Auditor as example to use for hardware attestation

2023-02-16 09:36:56 -05:00 · 2023-02-16 09:36:56 -05:00 · 9499523268
commit 9499523268
parent 7ad211f93b
1 changed files with 9 additions and 0 deletions
--- a/static/articles/attestation-compatibility-guide.html
+++ b/static/articles/attestation-compatibility-guide.html
@ -74,6 +74,15 @@
            with hardware attestation and fall back to the Play Integrity API or do both and
            accept either passing as success.</p>

+            <p>Our <a href="https://github.com/GrapheneOS/Auditor">MIT / Apache 2 licensed Auditor
+            app</a> can be used a reference implementation for verifying hardware-based
+            attestations. There are some subtleties in the verification process such as making
+            sure only the 2nd certificate in the chain (the one signing the certificate for the
+            key generated by your app) has an attestation extension to prevent making a fake
+            attestation by extending the chain. You can reuse our code and simply omit support for
+            an app generated attestation signing key (attest key) and the other pinning
+            support.</p>
+
            <p>After verifying the signature of the attestation certificate chain and extracting
            the attestation metadata, you can enforce that <code>verifiedBootState</code> is
            either <code>Verified</code> or <code>SelfSigned</code>. For the