"; #Warn when running activity from 32 bit app on ARM64 devices. (AOSP)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0008-No_Crash_GSF.patch"; #Don't crash apps that depend on missing Gservices provider (GrapheneOS)
hardenLocationConf services/core/java/com/android/server/location/gnss/gps_debug.conf; #Harden the default GPS config
@@ -304,6 +305,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0012-hosts_toggle.patch"
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0013-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0014-LTE_Only_Mode.patch"; #Add LTE only setting (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0015-SUPL_Toggle.patch"; #Add a toggle for forcibly disabling SUPL (GrapheneOS)
+if [ "$DOS_MICROG_SUPPORT" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0016-signature_spoofing_toggle.patch"; fi; #Add a toggle to opt-in to restricted signature spoofing (heavily based off of a GrapheneOS patch)
sed -i 's/if (isFullDiskEncrypted()) {/if (false) {/' src/com/android/settings/accessibility/*AccessibilityService*.java; #Never disable secure start-up when enabling an accessibility service
fi;