It's a very difficult procedure and is tailored on a device-per-device basis; my crosshatch won't work for your sunfish. However, I can give you a brief idea of what you need to do.
I'll adapt slightly from my process and the build docs. To generate keys for sunfish you should follow a similar process:
mkdir -p keys/crosshatch
cd keys/crosshatch
../../development/tools/make_key releasekey '/CN=LineageOS/'
../../development/tools/make_key platform '/CN=LineageOS/'
../../development/tools/make_key shared '/CN=LineageOS/'
../../development/tools/make_key media '/CN=LineageOS/'
../../development/tools/make_key networkstack '/CN=LineageOS/'
openssl ecparam -name secp384r1 -genkey -noout | openssl pkcs8 -topk8 -scrypt -out avb.pem
../../external/avb/avbtool extract_public_key --key avb.pem --output avb_pkmd.bin
cd ../..
See, I use EC keys because it's supported on the Titan M and WAY more efficient on ARM, but I don't know what phone-to-phone changes Google has made, you know? It's why I'm hesitant to be exact, but I hope this helps.
signify -G -n -p keys/crosshatch/factory.pub -s keys/crosshatch/factory.sec
Of course I take the scripts from Graphene and encrypt the keys. You can also make your own and automate the process.
script/encrypt_keys.sh keys/crosshatch
Then follow the rest of the guide to turn the LineageOS image into a factory image. This is a step devs don't take on Lineage because it's hard enough to develop as it is.
When I took this route I updated once every few months. The build takes a while and a serious amount of RAM (24 GB in my case).
It will just swap out but that slows it down further.
Genning deltas is important too.
Also, you have to commit to Signed root, which means no Android Pay and stuff. Things that worked under Magisk won't. You have to accept this trade-off.
But yeah, my process was similar to this. I hope it sheds light on how much you kind of have to do your own footwork to get it working on a device-per-device basis. Every device has an ARM trusted zone. If you can figure it out for a OnePlus, I think there is a bounty for that on XDA. I don't have the time for OnePlus. LOL
@SgtAwesomesauce only slightly relevant to you since I mentioned signing builds you make. See convo history. You might be able to figure it out for the OP7 if you deem it worth your time.
Disclaimer. This was my own hack. I don't provide support LOL YMMV
but building on the knowledge is welcome
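
A pre-build check for the key directory built up by the commands in the post, as an added example that is not part of the original post or of any project's scripts. The file names come from those commands; the `audit_keys` function and its policy (owner-only permissions, a passphrase-encrypted `avb.pem`) are assumptions.

```shell
#!/bin/sh
# Added example: audit a signing-key directory before starting a build.
# Policy checked here is an assumption, not taken from any project script.

audit_keys() {
    dir=$1
    problems=0

    report() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    # Each make_key call writes NAME.pk8 (private key) and NAME.x509.pem (cert).
    for name in releasekey platform shared media networkstack; do
        [ -f "$dir/$name.pk8" ] || report "missing $name.pk8"
        [ -f "$dir/$name.x509.pem" ] || report "missing $name.x509.pem"
    done
    [ -f "$dir/avb.pem" ] || report "missing avb.pem"
    [ -f "$dir/avb_pkmd.bin" ] || report "missing avb_pkmd.bin"

    # Private material must carry no group or other permission bits.
    for f in "$dir"/*.pk8 "$dir/avb.pem" "$dir/factory.sec"; do
        [ -f "$f" ] || continue
        perms=$(ls -ld "$f" | cut -c5-10)
        [ "$perms" = "------" ] || report "$f is accessible beyond its owner"
    done

    # openssl pkcs8 -topk8 -scrypt writes an ENCRYPTED PRIVATE KEY PEM block;
    # any other header means the AVB key is stored in the clear.
    if [ -f "$dir/avb.pem" ] &&
       ! grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$dir/avb.pem"; then
        report "avb.pem is not passphrase-encrypted"
    fi

    echo "$problems problem(s) found"
    [ "$problems" -eq 0 ]
}

# Run directly as: sh audit_keys.sh keys/crosshatch
[ "$#" -eq 0 ] || audit_keys "$1"
```
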