From 94995232685b33e5906e12420ea7630eabbf2ee6 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Thu, 16 Feb 2023 09:36:56 -0500
Subject: [PATCH] Auditor as example to use for hardware attestation

---
 static/articles/attestation-compatibility-guide.html | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/static/articles/attestation-compatibility-guide.html b/static/articles/attestation-compatibility-guide.html
index 3284ae0f..05150de8 100644
--- a/static/articles/attestation-compatibility-guide.html
+++ b/static/articles/attestation-compatibility-guide.html
@@ -74,6 +74,15 @@
             with hardware attestation and fall back to the Play Integrity API or do both and
             accept either passing as success.</p>
 
+            <p>Our <a href="https://github.com/GrapheneOS/Auditor">MIT / Apache 2 licensed Auditor
+            app</a> can be used a reference implementation for verifying hardware-based
+            attestations. There are some subtleties in the verification process such as making
+            sure only the 2nd certificate in the chain (the one signing the certificate for the
+            key generated by your app) has an attestation extension to prevent making a fake
+            attestation by extending the chain. You can reuse our code and simply omit support for
+            an app generated attestation signing key (attest key) and the other pinning
+            support.</p>
+
             <p>After verifying the signature of the attestation certificate chain and extracting
             the attestation metadata, you can enforce that <code>verifiedBootState</code> is
             either <code>Verified</code> or <code>SelfSigned</code>. For the