2013-11-15

I have an unlocked but not rooted Android device (Nexus 7 2013 WiFi "flo", legitimately unlocked using fastboot oem unlock from an x86 computer). Neither adb root nor adb shell followed by su let me gain root or write to /system/xbin/su. Installing F-Droid's Superuser app didn't help to gain an initial root (see https://f-droid.org/wiki/page/org.fdroid.superuser ).

fastboot works to affect the device, so I should be able to get root by flashing a recovery-boot image that lets me modify the system. That's my goal. But ClockworkMod's recovery images are hosted on download2.clockworkmod.com and TWRP's on techerrata.com and neither has a valid TLS certificate, nor is PGP-signed, nor even has a SHA hash shown anywhere. I want to prevent any MITM from getting root access to my tablet.

There's a ROM Manager app on Google Play to install these images using a GUI, but I haven't found any evidence it does anything different than downloading those same recovery images over unauthenticated HTTP. If ROM Manager were in the F-Droid app store that'd be a modest sign of trustworthiness, but it isn't.

Maybe the source code is better? ClockworkMod and TWRP are apparently open-source and on GitHub, which has tolerable security if they're using it right. The build process apparently involves AOSP (Android Open Source Project), thus 8-30 GB of disk, 16 GB RAM/swap(?!) and a lot of steps (see http://source.android.com/source/building.html). According to Replicant developers I chatted with on IRC, those "sources" themselves contain many binaries (cross-compiling toolchains and other) without systematic documentation and it takes days of human effort to actually build everything from source (unless you've already done it a lot). In some cases builds only work on Ubuntu (apparently?). The SDK only works as 32-bit x86 because it would be buggy if built for x86_64 (never mind other arches like ARM). So, clearly I can't expect too much from either upstream (Google) or modders.

I think the least risky thing might be to build AOSP recovery (fewer non-security-conscious middlemen than the modded versions), from "source", downloaded via HTTPS, in a fresh VM. Except: unmodified AOSP recovery images don't grant root, and I haven't yet found out if there's a simple way to modify the source so that they would.

Any clear instructions for even one way to get root on my device without trusting unauthenticated downloads that any MITM can modify would be lovely.

Replacing the OS with AOSP or CyanogenMod is fine if necessary and trustworthy, but as far as I can tell, I can't do that without first flashing a recovery image and/or getting root on the stock Google Android. Chicken and egg problem.

(Posting this on security.SE rather than android.SE because y'all will understand what I want security-wise and why I might want it. The hundreds of web pages by Android modders that I've found don't discuss my concerns at all.)
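The control the question is asking for, expressed as a guard around the flash step: refuse to hand an image to fastboot unless its SHA-256 matches a value obtained over a channel you trust (a signed release note, a hash read out by the maintainer over an authenticated connection, or one you computed from a build you did yourself). This is an added example, not code from the post or from the ClockworkMod/TWRP projects; it assumes sha256sum and fastboot are on PATH, and the expected hash is whatever you verified out of band.

```shell
#!/bin/sh
# Added example: verify a recovery image against a pinned SHA-256 before flashing.
# The expected hash must come from an authenticated source; a hash fetched over
# the same unauthenticated HTTP as the image gives no protection against a MITM.

# verify_image FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 equals EXPECTED_HEX (case-insensitive), 1 otherwise.
verify_image() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "verify_image: no such file: $file" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_image: SHA-256 mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# flash_recovery FILE EXPECTED_HEX
# Only invokes fastboot when the image passed verification; a mismatch aborts
# before anything touches the device.
flash_recovery() {
    verify_image "$1" "$2" || return 1
    fastboot flash recovery "$1"
}

# Usage (EXPECTED_SHA256 is a placeholder for the hash you verified out of band):
#   flash_recovery recovery.img "$EXPECTED_SHA256"
```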