How is trust in grapheneOS supposed to be established?

NewDewed678

Hello everyone,

I am not a very technicality savvy user, and I was unable to find an answer this question with my cursory searching(not that it does not exist, this may entirely be due to my own incompetence).

From the few other privacy preserving software that I have used in the past as far as I understand it "trust" is established through a sort of chain of custody usually involving a cryptographic signature(PGP). What I have done for those other software to satisfy myself that I can "trust" these programs is to check that the keys have a reasonable history (appropriate documentation of private key storage, proper revocation and rotation of keys) exist in multiple independent locations (keyservs, wayback archive, etc.), have some prominent persons I place some trust in vouch for the project , warrant canaries and so on and so forth. Again I am no power user, and the nitty-gritty of security culture escape me but at least as far as my limited understanding this is usually sufficient to establish a baseline of trust.

For grapheneOS I was unable to do this same process. While I was able to verify the signature using the basic guide using ssh-keygen, I could not to establish much in the way of a history or why I should trust the signature. Along with this nearly all of the sources for verification came from this site itself, and I was not quite able to figure out where else I could possibly search for a second party source. I still find myself inclined to trust this project, given I have heard good things about this project in the privacy community for years, and see no reason to suspect anything untoward, but this is -from what little I understand- not in line with best practice.

Is this intended, or is there something obvious I am missing here. I do apologize if this is something I should know without asking. Again I must reiterate I am not technically inclined so if you are willing to answer please feel free to dumb it down for me. I would appreciate any help greatly.

Thanks in advance,
NewDewed

de0u

NewDewed678 That is an interesting question. In practice most people are using the web installer which relies on SSL certificates.

The Internet Archive appears to have a bunch of snapshots of allowed_signers: https://web.archive.org/web/20250000000000*/https://releases.grapheneos.org/allowed_signers

Watermelon

NewDewed678 You're probably looking for this:
https://play.google.com/store/apps/details?id=app.attestation.auditor.play
Install this on a preexisting, up-to-date Android device you already trust. This app comes preinstalled on GrapheneOS, so you only have to install it on the other device. This app is programmed to recognize the cryptographic signature of Google Pixels' secure elements. This means that counterfeit Google Pixel secure elements would not be reported as Pixels by this app. It's also programmed to recognize the correct official GrapheneOS verified boot keys. Unofficial/fake verified boot keys would not be reported as GrapheneOS's by this app.

Why is it secure?

On the other Android device: Your device came from the factory with Google Play Store preinstalled and is part of verified boot due to this. The Google Play Store app recognizes its servers with a hardcoded certificate rather than any CA issuing a certificate for their servers. It also only recognizes app metadata signed by Google themselves, and uses this app metadata to verify apps you download from Google Play Store before it starts their installation. This means you know you have the Auditor app as was uploaded by the GrapheneOS team to Google Play Store.
On the GrapheneOS device: Google Pixels' secure elements recognize some of the other, important components of a real Google Pixel cryptographically, such as the CPU (the communication between the secure element and the main CPU is encrypted with a hardwired key from the factory), so someone couldn't take out the secure element and implant it in a counterfeit Pixel and expect it to work (but someone could add rogue components like a microphone and an antenna inside the device, so it doesn't protect from the device having been tampered with prior to being shipped to you). Once the initial pairing with Auditor is complete, future checks will only pass if they come from the secure element of your specific device. You can keep using Auditor to obtain security-related information about the GrapheneOS device — the hardware-verified section cannot be faked by an attacker with root-level access to the GrapheneOS device, and both the hardware-verified section and OS-verified section cannot be faked by an attacker controlling or spoofing the display on the GrapheneOS device.

Once you establish trust with your new GrapheneOS device, you can use the Auditor app preinstalled in GrapheneOS to verify new GrapheneOS devices with higher security than the Auditor app from Google Play Store. Apps on Google Play Store can be modified by Google at first install, and (unique to Google Play Store) also at any future update due to Google mandating app developers to upload their signing keys to Google Play. The preinstalled Auditor app, however, is part of the official GrapheneOS releases signed directly by them and covered by verified boot on GrapheneOS.

soul-adrift

Your question is interesting to me because I think one can state that there are technical trust mechanisms and there is social trust; that is, social trust in a project, its leadership and the developers. You have a reply already about the technical trust mechanisms. I offer that social trust is also worth discussion.

Perhaps we could say that social trust is earned and from my perspective the GrapheneOS project, its leadership, and developers have really earned my trust.

How does a new user evaluate this social trust for themselves when arriving at the project? I am fortunate to have followed this project since CopperheadOS but my approach for a new user is to invite them to read the documentation on the website.

The GrapheneOS documentation is special, very special. There is everything you need on the website: the how to do something, the technical descriptions and, very unusually, the very detailed explanations of why something is as it is and what alternatives you might have.

