Hi,

so I recently flashed GrapheneOS to a Pixel 5.

After completing the setup via the CLI on Windows, I tried to conduct a verification through Auditor.

The first three results were that the public key could not be verified and the text was red.
Unfortunately, I didn't take a screenshot since I thought it was an error on my side.

After connecting it to a network via Tor, the verification with another device as well as the remote attestation was successful.
I tried it again multiple times and always received positive results and the message "Successfully performed strong paired verification and identity confirmation".

I then read the instructions more carefully: "However, it's possible that the computer you used to flash the OS was compromised, leading to flashing a malicious verified boot public key and images. ... Ideally, you should also do this before connecting the device to the network, so an attacker can't proxy to another device (which stops being possible after the initial verification)"

I don't think that I'm a targeted person, but I want to make sure that it's now safe to use this device. I also don't believe that my private PC is compromised.

Has anyone had this kind of problem yet? Can maybe someone from the team chime in? What should my next steps look like? Is it sensible to reflash or factory reset the device? I don't have any personal things stored on the device yet.

    attestationq So I factory reset the device and wasn't able to reproduce the problem at hand. I cleared the auditee and auditor pairings for the device performing the verification (= Auditor) and started the pairing offline, one time as Auditee and vice versa. I did this three times and got "Successfully performed strong paired verification and identity confirmation".

    But to my technical understanding, the creation and storage of the verified boot public key happen when flashing.