[commoner]

LineageOS in particular does not support relocking the bootloader after flashing, so it needs root access and this workaround to pass SafetyNet. The SafetyNet check fails if it detects an unlocked bootloader, unless the bootloader lock status is spoofed. (The other Android-based operating systems that do allow users to relock the bootloader don't support nearly as many devices as LineageOS does.)

[josephcsible]

> The other Android-based operating systems that do allow users to relock the bootloader

If you relock the bootloader with a third-party OS, won't you still fail SafetyNet since the signing key won't be the one that Google blessed for that phone?

[commoner]

Yes, you're right. To pass SafetyNet, not only does the bootloader need to present itself as locked (either through relocking or spoofing), the device fingerprint must also present itself as a Google-certified fingerprint (through spoofing).[1]

I know that CalyxOS spoofs the device signature to pass SafetyNet by default,[2] though it does not spoof the bootloader lock status. (It does support relocking, but only if the device is not rooted.) For LineageOS and all other Android-based OSes that I'm aware of, MagiskHide Props Config is the easiest way to spoof both the device signature and the bootloader lock status to pass SafetyNet.

[1] https://github.com/cnrd/MagiskHide-Props-Config#spoofing-dev...

[2] https://calyxos.org/news/2022/05/07/location-safetynet-fix/