| Name | Date | Size | #Lines | LOC | ||
|---|---|---|---|---|---|---|
| .. | - | - | ||||
| cmd/verifier/ | 04-Jul-2025 | - | 148 | 102 | ||
| internal/ | 04-Jul-2025 | - | 648 | 501 | ||
| README.md | D | 04-Jul-2025 | 3.3 KiB | 57 | 45 | |
| go.mod | D | 04-Jul-2025 | 242 | 11 | 7 | |
| go.sum | D | 04-Jul-2025 | 1.8 KiB | 19 | 18 |
README.md
1# Verifier of Binary Transparency for Pixel Factory Images 2 3This repository contains code to read the transparency log for two logs: 4 * [Pixel Factory Images Binary Transparency](https://developers.google.com/android/binary_transparency/pixel_overview). 5 * [Google System APK Transparency](https://developers.google.com/android/binary_transparency/google1p/overview) 6 7See the particular section for this tool: 8 * [Pixel](https://developers.google.com/android/binary_transparency/pixel_verification#verifying-image-inclusion-inclusion-proof) 9 * [Google System APKs](https://developers.google.com/android/binary_transparency/google1p/verification_details#verifying_package_inclusion_inclusion_proof) 10 11## Files and Directories 12* `cmd/verifier/` 13 * Contains the binary to read any of the transparency logs. It is embedded with the public keys of the logs to verify log identity. 14* `internal/` 15 * Internal libraries for the verifier binary. 16 17## Build 18This module requires Go 1.17. Install [here](https://go.dev/doc/install), and run `go build cmd/verifier/verifier.go`. 19 20An executable named `verifier` should be produced upon successful build. 21 22## Usage 23The verifier uses the associated checkpoint (depending on the target log) and the log contents to check that your candidate binary is included in the transparency log, i.e. that it is published by Google. The tile directory for each supported log is listed below: 24 * Pixel Transparency Log 25 * `https://developers.google.com/android/binary_transparency/tile/` 26 * Google System APK Transparency Log 27 * `https://developers.google.com/android/binary_transparency/google1p/tile/` 28 29To run the verifier after you have built it in the previous section: 30``` 31$ ./verifier --payload_path=${PAYLOAD_PATH} --log_type=<log_type> 32``` 33where `log_type` is either `pixel` or `google_system_apk`. 34 35### Input 36The verifier takes a `payload_path` and a `log_type `as input. 37 38#### Pixel 39Each Pixel Factory image corresponds to a [payload](https://developers.google.com/android/binary_transparency/pixel_overview#log_content) stored in the transparency log, the format of which is: 40``` 41<build_fingerprint>\n<vbmeta_digest>\n 42``` 43See [here](https://developers.google.com/android/binary_transparency/pixel_verification#construct-the-payload-for-verification) for a few methods detailing how to extract this payload from an image. 44 45#### Google System APK 46Each Google System APK corresponds to a [payload](https://developers.google.com/android/binary_transparency/google1p/overview#log_content) stored in the transparency log, the format of which is: 47``` 48<hash>\n<hash_description>\n<package_name>\n<package_version_code>\n 49``` 50 51Currently, `hash_description` is fixed as `SHA256(Signed Code Transparency JWT)`. 52See [here](https://developers.google.com/android/binary_transparency/google1p/verification_details#construct_a_payload_for_verification) to find out how to construct this payload from a candidate APK. 53 54### Output 55The output of the command is written to stdout: 56 * `OK. inclusion check success!` if the candidate binary is included in the log. Depending on which log, this means either the [Pixel claim](https://developers.google.com/android/binary_transparency/pixel_overview#claimant_model) or the [Google System APK claim](https://developers.google.com/android/binary_transparency/google1p/overview#claimant_model) is true, 57 * `FAILURE` otherwise.