Very interesting, thanks. Is this script part of the source distribution ?
Conversation
Replying to
The server code putting them in the database is here:
github.com/GrapheneOS/Att
Extract script takes them out of the database and arranges them in the format at github.com/GrapheneOS/Att with the certificate chains in separate files. The filter_props.sh script in there is used too.
1
I could automate it way more than I currently do. At the moment, I just copy the certificate chains into a special local branch of Auditor and run that to output the relevant data and then test that it works properly. Need to do it for both the TEE and StrongBox certificates.
1
I think that GM1913 sample was the most recent valid sample submitted. There was also a Mi MIX 2S submission claiming to have a green boot state but the attestation information says that the bootloader isn't locked, so it's either broken or has some kind of rootkit on it.
1
Both devices with valid samples supported since version 11 are now supported by the new stable release:
Quote Tweet
Auditor app version 12 released:
github.com/GrapheneOS/Aud
This release adds support for the OnePlus 6 A6003 and OnePlus 7 Pro GM1913.
See attestation.app/about and attestation.app/tutorial for info about the app and optional monitoring service.
1
Verifying a OnePlus 7 Pro, verification fails. I submitted a new sample.
1
1
There was an OS update between the first and second samples, so I hope they don't change the key at every update…
1
Replying to
The verified boot key never changes and the fingerprint is a hash of it so it doesn't change unless there's an update to the algorithm used to calculate it which shouldn't really be done once a device is shipped. Make sure you have Auditor version 12 on both Auditee and Auditor.
2
4B9201B11685BE6710E2B2BA8482F444E237E0C8A3D1F7F447FE29C37CECC559 is the correct key for the OnePlus 7 Pro entry in the Auditor database based on your earlier sample. Maybe you're just using an earlier version on the device where you're seeing the error?
1
Since the initial pairing attempt failed, you'll also need to either clear Auditor pairings on the Auditor side or Auditee pairings on the Auditee side in addition to resolving the issue. I'd like to add a button for undoing the attempted pairing on the Auditee in the future.