Verifying OS Image is equivalent to open source (GitHub)

testing123

Hello,
I was reading this post about the verified boot hash vs verified boot hash key and was wondering if there is a way to verify that the Grapheneos factory image we download is equivalent to the source code on GitHub without trusting graphene (presumably using the verified boot hash?).

I'm aware this hash will change every time an update goes live, but it seems useful to know that the OS I've downloaded matches the open source on GitHub before using Graphene. Perhaps there is a more obvious answer to all of this, apologies if this is a dumb question I'm a noob here.

treequell

testing123 By performing verification of the OS with the Auditor app, it's one of the post-installation steps in the install guide, and doing so after installation is essentially what the app was designed for.

casualmilkenjoyer

testing123
You could always build it yourself and diff the result with the official release. There would be some small differences due to signing and possibly from discrepancies in the tooling (I assume the builds are reproducible to allow the auditor app to work. Or is the auditor just checking signature integrity? I need to educate myself on this). Either way, it would be possible to narrow down any differences to non-nefarious reasons.

GrapheneOS

testing123 Our builds are reproducible if you want to build and compare. You need to do a file-based comparison and ignore signatures and public keys since what we publish are signed release builds. Android has tools to help with this.

testing123 At a file level, there aren't differences beyond the release key signature and metadata (public keys, etc.). You don't have our signing keys so you of course can't reproduce the signatures. The signatures and public keys are changed from the AOSP test keys to your release keys when you sign a release with the Android signing tools.

testing123

treequell Ah yes, but using the Auditor app still places trust in Graphene to tell us that the OS hash is correct, right? And after reading the install guide, my understanding was that the verified boot public key is used to verify the OS is genuine and supplied by Graphene, not necessarily that it is equivalent to what is in GitHub.

I guess my question is how can we determine the hash of what we download from Graphene OS servers is equivalent to X GitHub release. I'm assuming the process would be to download OS from Graphene servers, generate the hash, then download source code from GitHub, build code, then generate the hash and compare to ensure these are the same.

[deleted]

https://grapheneos.org/install/web#verifying-installation

testing123

casualmilkenjoyer Yeah this pretty much answers what I was trying to ask, thanks. Would be cool too to hear any more opinions/knowledge on those "differences" or if there's an easier way to verify this.

GrapheneOS

casualmilkenjoyer Auditor is using hardware-based attestation which includes both the OS verified boot key hash and verified boot hash among other things like the OS patch level. It's not checking or obtaining these things itself. Everything it obtains itself is in a separate lower security section labelled "Information provided by the verified OS".

matchboxbananasynergy

testing123 I guess my question is how can we determine the hash of what we download from Graphene OS servers is equivalent to X GitHub release. I'm assuming the process would be to download OS from Graphene servers, generate the hash, then download source code from GitHub, build code, then generate the hash and compare to ensure these are the same.

Essentially. Efforts are currently being put into making this easier folks:

https://github.com/flawedworld/grapheneos-reproducibility

Keep in mind that at this point, this is unofficial, but that's essentially what you want once it's ready.