├── .gitattributes
├── .gitignore
├── META-INF
│   └── com
│       └── google
│           └── android
│               ├── update-binary
│               └── updater-script
├── README.md
├── common
│   ├── post-fs-data.sh
│   ├── service.sh
│   └── system.prop
├── install.sh
├── module.prop
└── system
    └── etc
        └── security
            └── cacerts
                └── placeholder

/.gitattributes:
--------------------------------------------------------------------------------
# Declare files that will always have LF line endings on checkout.
META-INF/** text eol=lf
*.prop text eol=lf
*.sh text eol=lf
*.md text eol=lf

# Denote all files that are truly binary and should not be modified.
system/** binary

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
gitgo.sh

--------------------------------------------------------------------------------
/META-INF/com/google/android/update-binary:
--------------------------------------------------------------------------------
#!/sbin/sh

#################
# Initialization
#################

umask 022

# echo before loading util_functions
ui_print() { echo "$1"; }

require_new_magisk() {
  ui_print "*******************************"
  ui_print " Please install Magisk v20.4+! "
  ui_print "*******************************"
  exit 1
}

#########################
# Load util_functions.sh
#########################

OUTFD=$2
ZIPFILE=$3

mount /data 2>/dev/null

[ -f /data/adb/magisk/util_functions.sh ] || require_new_magisk
. /data/adb/magisk/util_functions.sh
[ $MAGISK_VER_CODE -lt 20400 ] && require_new_magisk

install_module
exit 0

--------------------------------------------------------------------------------
/META-INF/com/google/android/updater-script:
--------------------------------------------------------------------------------
#MAGISK

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# **Copy Certificates**
## Description
Copies certificates from the user certificate store into the system store. Also removes the *Network may be monitored* warning.

Note that this is a significant change from the historical use of this module. By copying, instead of moving, the Certificate Transparency problem for proxying Google Chrome has been solved. See notes and links in the changelog below for more details on this.

## Changelog
v2.0.2
* support Android 14

v2.0.1
* Updated install messages
* Fixed the release binary. I'd previously accidentally included the entire .git repository in the installer zip. Whoopsie. Down to 8KB when I had it at 80KB before.

v2.0
* Changed behavior to copy instead of moving the certificate.
* The certificate ends up in two locations, one in the User store and one in the System store. This addresses the Chrome Certificate Transparency problem discussed [here](https://github.com/Magisk-Modules-Repo/movecert/issues/15) and [here](https://github.com/AdguardTeam/AdguardForAndroid/issues/4124#issuecomment-1066078974). Note that enabling Zygisk and adding Chrome to the DenyList is required for this to work.
* Fixed install issue in Magisk, where this module would not install correctly. Credit to [azio7](https://github.com/Magisk-Modules-Repo/movecert/pull/14).

v1.9
* Dynamically determine correct SELinux context for cert from device itself.
* AdGuard users may need to reinstall their HTTPS filtering certificate.

v1.8
* Merged pull request: Fix SELinux contexts

v1.7

* Merged pull request: Prevent placeholder from being moved to system store
* Merged pull request: System store certs should be owned by user and group root

v1.6

* Updated to newest module installer template

v1.5

* Updated module template to 17000

v1.4

* Remove unnecessary placeholders

v1.3

* Create system store module directory instead of mkdir command

v1.2

* Create system store directory if it does not already exist

v1.1

* Added more info to README

v1

* Initial release

## Notes
If for some reason you do not want all your certificates moved from the user store to the system store, you can specify which certificate to move in `/common/post-fs-data.sh` by replacing the * with the name of the certificate; i.e.,
```
mv -f /data/misc/user/0/cacerts-added/12abc345.0 $MODDIR/system/etc/security/cacerts
```



--------------------------------------------------------------------------------
/common/post-fs-data.sh:
--------------------------------------------------------------------------------
#!/system/bin/sh
# Do NOT assume where your module will be located.
# ALWAYS use $MODDIR if you need to know where this script
# and module are placed.
# This will make sure your module will still work
# if Magisk changes its mount point in the future
MODDIR=${0%/*}

# This script will be executed in post-fs-data mode

# set_context <reference> <target>
# This helper is called below but is not defined anywhere in this repository,
# and boot scripts do not load util_functions.sh, so it is defined here.
# It copies the SELinux context of <reference> onto <target> and falls back
# to system_file when the context cannot be read.
set_context() {
  ctx=$(ls -Zd "$1" | awk '{print $1}')
  if [ -n "$ctx" ] && [ "$ctx" != "?" ]; then
    chcon -R "$ctx" "$2"
  else
    chcon -R u:object_r:system_file:s0 "$2"
  fi
}

# If you for some reason do not want all your certificates moved from the user store to the system store, you can specify which certificates to move by replacing the * with the name of the certificate; i.e.,

# mv -f /data/misc/user/0/cacerts-added/12abc345.0 $MODDIR/system/etc/security/cacerts

cp -f /data/misc/user/0/cacerts-added/* $MODDIR/system/etc/security/cacerts

[ "$(getenforce)" = "Enforcing" ] || exit 0
A14CA_PATH=/apex/com.android.conscrypt/cacerts
if [ -d "$A14CA_PATH" ]; then
  #Support Android 14, Thanks https://weibo.com/3322982490/Ni21tFiR9
  CA_TMP_DIR=/data/local/tmp/cacerts
  rm -rf "$CA_TMP_DIR"
  mkdir -p -m 700 "$CA_TMP_DIR"
  mount -t tmpfs tmpfs "$CA_TMP_DIR"

  cp -f $A14CA_PATH/* $CA_TMP_DIR
  cp -f $MODDIR/system/etc/security/cacerts/* $CA_TMP_DIR

  chown -R 0:0 "$CA_TMP_DIR"
  set_context "$A14CA_PATH" "$CA_TMP_DIR"
  CNUM="$(ls -1 $CA_TMP_DIR | wc -l)"
  if [ "$CNUM" -gt 10 ]; then
    mount -o bind "$CA_TMP_DIR" $A14CA_PATH
  fi
  umount "$CA_TMP_DIR"
  rmdir "$CA_TMP_DIR"
  rm -rf "$CA_TMP_DIR"
else
  chown -R 0:0 $MODDIR/system/etc/security/cacerts
  default_selinux_context=u:object_r:system_file:s0
  selinux_context=$(ls -Zd /system/etc/security/cacerts | awk '{print $1}')
  if [ -n "$selinux_context" ] && [ "$selinux_context" != "?" ]; then
    chcon -R $selinux_context $MODDIR/system/etc/security/cacerts
  else
    chcon -R $default_selinux_context $MODDIR/system/etc/security/cacerts
  fi
fi


--------------------------------------------------------------------------------
/common/service.sh:
--------------------------------------------------------------------------------
#!/system/bin/sh
# Do NOT assume where your module will be located.
# ALWAYS use $MODDIR if you need to know where this script
# and module are placed.
# This will make sure your module will still work
# if Magisk changes its mount point in the future
MODDIR=${0%/*}

# This script will be executed in late_start service mode

--------------------------------------------------------------------------------
/common/system.prop:
--------------------------------------------------------------------------------
# This file will be read by resetprop
# Example: Change dpi
# ro.sf.lcd_density=320

--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
##########################################################################################
#
# Magisk Module Installer Script
#
##########################################################################################
##########################################################################################
#
# Instructions:
#
# 1. Place your files into system folder (delete the placeholder file)
# 2. Fill in your module's info into module.prop
# 3. Configure and implement callbacks in this file
# 4. If you need boot scripts, add them into common/post-fs-data.sh or common/service.sh
# 5. Add your additional or modified system properties into common/system.prop
#
##########################################################################################

##########################################################################################
# Config Flags
##########################################################################################

# Set to true if you do *NOT* want Magisk to mount
# any files for you. Most modules would NOT want
# to set this flag to true
SKIPMOUNT=false

# Set to true if you need to load system.prop
PROPFILE=false

# Set to true if you need post-fs-data script
POSTFSDATA=true

# Set to true if you need late_start service script
LATESTARTSERVICE=false

##########################################################################################
# Replace list
##########################################################################################

# List all directories you want to directly replace in the system
# Check the documentation for more info on why you would need this

# Construct your list in the following format
# This is an example
REPLACE_EXAMPLE="
/system/app/Youtube
/system/priv-app/SystemUI
/system/priv-app/Settings
/system/framework
"

# Construct your own list here
REPLACE="
"

##########################################################################################
#
# Function Callbacks
#
# The following functions will be called by the installation framework.
# You do not have the ability to modify update-binary, the only way you can customize
# installation is through implementing these functions.
#
# When running your callbacks, the installation framework will make sure the Magisk
# internal busybox path is *PREPENDED* to PATH, so all common commands shall exist.
# Also, it will make sure /data, /system, and /vendor are properly mounted.
#
##########################################################################################
##########################################################################################
#
# The installation framework will export some variables and functions.
# You should use these variables and functions for installation.
#
# ! DO NOT use any Magisk internal paths as those are NOT public API.
# ! DO NOT use other functions in util_functions.sh as they are NOT public API.
# ! Non public APIs are not guaranteed to maintain compatibility between releases.
#
# Available variables:
#
# MAGISK_VER (string): the version string of current installed Magisk
# MAGISK_VER_CODE (int): the version code of current installed Magisk
# BOOTMODE (bool): true if the module is currently installing in Magisk Manager
# MODPATH (path): the path where your module files should be installed
# TMPDIR (path): a place where you can temporarily store files
# ZIPFILE (path): your module's installation zip
# ARCH (string): the architecture of the device. Value is either arm, arm64, x86, or x64
# IS64BIT (bool): true if $ARCH is either arm64 or x64
# API (int): the API level (Android version) of the device
#
# Available functions:
#
#   ui_print <msg>
#     print <msg> to console
#     Avoid using 'echo' as it will not display in custom recovery's console
#
#   abort <msg>
#     print error message <msg> to console and terminate installation
#     Avoid using 'exit' as it will skip the termination cleanup steps
#
#   set_perm <target> <owner> <group> <permission> [context]
#     if [context] is empty, it will default to "u:object_r:system_file:s0"
#     this function is a shorthand for the following commands
#       chown owner.group target
#       chmod permission target
#       chcon context target
#
#   set_perm_recursive <directory> <owner> <group> <dirpermission> <filepermission> [context]
#     if [context] is empty, it will default to "u:object_r:system_file:s0"
#     for all files in <directory>, it will call:
#       set_perm file owner group filepermission context
#     for all directories in <directory> (including itself), it will call:
#       set_perm dir owner group dirpermission context
#
##########################################################################################
##########################################################################################
# If you need boot scripts, DO NOT use general boot scripts (post-fs-data.d/service.d)
# ONLY use module scripts as it respects the module status (remove/disable) and is
# guaranteed to maintain the same behavior in future Magisk releases.
# Enable boot scripts by setting the flags in the config section above.
##########################################################################################

# Set what you want to display when installing your module

print_modname() {
  ui_print "****************************************************"
  ui_print " Move Certificates "
  ui_print " by yochananmarqos (edited by Andy Acer) @XDA "
  ui_print "****************************************************"
}

# Copy/extract your module files into $MODPATH in on_install.

on_install() {
  # The following is the default implementation: extract $ZIPFILE/system to $MODPATH
  # Extend/change the logic to whatever you want
  ui_print "- Extracting module files"
  unzip -o "$ZIPFILE" 'system/*' -d $MODPATH >&2

  rm $MODPATH/system/etc/security/cacerts/placeholder
}

# Only some special files require specific permissions
# This function will be called after on_install is done
# The default permissions should be good enough for most cases

set_permissions() {
  # The following is the default rule, DO NOT remove
  set_perm_recursive $MODPATH 0 0 0755 0644

  # Here are some examples:
  # set_perm_recursive $MODPATH/system/lib 0 0 0755 0644
  # set_perm $MODPATH/system/bin/app_process32 0 2000 0755 u:object_r:zygote_exec:s0
  # set_perm $MODPATH/system/bin/dex2oat 0 2000 0755 u:object_r:dex2oat_exec:s0
  # set_perm $MODPATH/system/lib/libart.so 0 0 0644
}

# You can add more functions to assist your custom script code

--------------------------------------------------------------------------------
/module.prop:
--------------------------------------------------------------------------------
id=movecert
name=Move Certificates
version=v2.0.2
versionCode=1
author=yochananmarqos (edited by Andy Ace And zhaoboy9692)
description=Copies certificates from the user certificate store into the system store. Removes the *Network may be monitored* warning.

--------------------------------------------------------------------------------
/system/etc/security/cacerts/placeholder:
--------------------------------------------------------------------------------
This file will be deleted in Magisk Manager, it is only a placeholder for git

--------------------------------------------------------------------------------
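
An added example, not part of this repository: because `post-fs-data.sh` merges every user-store CA into the directory that apps read as the system trust store, the effective store can be diffed against a known-good copy of the stock store to see exactly which trust anchors were added or replaced. `audit_cacerts` and `demo_audit` are hypothetical names, the baseline directory is assumed to come from a factory image or a pre-install backup, and the sample files are constructed dummies rather than real certificates.

```shell
#!/bin/sh
# audit_cacerts <baseline_dir> <effective_dir>
# Prints one line per difference:
#   ADDED <file>    present in the effective store only
#   CHANGED <file>  same file name, different bytes
#   MISSING <file>  stock CA that is absent from the effective store
audit_cacerts() {
    baseline=$1
    effective=$2
    for f in "$effective"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if [ ! -f "$baseline/$name" ]; then
            echo "ADDED $name"
        elif ! cmp -s "$f" "$baseline/$name"; then
            echo "CHANGED $name"
        fi
    done
    for f in "$baseline"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        [ -f "$effective/$name" ] || echo "MISSING $name"
    done
}

# Constructed sample: file names follow the <hash>.<n> pattern used in the
# README (12abc345.0); the contents are dummy text, not certificates.
demo_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/stock" "$tmp/effective"
    echo "stock-ca-one"   > "$tmp/stock/aaaa1111.0"
    echo "stock-ca-two"   > "$tmp/stock/bbbb2222.0"
    echo "stock-ca-three" > "$tmp/stock/cccc3333.0"
    cp "$tmp/stock/aaaa1111.0" "$tmp/effective/"      # untouched stock CA
    echo "replaced" > "$tmp/effective/bbbb2222.0"     # overwritten stock CA
    echo "user-ca"  > "$tmp/effective/12abc345.0"     # CA copied from user store
    audit_cacerts "$tmp/stock" "$tmp/effective"
    rm -rf "$tmp"
}

demo_audit
```

On a device running this module, the effective directory would be `/apex/com.android.conscrypt/cacerts` on Android 14 or `/system/etc/security/cacerts` on earlier releases, the two paths the script populates.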