You cannot come away from reading (all) that documentation and not know that the writer cares about the project and the users; and for me this is about social trust.

Writing documentation like that on the GrapheneOS website is what I would call earning (social) trust - and in a big way. I cannot thank those involved enough, ever.

some further thoughts ...

The concept of social trust in the GrapheneOS project was touched on in a recent, otherwise positive, review of GOS by lwn.net. Reading the review, the responses and the misunderstandings made me very sad indeed because I have followed LWN/'the editor' since 1999 and Graphene/CopperheadOS since 2016. Both are very, very special contributors to the free/opensource domain.

I was sad because the lwn article touched on the social trust issues and there were two problems:

Firstly, the writing style. The lwn 'grumpy editor' house style and its wit has been loved and cherished for more than 25 years by the readers. It is reserved for the free/opensource projects that touch on the editor's personal life, like a mobilephone OS ... but, if your first encounter with this style is through a subscriber link to an article about a project you cherish, then you have little hope of grasping the esteemed editor's self-deprecating style.

Secondly, the lwn article brought up some history and had a rather negative discussion on issues of (social) trust ... but failed to mention GrapheneOS documentation and all the positives it implies about the social trust a user can have in the project.

The 'editor' is a busy guy and reading the article, as a GrapheneOS user, I doubt he had had the time to read all the documentation ... and so I suspect he missed the opportunity to realise that the GrapheneOS project really earns and deserves social trust through its excellent documentation.

(These are the further thoughts and remarks I would wish to have added to that lwn article's comments if our community manager were so willing to oblige).

soul-adrift

A bit of a cross post this, sorry. Someone can remove it if they wish, but I thought it belonged here.

soul-adrift Reading the review, the responses and the misunderstandings made me very sad indeed because I have followed LWN/'the editor' since 1999 and Graphene/CopperheadOS since 2016. Both are very, very special contributors to the free/opensource domain.

I was sad because the lwn article touched on the social trust issues and there were two problems:

Firstly, the writing style. The lwn 'grumpy editor' house style and its wit has been loved and cherished for more than 25 years by the readers. It is reserved for the free/opensource projects that touch on the editor's personal life, like a mobilephone OS ... but, if your first encounter with this style is through a subscriber link to an article about a project you cherish, then you have little hope of grasping the esteemed editor's self-deprecating style.

Secondly, the lwn article brought up some history and had a rather negative discussion on issues of (social) trust ... but failed to mention GrapheneOS documentation and all the positives it implies about the social trust a user can have in the project.

The 'editor' is a busy guy and reading the article, as a GrapheneOS user, I doubt he had had the time to read all the documentation ... and so I suspect he missed the opportunity to realise that the GrapheneOS project really earns and deserves social trust through its excellent documentation.

(These are the further thoughts and remarks I would wish to have added to that lwn article's comments if our community manager were so willing to oblige).

NewDewed678

I did not realize how active this forum was, thank you for the prompt answers and please forgive me for the discourtesy of taking so long to reply.

@de0u

The Internet Archive appears to have a bunch of snapshots of allowed_signers

This is precisely what I hoping to find earlier. It seems I am growing worse at surfing the information superhighway. Thanks for this.

@Watermelon

app recognizes its servers with a hardcoded certificate rather than any CA issuing a certificate for their servers. It also only recognizes app metadata signed by Google themselves, an
the communication between the secure element and the main CPU is encrypted with a hardwired key from the factory
Ah I see. I had not understood that the internals of the attestation app relied on untouched hardware signatures. I incorrectly thought that it was a sort of "secure boot" situation where the signatures were self signed and implemented and relied on one's trust in the project itself to provide ongoing protection. My error.

@soul-adrift

Trust is indeed a tricky problem in cyberspace. Hopefully I do not wade into a controversy if I say that I like to think that since the privacy and libre software community is ornery enough to kick up a fuss over not following best practices, there would be hell raised if there were anything untoward occuring in a well known project such as this.

Anyways. All your help is greatly appreciated. I've just installed grapheneOS on my phone with confidence. Thanks again for taking the time to reply!

Cheers,
-Newdewed

Watermelon

NewDewed678 Ah I see. I had not understood that the internals of the attestation app relied on untouched hardware signatures. I incorrectly thought that it was a sort of "secure boot" situation where the signatures were self signed and implemented and relied on one's trust in the project itself to provide ongoing protection. My error.

Technically it does both: it verifies that the response comes from a (or your) Pixel, and then checks the response to see which custom verified boot key is installed, and whether the bootloader is locked. GrapheneOS is self-signed, but the Auditor app can be installed securely from Google Play Store, so you can securely verify that you installed the correct key. And when it switches to check for your Pixel's signature, that's another form of self-signing because it uses a signing key that it created specifically for you to do the attestation with, and signs the response with that. So there's self-signing, but there's the critical pieces to bootstrap the trust in the correct signatures, based on Pixel's hardware signature and Google Play's signature.