diff --git a/apks/chromium/default.nix b/apks/chromium/default.nix index e8228430..a47f903e 100644 --- a/apks/chromium/default.nix +++ b/apks/chromium/default.nix @@ -2,7 +2,7 @@ # SPDX-License-Identifier: MIT { pkgs, callPackage, stdenv, stdenvNoCC, lib, fetchgit, fetchurl, fetchcipd, runCommand, symlinkJoin, writeScript, buildFHSUserEnv, autoPatchelfHook, buildPackages -, python2, python3, ninja, llvmPackages_11, nodejs, jre8, bison, gperf, pkg-config, protobuf, bsdiff +, python2, python310, ninja, llvmPackages_11, nodejs, jre8, bison, gperf, pkg-config, protobuf, bsdiff , dbus, systemd, glibc, at-spi2-atk, atk, at-spi2-core, nspr, nss, pciutils, util-linux, libkrb5, gdk-pixbuf , glib, gtk3, alsa-lib, pulseaudio, xdg-utils, libXScrnSaver, libXcursor, libXtst, libXdamage , libdrm, libxkbcommon @@ -143,6 +143,8 @@ let ''; }; + python3 = python310; + in stdenvNoCC.mkDerivation rec { pname = name; inherit version src; diff --git a/modules/apps/chromium.nix b/modules/apps/chromium.nix index 27faedde..a4a66386 100644 --- a/modules/apps/chromium.nix +++ b/modules/apps/chromium.nix @@ -19,6 +19,7 @@ let version = "O9eXFyC5ZkcYvDfHRLKPO1g1Xwf7M33wT3cuJtyfc0sC"; sha256 = "0bv8qx7snyyndk5879xjbj3ncsb5yxcgp8w0wwfrif3m22d1fn84"; }; + buildInputs = [ pkgs.libgcc ]; nativeBuildInputs = [ pkgs.autoPatchelfHook ]; installPhase = "mkdir -p $out/bin && cp aapt2 $out/bin/"; } + "/bin/aapt2"; diff --git a/modules/apps/fdroid.nix b/modules/apps/fdroid.nix index 7c2d9215..33bb8ced 100644 --- a/modules/apps/fdroid.nix +++ b/modules/apps/fdroid.nix 
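Review bot: The new let-binding `python3 = python310;` in apks/chromium/default.nix (second hunk, paired with the argument rename in the first hunk) shadows the usual `python3` name for the rest of the derivation without saying why the interpreter is pinned. A one-line comment above it, such as `# Pin to Python 3.10: <which build step breaks on newer interpreters>`, would tell the next maintainer when the pin can be dropped. Without that, the pin is likely to outlive its reason and keep the Chromium build on an interpreter release that eventually stops receiving fixes. The surrounding `let` block starts outside the hunk.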
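Review bot: The added `buildInputs = [ pkgs.libgcc ];` for the prebuilt aapt2 in modules/apps/chromium.nix gives no hint of which shared object it is there to satisfy. Presumably autoPatchelfHook needs it to resolve the GCC runtime library for the fetched binary; a trailing comment such as `# runtime library autoPatchelfHook must resolve for the prebuilt aapt2` would record that. This derivation repackages a downloaded executable pinned by the `version` and `sha256` visible above, so keeping its patched-in runtime dependencies explicit makes later audits of that binary easier. The derivation's opening lines are outside the hunk.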
@@ -76,8 +76,8 @@ in config = mkIf cfg.enable { apps.prebuilt."F-Droid" = { apk = pkgs.fetchurl { - url = "https://f-droid.org/repo/org.fdroid.fdroid_1017050.apk"; - sha256 = "sha256-3Du4j2QZ7n3efRVHpBVpqgMoL+AODcQ84DXv18nSfXU="; + url = "https://f-droid.org/repo/org.fdroid.fdroid_1019051.apk"; + sha256 = "sha256-FiyxS5O9m2Zf/0JWtPyRz+dftyM1oCsdD+vmBiILUPQ="; }; fingerprint = mkIf (!config.signing.enable) "7352DAE94B237866E7FB44FD94ADE44E8B6E05397E7D1FB45616A00E225063FF"; diff --git a/modules/release.nix b/modules/release.nix index e570d752..4c14b5f5 100644 --- a/modules/release.nix +++ b/modules/release.nix @@ -12,7 +12,7 @@ let jre = if (config.androidVersion >= 11) then pkgs.jdk11_headless else pkgs.jre8_headless; deps = with pkgs; [ otaTools openssl jre zip unzip pkgs.getopt which toybox vboot_reference util-linux - python # ota_from_target_files invokes, brillo_update_payload which has "truncate_file" which invokes python + python3 # ota_from_target_files invokes, brillo_update_payload which has "truncate_file" which invokes python ]; in '' export PATH=${lib.makeBinPath deps}:$PATH diff --git a/modules/signing.nix b/modules/signing.nix index 150a7bbc..f5ea4a67 100644 --- a/modules/signing.nix +++ b/modules/signing.nix @@ -17,6 +17,9 @@ let ++ (lib.optionals (config.androidVersion >= 10) [ "${config.device}/networkstack" ]) ++ (lib.optionals (config.androidVersion >= 11) [ "com.android.hotspot2.osulogin" "com.android.wifi.resources" ]) ++ (lib.optionals (config.androidVersion >= 12) [ "com.android.connectivity.resources" ]) + ++ (lib.optionals (config.androidVersion >= 13) [ "com.android.adservices.api" "com.android.safetycenter.resources" + "com.android.nearby.halfsheet" "com.android.uwb.resources" + "com.android.wifi.dialog"]) ++ (lib.optional config.signing.apex.enable config.signing.apex.packageNames) ++ (lib.mapAttrsToList (name: prebuilt: prebuilt.certificate) 
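Review bot: In modules/release.nix the swap to `python3` leaves the trailing comment saying the payload script "invokes python", so it is unclear whether the script runs `python` or `python3` by name. That matters because the next visible line is `export PATH=${lib.makeBinPath deps}:$PATH`: if the name the script expects is not shipped by the package in `deps`, lookup falls through to whatever interpreter is on the caller's PATH, and the release script would then run an unpinned host tool. I would reword the comment to name the exact command, e.g. `python3 # brillo_update_payload's truncate_file runs <command name>; must resolve from deps, not the host PATH`, and confirm the package provides that name. The `deps` list and the script body extend outside the hunk.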
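Review bot: The five Android 13 key names added to the key list in modules/signing.nix are repeated by hand in the path-to-key map added in the `@@ -182,6 +185,13 @@` hunk of the same file, and nothing ties the two together. If a later edit adds a name in one place and not the other, the build would presumably either skip generating that key or leave the module's APK on the certificate shipped in the source tree, which for AOSP is a publicly known test key; how a missing mapping is handled should be confirmed. A short comment on both additions, e.g. `# keep in sync with the Android 13 entries in the key-path map below`, or deriving the list from the map's values, would close that gap. As a minor style point, `"com.android.wifi.dialog"])` lacks the space before `]` that the neighbouring lines use.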
@@ -182,6 +185,13 @@ in "packages/modules/Wifi/service/ServiceWifiResources/resources-certs/com.android.wifi.resources" = "com.android.wifi.resources"; "packages/modules/Connectivity/service/ServiceConnectivityResources/resources-certs/com.android.connectivity.resources" = "com.android.connectivity.resources"; } + // lib.optionalAttrs (config.androidVersion >= 13) { + "packages/modules/AdServices/adservices/apk/com.android.adservices.api" = "com.android.adservices.api"; + "packages/modules/Permission/SafetyCenter/Resources/com.android.safetycenter.resources" = "com.android.safetycenter.resources"; + "packages/modules/Connectivity/nearby/halfsheet/apk-certs/com.android.nearby.halfsheet" = "com.android.nearby.halfsheet"; + "packages/modules/Uwb/service/ServiceUwbResources/resources-certs/com.android.uwb.resources" = "com.android.uwb.resources"; + "packages/modules/Wifi/WifiDialog/certs/com.android.wifi.dialog" = "com.android.wifi.dialog"; + } # App-specific keys // lib.mapAttrs' (name: prebuilt: lib.nameValuePair "robotnix/prebuilt/${prebuilt.name}/${prebuilt.certificate}" prebuilt.certificate) @@ -209,7 +219,7 @@ in ${config.source.dirs."system/extras".src}/verity/generate_verity_key.c \ ${config.source.dirs."system/core".src}/libcrypto_utils/android_pubkey.c${lib.optionalString (config.androidVersion >= 12) "pp"} \ -I ${config.source.dirs."system/core".src}/libcrypto_utils/include/ \ - -I ${pkgs.boringssl}/include ${pkgs.boringssl}/lib/libssl.a ${pkgs.boringssl}/lib/libcrypto.a -lpthread + -I ${pkgs.boringssl.dev}/include ${pkgs.boringssl}/lib/libssl.a ${pkgs.boringssl}/lib/libcrypto.a -lpthread cp ${config.source.dirs."external/avb".src}/avbtool $out/bin/avbtool diff --git a/pkgs/fetchgit/builder.sh b/pkgs/fetchgit/builder.sh deleted file mode 100644 index 0047a335..00000000 --- a/pkgs/fetchgit/builder.sh +++ /dev/null 
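Review bot: The compile line for generate_verity_key now takes headers from `${pkgs.boringssl.dev}` but still takes `libssl.a` and `libcrypto.a` from the bare `${pkgs.boringssl}`, which relies on the package's default output continuing to hold the static archives. Selecting both outputs explicitly, e.g. `-I ${lib.getDev pkgs.boringssl}/include ${lib.getLib pkgs.boringssl}/lib/libssl.a ${lib.getLib pkgs.boringssl}/lib/libcrypto.a -lpthread`, keeps headers and archives visibly paired and follows the archives if they are later moved to a separate output. Since this binary generates verity keys, a comment noting that it links the BoringSSL version pinned by nixpkgs would also help anyone auditing the signing toolchain. The compiler invocation starts outside the hunk.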
@@ -1,17 +0,0 @@ -# tested so far with: -# - no revision specified and remote has a HEAD which is used -# - revision specified and remote has a HEAD -# - revision specified and remote without HEAD -source $stdenv/setup - -header "exporting $url (rev $rev) into $out" - -$SHELL $fetcher --builder --url "$url" --out "$out" --rev "$rev" \ - ${leaveDotGit:+--leave-dotGit} \ - ${fetchLFS:+--fetch-lfs} \ - ${deepClone:+--deepClone} \ - ${fetchSubmodules:+--fetch-submodules} \ - ${branchName:+--branch-name "$branchName"} - -runHook postFetch -stopNest diff --git a/pkgs/fetchgit/default.nix b/pkgs/fetchgit/default.nix deleted file mode 100644 index bccfbb25..00000000 --- a/pkgs/fetchgit/default.nix +++ /dev/null 
@@ -1,94 +0,0 @@ -{lib, stdenvNoCC, git, git-lfs, cacert}: let - urlToName = url: rev: let - inherit (lib) removeSuffix splitString last; - base = last (splitString ":" (baseNameOf (removeSuffix "/" url))); - - matched = builtins.match "(.*)\\.git" base; - - short = builtins.substring 0 7 rev; - - appendShort = if (builtins.match "[a-f0-9]*" rev) != null - then "-${short}" - else ""; - in "${if matched == null then base else builtins.head matched}${appendShort}"; -in -{ url, rev ? "HEAD", md5 ? "", sha256 ? "", hash ? "", leaveDotGit ? deepClone -, fetchSubmodules ? true, deepClone ? false -, branchName ? null -, name ? urlToName url rev -, # Shell code executed after the file has been fetched - # successfully. This can do things like check or transform the file. - postFetch ? "" -, preferLocalBuild ? true -, fetchLFS ? false -, # Shell code to build a netrc file for BASIC auth - netrcPhase ? null -, # Impure env vars (https://nixos.org/nix/manual/#sec-advanced-attributes) - # needed for netrcPhase - netrcImpureEnvVars ? [] -}: - -/* NOTE: - fetchgit has one problem: git fetch only works for refs. - This is because fetching arbitrary (maybe dangling) commits may be a security risk - and checking whether a commit belongs to a ref is expensive. This may - change in the future when some caching is added to git (?) - Usually refs are either tags (refs/tags/*) or branches (refs/heads/*) - Cloning branches will make the hash check fail when there is an update. - But not all patches we want can be accessed by tags. - - The workaround is getting the last n commits so that it's likely that they - still contain the hash we want. - - for now : increase depth iteratively (TODO) - - real fix: ask git folks to add a - git fetch $HASH contained in $BRANCH - facility because checking that $HASH is contained in $BRANCH is less - expensive than fetching --depth $N. - Even if git folks implemented this feature soon it may take years until - server admins start using the new version? 
-*/ - -assert deepClone -> leaveDotGit; - -if md5 != "" then - throw "fetchgit does not support md5 anymore, please use sha256" -else if hash != "" && sha256 != "" then - throw "Only one of sha256 or hash can be set" -else -stdenvNoCC.mkDerivation { - inherit name; - builder = ./builder.sh; - fetcher = ./nix-prefetch-git; # This must be a string to ensure it's called with bash. - - nativeBuildInputs = [ git ] - ++ lib.optionals fetchLFS [ git-lfs ]; - - outputHashAlgo = if hash != "" then null else "sha256"; - outputHashMode = "recursive"; - outputHash = if hash != "" then - hash - else if sha256 != "" then - sha256 - else - lib.fakeSha256; - - inherit url rev leaveDotGit fetchLFS fetchSubmodules deepClone branchName postFetch; - - postHook = if netrcPhase == null then null else '' - ${netrcPhase} - # required that git uses the netrc file - mv {,.}netrc - export HOME=$PWD - ''; - - GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt"; - - impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ netrcImpureEnvVars ++ [ - "GIT_PROXY_COMMAND" "NIX_GIT_SSL_CAINFO" "SOCKS_SERVER" - "ROBOTNIX_GIT_MIRRORS" - ]; - - inherit preferLocalBuild; -}