Yesterday I made an Auditor test to check the integrity of two devices, namely one Pixel 3a XL and the other a Pixel 5, both fully updated.

The first pairing was successful (green) on both parties, i.e. the Pixel 5 acting as the Auditor and Auditee and the same goes for the Pixel 3a XL. The second test with the Pixel 5 being an auditee and the Pixel 3a XL working as the auditor also went fine. However, the second test with the Pixel 3a XL acting as an auditee (device being verified) resulted in the following error:
Image Link to Auditor Result

Can anybody tell me what could have gone wrong or what the result actually means?

    That's very strange. Looks to me like an expired certificate that was only valid for 10 minutes on October 3rd. I'm curious what others will say about the cause of that... Maybe the app generates a very short-lived certificate for verification/pairing and the one it's trying to use now is the old one from the first test? I'd quit the app or restart the phone and try again. Maybe that'll fix the local verification. But TBH I don't know how the app works internally, so maybe I'm way off here.

    If the phone passed once and you haven't done anything sketchy with the OS it should still be fine.

    Anyway, you can just do remote verification following the instructions at this link: https://attestation.app/tutorial#scheduled-remote-verification. I wouldn't worry if the phone(s) pass the verification using the remote one.

      unwat thanks for your reply. I wasn't worried since my Pixel 3a XL isn't my main driver anymore, but still I think it was worth sharing.

      As MetropleX pointed out it could be because I was running an old release and therefore an old version of the Auditor app for the Pixel 3a XL. I'll try it out again now and will post the update here.

      I already did the remote verification for the Pixel 5 and everything was fine.

        MetropleX Thanks for your hint, but I was definitely running a release which was newer than the beginning of June. Auditor 47 was released on May 21st and shortly after there was the 2022052500 release. I think (before updating the Pixel 3a XL shortly after making the tests) I was running the release from the beginning/mid of July.

        I'll try it out again and will post the update here.

        I am still receiving errors.

        The first test with the Pixel 5 acting as auditee and Pixel 3a XL as auditor ran successfully.

        However the following tests resulted in the following things:

        After these tests the same errors occur again being:

        • When performing the test as an auditor on Pixel 5 I receive the certificate error (see first picture)
        • When performing the test as auditee on Pixel 5 I receive the "Pairing data for this Auditee is missing" (see second picture)

        Pixel 3a XL Android infos
        Pixel 5 Android infos

        I'll try to clear it and perform it once again and also will perform a remote attestation.

        achim
        No problem! MetropleX's suggestion was much better than mine haha. I was more replying because I was curious and wanted to see the solution.

        The most recent stable Auditor version is 59. My guess is your Pixel 5 is up to date and the 3a isn't? I checked, and since version 47 the lead dev added more key checks. I don't understand all of this certificate stuff at his level, but considering the changes he made it would make sense that version 47 isn't compatible with an up-to-date version. Can you update Auditor on your 3a?

        But I was right about the 10 minute thing from the initial post! In the code, it looks like the certificate used for pairing is set to have a 10 minute validity in case the clock is off.

        achim The "Pairing data for this Auditee is missing" error is caused by you making a mistake. You started doing an initial pairing and didn't finish so the Auditee thinks that it's paired and the Auditor doesn't have a record of it. You aren't showing the full error message for the initial error which makes it a lot more difficult to help. The date it has is October 3rd, so it's possible your clock is set incorrectly on the Pixel 3a which would result in errors.

          strcat I'll try it again using the two devices, however I showed the exact error messages above. (see https://discuss.grapheneos.org/d/1191-auditor-failed-integrity-check/6)

          The initial error is shown in the "Error Pixel 3a XL auditee" image.

          I cleared the auditee and auditor pairings and the local test results were reproducible. I also waited for the first test and I noticed the auditee QR code reading from the Pixel 3a XL takes a long time but I always let it finish.

          The date on the Pixel 3a XL is correct since I made the initial test on October 3rd, the other tests were made on October 7th.

          The remote attestations were successful for both devices. For the 3a XL and the 5 the first result was "Successfully performed basic initial verification and pairing." and the subsequent ones were "Successfully performed strong paired verification and identity confirmation."

          strcat You were of course right about the part "the Auditor doesn't have a record of it". When I performed the tests again I noticed a deviation of 6 minutes, although both devices are in the same exact time zone. I guess since there's no more SIM card in the Pixel 3a XL there was no mobile network to connect to and therefore the time wasn't set properly.

          So thank you again for the tip to look at the date/clock. The local tests now function correctly and I learned that both devices need to have the exact same time.
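
Added example (not part of the thread and not Auditor's own code): a small Python model of why a 6-minute clock deviation breaks a certificate with a 10-minute validity window, and how the failure type shows which way the issuing device's clock is off. The 5-minute split on each side of the issuer's clock, the 30-second transfer delay and the sample date are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# ASSUMPTION: the thread only states a 10-minute validity for the pairing
# certificate; splitting it as 5 minutes before and 5 minutes after the
# issuer's clock is an illustrative choice, not Auditor's confirmed values.
BACKDATE = timedelta(minutes=5)
FORWARD = timedelta(minutes=5)


def issue_window(issuer_clock):
    """Validity window stamped by the device that creates the certificate."""
    return issuer_clock - BACKDATE, issuer_clock + FORWARD


def check_window(not_before, not_after, verifier_clock):
    """Return (status, margin): margin is how far outside the window we are."""
    if verifier_clock < not_before:
        return "not-yet-valid", not_before - verifier_clock
    if verifier_clock > not_after:
        return "expired", verifier_clock - not_after
    return "valid", timedelta(0)


def simulate(issuer_offset, verifier_offset, transfer=timedelta(seconds=30)):
    """Issue on one device, verify on the other `transfer` later.

    Offsets are each device's clock error relative to true time.
    """
    true_time = datetime(2022, 10, 7, 12, 0, tzinfo=timezone.utc)  # constructed
    nb, na = issue_window(true_time + issuer_offset)
    return check_window(nb, na, true_time + transfer + verifier_offset)


def drift_table(minutes=(-6, -4, 0, 4, 6)):
    """Status for each issuer clock error, with an accurate verifier."""
    return {m: simulate(timedelta(minutes=m), timedelta(0))[0] for m in minutes}


if __name__ == "__main__":
    for drift, status in drift_table().items():
        print(f"issuer clock {drift:+d} min -> {status}")
```

Under these assumptions a drift of 4 minutes in either direction still verifies, while 6 minutes fails as "expired" when the issuer's clock is behind and as "not-yet-valid" when it is ahead.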