Investigate: QA process for bundles resulting from our app? about signal-x-proofmode HOT 17 CLOSED

Our Proof Check online tool is nearly ready for public beta: https://proofcheck.gpfs.link/ and you can just direct people to use it. There is also a simple bash script version: https://gitlab.com/guardianproject/proofmode/proofmode-android/-/blob/master/docs/verify.sh

We may need to do some debugging to make sure the version of the proof bundle Signal-ProofMode is generating matches what we expect (since there isn't any opentimestamps, google safetynet notarization etc)

If you are talking about doing it "in app", then some form of the 3LV - Integrity, Consistency, Synchrony - should be used.

1. Verify the PGP signatures. We can build an easy method for that into libProofMode
2. Verify that the output of the MobileCoin notarization can be matched with an on-chain record
3. Display to the user a summary of the where/when details in the proof so they can see if the visuals match their expectation "This was captured in the Signal camera on January 2, 2023 at 2:22pm in London, UK"

This is a good start!

from signal-x-proofmode.

Our Proof Check online tool is nearly ready for public beta: https://proofcheck.gpfs.link/ and you can just direct people to use it.

Sadly, both Max and I get an "unknown error" upon trying to upload a ZIP. Unless there's been a release in the last couple of days, we're stuck :)

Just taking the 3LV method the other way round:

• Display to the user a summary of the where/when details in the proof so they can see if the visuals match their expectation "This was captured in the Signal camera on January 2, 2023 at 2:22pm in London, UK"

I invite you to check out "Verifying Proofs" on Mural or Issue #34 for an update on the custom reception UI we're building for this. Very excited about it!

• Verify that the output of the MobileCoin notarization can be matched with an on-chain record

This got paused for now, so we won't be able to carry out this check in an MVP version.

• Verify the PGP signatures. We can build an easy method for that into libProofMode.

That sounds like something we really want to do. When do you think this can be done, and what would the ProofMode API call look like?
@maxSafronovForte, take note of this for your information :)

from signal-x-proofmode.

Our Proof Check online tool is nearly ready for public beta: https://proofcheck.gpfs.link/ and you can just direct people to use it.
Sadly, both Max and I get an "unknown error" upon trying to upload a ZIP. Unless there's been a release in the last couple of days, we're stuck :)

I think the tool is expecting out standard Proof bundle format, and needs to be more flexible in working with what is there. Otherwise, I think the main issue is like the public key not being integrated into the proof zip.

• Verify the PGP signatures. We can build an easy method for that into libProofMode.
  That sounds like something we really want to do. When do you think this can be done, and what would the ProofMode API call look like? @maxSafronovForte, take note of this for your information :)

Working on it today. We have the code already elsewhere, just need to expose the call in the API.

from signal-x-proofmode.

android-libproofmode library has been updated to 1.0.23 and includes a new helper method verifyProofZip which you can see use of in our test class here: https://gitlab.com/guardianproject/proofmode/proofmode-android/-/blob/master/android-libproofmode/src/androidTest/java/ProofmodeGenerationTests.java#L109

We’ll work on a better sample and documentation tomorrow, but in short, you provide it the hash of the media file, and inputstream to the media file bytes and an inputstream to the zip file bytes.
1:03
Inside, it will use the hash to match signatures in the proof zip, and verify all the signatures.
1:03
this is the “Integrity” check of our 3LV process, so just one piece, and ultimately we may rename this method integrityCheck but for now it is fine to use!
1:04
In order to get the hash from the media file byes, you can see this line in the test class: https://gitlab.com/guardianproject/proofmode/proofmode-android/-/blob/master/android-libproofmode/src/androidTest/java/ProofmodeGenerationTests.java#L99

from signal-x-proofmode.

We are also updating our web-based proofcheck tool to be more tolerant of bundles that do not contain OpenTimestamps or Google Safetynet notarization files.

from signal-x-proofmode.

It appears adding the pubkey now permits the use of the automated tool.

New error in the JS console: KeyError: 'Device ID' :( cc @n8fr8

from signal-x-proofmode.

Now that we can generate our own signal-x-proofmode bundles, should be easier to debug!

from signal-x-proofmode.

@n8fr8 Did you have a think about this issue, perchance? It would be nice to be able to QA our bundles...

from signal-x-proofmode.

Working on it this week. Already put the request in to the team to test against these bundles to ensure compatibility, while flagging gracefully what might be "missing".

from signal-x-proofmode.

I believe today's commits have made the issue mentioned above go away.

@maxSafronovForte Here's what we now have:

• Media signed
• Proof data present and signed
• OpenTimestamp verified
• SafetyNet verified
• C2PA verified

And the detailed message:

"root":{1 item
"summary":{1 item
"error":string"No media files found"
}
}

from signal-x-proofmode.

Maybe we should add the photo in the bundle as well.

from signal-x-proofmode.

In which format we need to put photo in bundle ?

from signal-x-proofmode.

Ah right, the photo! That's the problem. I thought that was already happening.

The photo should be the saw raw bytes that you used to generate the proof hash. Do not re-encode.

from signal-x-proofmode.

Maybe fixed by #64

from signal-x-proofmode.

🎉

from signal-x-proofmode.

Woohoo! We'll have to add-in "MobileCoin notarization" verified soon as well...

from signal-x-proofmode.

Thanks for all the work Nathan – glad we did this, was really helpful today.

from signal-x-proofmode.