Can fydeOS provide world class level of trust to users? when and why not?

About the question you’re submitting

Have you searched the community for a relevant issue? (use “x” to select)

[x] No similar issues found

Detailed description

  1. Clearly state your question(s)
    A: Can fydeos be provided /w android’s safetynet pass by google + secureboot signed by microsoft?

  2. Provide specific configuration and firmware version details
    CPU:
    GPU:
    RAM & Storage:
    FydeOS Version:

  3. Include detailed logs
    To obtain the logs, enter /var/log/messages in the Chromium browser and locate the relevant log fragment. Copy and paste it here.
    Logs:

hi,
it turns out fydeos running on celeron windows tablet outperforms CrOS on arm CPUs, and with dual boot it allow more applications available to users.

however, why dont fydeos provide the same level of trust to users as other OS?

I was told fydeos is working with android’s safetynet pass, good.
but that’s only for the android subsystem.

for the chromiumOS itself, i say i’ll wish for what chromeOS flex did: signed by microsoft for secureboot.

safetynet from google + signed for secureboot from microsoft will make me feel comfort.

this is feasible, technically.

thanks

ps: chromeos flex do was signed by microsoft to use with secureboot.
yet i dont know what deals they have under the table.

fyi:
ChromeOS Flex images are signed and verified so that the built-in Secure Boot system in recent UEFI-enabled models can verify a ChromeOS Flex image during startup. Secure Boot checks that the ChromeOS Flex image is from a known source—Google.

[

Deployment best practices - ChromeOS Flex Help

[image]
Google
https://support.google.com › chromeosflex › answer
](https://support.google.com/chromeosflex/answer/12024393?hl=en#:~:text=ChromeOS%20Flex%20images%20are%20signed,from%20a%20known%20source—Google.)

Sorry, we have no plans to provide the services you mentioned in the public releases as to why; simply put, it costs money and is not a technical issue. If you’re not comfortable with that, please use another system you’re satisfied with, and you can do without the public releases of FydeOS; thank you.

ok, other foss software like veracrypt use PGP key,
which cost NO MONEY.

i am ok with that.

how about that?

VeraCrypt

Documentation >> Miscellaneous >> Digital Signatures

Digital Signatures

Why Verify Digital Signatures

It might happen that a VeraCrypt installation package you download from our server was created or modified by an attacker. For example, the attacker could exploit a vulnerability in the server software we use and alter the installation packages stored on the server, or he/she could alter any of the files en route to you.

Therefore, you should always verify the integrity and authenticity of each VeraCrypt distribution package you download or otherwise obtain from any source. In other words, you should always make sure that the file was created by us and it was not altered by an attacker. One way to do so is to verify so-called digital signature(s) of the file.

Types of Digital Signatures We Use

We currently use two types of digital signatures:

  • PGP signatures (available for all binary and source code packages for all supported systems).
  • X.509 signatures (available for binary packages for Windows).

Advantages of X.509 Signatures

X.509 signatures have the following advantages, in comparison to PGP signatures:

  • It is much easier to verify that the key that signed the file is really ours (not attacker’s).
  • You do not have to download or install any extra software to verify an X.509 signature (see below).
  • You do not have to download and import our public key (it is embedded in the signed file).
  • You do not have to download any separate signature file (the signature is embedded in the signed file).

Advantages of PGP Signatures

PGP signatures have the following advantages, in comparison to X.509 signatures:

  • They do not depend on any certificate authority (which might be e.g. infiltrated or controlled by an adversary, or be untrustworthy for other reasons).

How to Verify X.509 Signatures

Please note that X.509 signatures are currently available only for the VeraCrypt self-extracting installation packages for Windows. An X.509 digital signature is embedded in each of those files along with the digital certificate of the VeraCrypt Foundation issued by a public certification authority. To verify the integrity and authenticity of a self-extracting installation package for Windows, follow these steps:

  1. Download the VeraCrypt self-extracting installation package.
  2. In the Windows Explorer, click the downloaded file (‘VeraCrypt Setup.exe’) with the right mouse button and select ‘Properties’ from the context menu.
  3. In the Properties dialog window, select the ‘Digital Signatures’ tab.
  4. On the ‘Digital Signatures’ tab, in the ‘Signature list’, double click the line saying “IDRIX” or “IDRIX SARL”.
  5. The ‘Digital Signature Details’ dialog window should appear now. If you see the following sentence at the top of the dialog window, then the integrity and authenticity of the package have been successfully verified:

This digital signature is OK.

If you do not see the above sentence, the file is very likely corrupted. Note: On some obsolete versions of Windows, some of the necessary certificates are missing, which causes the signature verification to fail.

How to Verify PGP Signatures

To verify a PGP signature, follow these steps:

  1. Install any public-key encryption software that supports PGP signatures. For Windows, you can download Gpg4win. For more information, you can visit https://www.gnupg.org/.
  2. Create a private key (for information on how to do so, please see the documentation for the public-key encryption software).
  3. Download our PGP public key from IDRIX website (https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc) or from a trusted public key repository (ID=0x680D16DE), and import the downloaded key to your keyring (for information on how to do so, please see the documentation for the public-key encryption software). Please check that its fingerprint is 5069A233D55A0EEB174A5FC3821ACD02680D16DE.
  1. Sign the imported key with your private key to mark it as trusted (for information on how to do so, please see the documentation for the public-key encryption software).

Note: If you skip this step and attempt to verify any of our PGP signatures, you will receive an error message stating that the signing key is invalid.
5. Download the digital signature by downloading the PGP Signature of the file you want to verify (on the Downloads page).
6. Verify the downloaded signature (for information on how to do so, please see the documentation for the public-key encryption software).

Under Linux, these steps can be achieved using the following commands:

  • Check that the fingerprint of the public key is 5069A233D55A0EEB174A5FC3821ACD02680D16DE:gpg --import --import-options show-only VeraCrypt_PGP_public_key.asc (for older gpg versions, type instead: gpg --with-fingerprint VeraCrypt_PGP_public_key.asc)
  • If the fingerprint is the expected one, import the public key: gpg --import VeraCrypt_PGP_public_key.asc
  • Verify the signature of the Linux setup archive (here for version 1.23): gpg --verify veracrypt-1.23-setup.tar.bz2.sig veracrypt-1.23-setup.tar.bz2

putting a file on dropbox to let others download ruin the image of an organization, esp without any digital certs, or PGP signature.

it’s like some company dont have it’s own domain for email server, and ask you send email to gamil.com.

We believe that the current state of the public releases is sufficient for most individual users. If you are not satisfied, you can switch to another product. We have given you enough responses on this topic and will not respond again.