1*d289c2baSAndroid Build Coastguard Worker# Verifier of Binary Transparency for Pixel Factory Images 2*d289c2baSAndroid Build Coastguard Worker 3*d289c2baSAndroid Build Coastguard WorkerThis repository contains code to read the transparency log for [Pixel Factory Images Binary Transparency](https://developers.google.com/android/binary_transparency/pixel_overview). See the particular section for this tool [here](https://developers.google.com/android/binary_transparency/pixel_verification#verifying-image-inclusion-inclusion-proof). 4*d289c2baSAndroid Build Coastguard Worker 5*d289c2baSAndroid Build Coastguard Worker## Files and Directories 6*d289c2baSAndroid Build Coastguard Worker* `cmd/verifier/` 7*d289c2baSAndroid Build Coastguard Worker * Contains the binary to read the transparency log. It is embedded with the public key of the log to verify log identity. 8*d289c2baSAndroid Build Coastguard Worker* `internal/` 9*d289c2baSAndroid Build Coastguard Worker * Internal libraries for the verifier binary. 10*d289c2baSAndroid Build Coastguard Worker 11*d289c2baSAndroid Build Coastguard Worker## Build 12*d289c2baSAndroid Build Coastguard WorkerThis module requires Go 1.17. Install [here](https://go.dev/doc/install), and run `go build cmd/verifier/verifier.go`. 13*d289c2baSAndroid Build Coastguard Worker 14*d289c2baSAndroid Build Coastguard WorkerAn executable named `verifier` should be produced upon successful build. 15*d289c2baSAndroid Build Coastguard Worker 16*d289c2baSAndroid Build Coastguard Worker## Usage 17*d289c2baSAndroid Build Coastguard WorkerThe verifier uses the checkpoint and the log contents (found at the [tile directory](https://developers.google.com/android/binary_transparency/tile)) to check that your image payload is in the transparency log, i.e. that it is published by Google. 18*d289c2baSAndroid Build Coastguard Worker 19*d289c2baSAndroid Build Coastguard WorkerTo run the verifier after you have built it in the previous section: 20*d289c2baSAndroid Build Coastguard Worker``` 21*d289c2baSAndroid Build Coastguard Worker$ ./verifier --payload_path=${PAYLOAD_PATH} 22*d289c2baSAndroid Build Coastguard Worker``` 23*d289c2baSAndroid Build Coastguard Worker 24*d289c2baSAndroid Build Coastguard Worker### Input 25*d289c2baSAndroid Build Coastguard WorkerThe verifier takes a `payload_path` as input. 26*d289c2baSAndroid Build Coastguard Worker 27*d289c2baSAndroid Build Coastguard WorkerEach Pixel Factory image corresponds to a [payload](https://developers.google.com/android/binary_transparency/pixel_overview#log_content) stored in the transparency log, the format of which is: 28*d289c2baSAndroid Build Coastguard Worker``` 29*d289c2baSAndroid Build Coastguard Worker<build_fingerprint>\n<vbmeta_digest>\n 30*d289c2baSAndroid Build Coastguard Worker``` 31*d289c2baSAndroid Build Coastguard WorkerSee [here](https://developers.google.com/android/binary_transparency/pixel_verification#construct-the-payload-for-verification) for a few methods detailing how to extract this payload from an image. 32*d289c2baSAndroid Build Coastguard Worker 33*d289c2baSAndroid Build Coastguard Worker### Output 34*d289c2baSAndroid Build Coastguard WorkerThe output of the command is written to stdout: 35*d289c2baSAndroid Build Coastguard Worker * `OK` if the image is included in the log, i.e. that this [claim](https://developers.google.com/android/binary_transparency/pixel_overview#claimant_model) is true, 36*d289c2baSAndroid Build Coastguard Worker * `FAILURE` otherwise. 37*d289c2baSAndroid Build Coastguard Worker 38