From 4eb320eca953f14a266c2cd67e6175190a077353 Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Fri, 22 Dec 2023 10:10:13 -0500 Subject: [PATCH] add link to key attestation library --- .../attestation-compatibility-guide.html | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/static/articles/attestation-compatibility-guide.html b/static/articles/attestation-compatibility-guide.html index db62d330..fe5f89fa 100644 --- a/static/articles/attestation-compatibility-guide.html +++ b/static/articles/attestation-compatibility-guide.html @@ -57,14 +57,15 @@ with hardware attestation and fall back to the Play Integrity API or do both and accept either passing as success.

-

Our MIT / Apache 2 licensed Auditor - app can be used a reference implementation for verifying hardware-based - attestations. There are some subtleties in the verification process such as making - sure only the 2nd certificate in the chain (the one signing the certificate for the - key generated by your app) has an attestation extension to prevent making a fake - attestation by extending the chain. You can reuse our code and simply omit support for - an app generated attestation signing key (attest key) and the other pinning - support.

+

Google provides a key + attestation library with examples. Our MIT + / Apache 2 licensed Auditor app can be used a reference implementation for + verifying hardware-based attestations. There are some subtleties in the verification + process such as making sure only the 2nd certificate in the chain (the one signing the + certificate for the key generated by your app) has an attestation extension to prevent + making a fake attestation by extending the chain. You can reuse our code and simply + omit support for an app generated attestation signing key (attest key) and the other + pinning support.

After verifying the signature of the attestation certificate chain and extracting the attestation metadata, you can enforce that verifiedBootState is