We've added a JSON API making it easier for services to permit GrapheneOS in addition to Google-certified operating systems:

grapheneos.org/attestation.js…
grapheneos.org/attestation.js…

The verifiedBootKeys array lists GrapheneOS key fingerprints to permit via Android hardware attestation.

It can be extended with a list of key attestation root certificates once we have devices using an alternative to Google's Android key attestation ecosystem. Each of will have their own certificate revocation list for apps to check if they care. There's no need for anything more.

Apps which are forced by regulations or liability reasons to implement integrity checks should use the standard Android hardware attestation API. The Play Integrity API is insecure and anti-competitive. The Play Integrity API creates massive legal liability for the apps using it.

/e/ and Murena have been been promoting their products by misleading people about GrapheneOS for years. This has turned into an all out war on GrapheneOS by their company and supporters. We began regularly debunking their inaccurate claims and they try to frame it as aggression.

They've created widespread misconceptions about the GrapheneOS project with inaccurate claims about the purpose of the project and what it provides to users. Many people incorrectly believe they aren't our target audience or that it wouldn't be a good fit for them due to this.

GrapheneOS is a privacy project which is intended to be usable by everyone. Usability and app compatibility are top priorities. Our userbase largely isn't highly technical. It's very easy to install and use. Devices can be purchased around the world with GrapheneOS preinstalled.

Gaël Duval is the founder and president of the /e/ foundation along with the CEO of Murena. Duval and his organizations have consistently taken a stance against protecting users from exploits. In this video, he once again claims protecting against exploits is for only useful pedophiles and spies.

Translation to English:

> There's the attack surface, on that front we're not security specialists here, so I couldn't answer you precisely, but from the discussions I've had, it seems that everything we do reduces attack surface. However, we don't have a "hardened security" approach, we aren't developing a phone for pedo(censored) so they can evade justice. So there aren't difficult things to check if the memory is corrupted, really hardened security stuff that could clearly be useful for executives, in the secret service, or whatever. That's not our goal, our goal is to start from an observation: today our personal data is constantly being plundered and that wouldn't be legal in real life with the mail or the telephone, we want to change that. So we are making you a product that changes that by default for anyone.

Transcription in French:

> Il y a la surface d'attaque, là pour le coup on est pas des spécialistes de la sécurité, donc je ne pourrais pas te répondre avec précision, mais des discussions que j'ai eu, il semblerait que tout ce qu'on fait, ça réduit la surface d'attaque. Donc oui, probablement ça aide. Par contre, on a pas une approche "sécurité durcie", on développe pas un téléphone pour les pédo(bip) pour qu'ils puissent échapper à la justice. Donc il y a pas des trucs pas possibles pour voir si la mémoire est pas corrompue, des trucs de sécu vraiment durcis qui pourraient être utiles clairement pour des dirigeants, dans les services secrets ou que sais-je. C'est pas notre but, notre but c'est de partir d'un constat, aujourd'hui nos données personnelles sont pillées en permanence et ça serait pas légal dans la vraie vie avec le courrier ou le téléphone, on veut changer ça. Donc on vous fait un produit qui change ça par défaut pour n'importe quelle personne.

GrapheneOS exists to protect users from having their privacy invaded by arbitrary individuals, corporations and states. Privacy depends on security. GrapheneOS heavily improves both privacy and security while providing a high level of usability and near perfect app compatibility.

/e/ has far worse privacy and security than the Android Open Source Project. They fail to keep up with important standard privacy and security patches for Android, Linux, firmware, drivers and HALs. They fail to provide current generation Android privacy and security protections.

GrapheneOS started in 2014 and was originally named CopperheadOS. In late 2015, the Copperhead company was founded which was meant to support the project. Copperhead didn't create CopperheadOS and didn't own or control it. Copperhead made a failed takeover attempt on it in 2018.

GrapheneOS still has the original CopperheadOS repositories on GitHub. Copperhead seized a bunch of the project's infrastructure and accounts. They created a closed source fork of GrapheneOS called CopperheadOS after the split which was not the same CopperheadOS as the original.

Copperhead remained entirely dependent on GrapheneOS and had to keep forking our code for each major Android update. Despite depending on GrapheneOS, they waged a war against it trying to destroy the project and attempting to ruin the lives of our team, especially our founder.

There are at least a dozen people spending at least several hours attacking GrapheneOS across platforms on a daily basis. It's a very strange situation. How do these people have so much time and dedication to keep making posts across platforms attacking us? It's relentless.

Every day, dozens of new accounts join our chat rooms to spread the same fabrications about GrapheneOS including via direct messages.

On Hacker News, one of the accounts making personal attacks based on fabrications in most threads about GrapheneOS has been doing it for 8 years.

Y Combinator (@ycombinator) has a financial stake in numerous surveillance and exploit development companies. Hacker News is a platform they own and the moderators on it have permitted years of vile harassment towards our team which they'd normally remove if others were targeted.

A false narrative is being pushed about GrapheneOS claiming we're ending operations in France due to the actions of 2 newspapers. That's completely wrong. If both newspapers and the overall French media had taken our side instead of extreme bias against us, we'd still be leaving.

We're ending operations in France and ending our use of French companies (mainly OVH) to provide services because of direct quotes by law enforcement in dozens of French news publications. Their inaccurate claims about GrapheneOS and thinly veiled threats were our sign to leave.

French law enforcement hijacked the servers of companies selling secure phones multiple times and is comparing us with those companies. They've made it clear they expect access to phones and will go after us if we do not cooperate. Cooperating with that means adding a backdoor.