
Cryptographic ID

Attest the trustworthiness of a device using asymmetric cryptography

New in version 0.5.1
- update flutter
- update gradle to 8.7
- fix new flutter analyze problems
- update mobile scanner

Use cases:

- Attest the state of a Linux computer

When your computer is in a trustworthy state, you can generate a private key hidden in the TPM2 of your computer. This private key can be sealed against the current state of the computer (PCRs). The computer can then sign a message with this key only when it is in the correct state according to the PCRs. For example, you can seal the key against the secure boot state (PCR7). If your computer boots an operating system signed by another vendor, the TPM2 cannot unseal the private key. So if your computer can generate a correct signature, it is in this known state. You can create a sealed private key and produce such a signature with cryptographic-id-rs (https://gitlab.com/cryptographic_id/cryptographic-id-rs). This is similar to tpm2-totp (https://github.com/tpm2-software/tpm2-totp) but uses asymmetric cryptography. This means you do not need to keep the verification code secret. You can share it safely with the world.

- Verify the identity of a phone

You can generate a private key when your phone is in a trustworthy state. If your phone can create a correct signature, you know it is the same phone. Since the operating system can access the private key, the security guarantees are much weaker than with a TPM2, so the verification is only as secure as your phone. If you use GrapheneOS, also have a look at Auditor (https://attestation.app/tutorial).

- Verify that a person is in possession of a private key

This works the same way as the use case above and has the same shortcomings. It can be used to verify someone in person when they have sent you their public key in advance over a secure channel.
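
The PCR7 sealing described in the Linux use case above can be modelled offline. The following is an added example, not code from the app or from cryptographic-id-rs: it replays measurements into a SHA-256 PCR 7 and computes the digest a single TPM2_PolicyPCR would produce, assuming the key is bound to a plain PCR 7 policy. The measured events are constructed stand-ins for the real Secure Boot event log.

```python
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F  # TPM 2.0 command code for TPM2_PolicyPCR
TPM_ALG_SHA256 = 0x000B         # TPM 2.0 algorithm id for SHA-256


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def replay_pcr(event_digests):
    """Replay measurements: PCR_new = SHA256(PCR_old || event_digest)."""
    pcr = bytes(32)  # PCR 7 is reset to all zeros at power-on
    for digest in event_digests:
        pcr = sha256(pcr + digest)
    return pcr


def policy_pcr7(pcr7_value: bytes) -> bytes:
    """Policy digest after one TPM2_PolicyPCR over SHA-256 PCR 7."""
    # TPML_PCR_SELECTION: count=1, hash=SHA256, sizeofSelect=3, bitmap with bit 7 set
    selection = struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes([0x80, 0, 0])
    pcr_digest = sha256(pcr7_value)  # digest over the selected PCR values
    start = bytes(32)  # a fresh policy session starts from a zero digest
    return sha256(start + struct.pack(">I", TPM_CC_POLICY_PCR) + selection + pcr_digest)


def key_usable(sealed_policy: bytes, current_events) -> bool:
    """Model of the TPM's check: session digest must equal the key's policy."""
    return policy_pcr7(replay_pcr(current_events)) == sealed_policy


# Constructed measurements standing in for what Secure Boot logs into PCR 7.
TRUSTED_BOOT = [sha256(b"SecureBoot=1"), sha256(b"PK=owner"), sha256(b"db=vendor-A cert")]
OTHER_VENDOR = [sha256(b"SecureBoot=1"), sha256(b"PK=owner"), sha256(b"db=vendor-B cert")]
SB_DISABLED = [sha256(b"SecureBoot=0"), sha256(b"PK=owner"), sha256(b"db=vendor-A cert")]

SEALED_POLICY = policy_pcr7(replay_pcr(TRUSTED_BOOT))  # fixed when the key is created

if __name__ == "__main__":
    for name, events in [("trusted", TRUSTED_BOOT), ("other vendor", OTHER_VENDOR),
                         ("secure boot off", SB_DISABLED)]:
        print(f"{name:16} key usable: {key_usable(SEALED_POLICY, events)}")
```

Because each extend hashes the previous PCR value, a change in any single measurement or in their order yields a different policy digest, and the TPM2 then refuses to use the key.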

Versions

Although APK downloads are available below to give you the choice, you should be aware that by installing that way you will not receive update notifications and it's a less secure way to download. We recommend that you install the F-Droid client and use that.

Download F-Droid
  • Version 0.5.1 (17) - suggested - Added on May 17, 2024

    arm64-v8a armeabi-v7a x86_64

    This version requires Android 5.0 or newer.

    It is built and signed by F-Droid, and guaranteed to correspond to this source tarball.

    Permissions
    • take pictures and videos
      This app can take pictures and record videos using the camera while the app is in use.

    Download APK 22 MiB PGP Signature | Build Log

  • Version 0.5.0 (16) - Added on Dec 25, 2023

    arm64-v8a armeabi-v7a x86_64

    This version requires Android 5.0 or newer.

    It is built and signed by F-Droid, and guaranteed to correspond to this source tarball.

    Permissions
    • take pictures and videos
      This app can take pictures and record videos using the camera while the app is in use.

    Download APK 22 MiB PGP Signature | Build Log

  • Version 0.4.5 (15) - Added on Nov 26, 2023

    arm64-v8a armeabi-v7a x86_64

    This version requires Android 5.0 or newer.

    It is built and signed by F-Droid, and guaranteed to correspond to this source tarball.

    Permissions
    • take pictures and videos
      This app can take pictures and record videos using the camera while the app is in use.

    Download APK 22 MiB PGP Signature | Build Log