We've run into a few users on Pixel 3 phones where using key attestation with StrongBox creates a certificate with an invalid signature. This only happens with StrongBox. TEE keystore certificate chains still pass verification for these users. Is this a known issue?
Conversation
I could submit a bug on the issue tracker with the attached certificate chains, but I don't have a device where I can replicate this myself. We've in contact with 2 different users with this issue though. It's the first hop (signature from batch key) that fails.
1
We're unsure if it fails due to a bug in signing or if it corrupts the main public key certificate. This happens with both the stock OS and with GrapheneOS. At least one of the users installed Android 11 developer preview and then downgraded. Maybe that broke it?
Replying to
That shouldn't cause a problem. Can you open a bug and include an example certificate chain that demonstrates the problem?