verify

v0.0.0-...-7611786
Published: Mar 13, 2025 License: Apache-2.0, BSD-3-Clause, MIT

README

Verifier of Binary Transparency for Pixel Factory Images

This repository contains code to read two transparency logs:

  • Pixel Transparency Log
  • Google System APK Transparency Log

See the particular section for this tool:

Files and Directories

  • cmd/verifier/
    • Contains the binary to read any of the transparency logs. It is embedded with the public keys of the logs to verify log identity.
  • internal/
    • Internal libraries for the verifier binary.

Build

This module requires Go 1.17. Install here, and run go build cmd/verifier/verifier.go.

An executable named verifier should be produced upon successful build.

Usage

The verifier uses the associated checkpoint (depending on the target log) and the log contents to check that your candidate binary is included in the transparency log, i.e. that it is published by Google. The tile directory for each supported log is listed below:

  • Pixel Transparency Log
    • https://developers.google.com/android/binary_transparency/tile/
  • Google System APK Transparency Log
    • https://developers.google.com/android/binary_transparency/google1p/tile/

To run the verifier after you have built it in the previous section:

$ ./verifier --payload_path=${PAYLOAD_PATH} --log_type=<log_type>

where log_type is either pixel or google_system_apk.

Input

The verifier takes a payload_path and a log_type as input.

Pixel

Each Pixel Factory image corresponds to a payload stored in the transparency log, the format of which is:

<build_fingerprint>\n<vbmeta_digest>\n

See here for a few methods detailing how to extract this payload from an image.

Google System APK

Each Google System APK corresponds to a payload stored in the transparency log, the format of which is:

<hash>\n<hash_description>\n<package_name>\n<package_version_code>\n

Currently, hash_description is fixed as SHA256(Signed Code Transparency JWT). See here to find out how to construct this payload from a candidate APK.
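
A pre-flight check for the payload file, added here as an example (it is not part of the verifier's own code): CheckPayload is a hypothetical helper that enforces the two payload layouts above, so a file with CRLF line endings, a missing final newline or the wrong field count is caught before the inclusion check reports FAILURE. All sample values are constructed.

```go
package main

import (
	"bytes"
	"fmt"
)

// Fixed hash_description value stated in the README.
const apkHashDescription = "SHA256(Signed Code Transparency JWT)"
// fieldCount maps each --log_type value to the number of "\n"-terminated fields.
var fieldCount = map[string]int{"pixel": 2, "google_system_apk": 4}

// CheckPayload (hypothetical helper) reports the first layout error in a payload file.
func CheckPayload(logType string, data []byte) error {
	want, ok := fieldCount[logType]
	if !ok {
		return fmt.Errorf("unknown log_type %q", logType)
	}
	if bytes.ContainsRune(data, '\r') {
		return fmt.Errorf("payload contains CR; fields must end in a bare LF")
	}
	if !bytes.HasSuffix(data, []byte("\n")) {
		return fmt.Errorf("last field is not terminated by LF")
	}
	fields := bytes.Split(bytes.TrimSuffix(data, []byte("\n")), []byte("\n"))
	if len(fields) != want {
		return fmt.Errorf("%s payload needs %d fields, got %d", logType, want, len(fields))
	}
	for i, f := range fields {
		if len(f) == 0 {
			return fmt.Errorf("field %d is empty", i+1)
		}
	}
	if logType == "google_system_apk" && string(fields[1]) != apkHashDescription {
		return fmt.Errorf("hash_description must be %q", apkHashDescription)
	}
	return nil
}

func main() {
	// Constructed sample payloads; none of these values come from a real log.
	samples := [][2]string{
		{"pixel", "example/fp:0/BUILD/1:user/release-keys\n0123abcd\n"},
		{"pixel", "example/fp:0/BUILD/1:user/release-keys\r\n0123abcd\r\n"},
		{"google_system_apk", "0123abcd\nSHA256\ncom.example.app\n1"},
	}
	for _, s := range samples {
		fmt.Printf("%-17s %q -> %v\n", s[0], s[1], CheckPayload(s[0], []byte(s[1])))
	}
}
```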

Output

The output of the command is written to stdout:

  • OK. inclusion check success! if the candidate binary is included in the log. Depending on which log, this means either the Pixel claim or the Google System APK claim is true,
  • FAILURE otherwise.

Directories

  • cmd/verifier (command)
    • Binary `verifier` checks the inclusion of a particular Pixel Factory Image, identified by its build_fingerprint and vbmeta_digest (the payload), in the Transparency Log.
  • internal/checkpoint
    • Package checkpoint implements methods to interact with checkpoints as described below.
  • internal/tiles
    • Package tiles contains methods to work with tlog based verifiable logs.
