Upcoming Change: New certificate chain in the API response signature


SafetyNet API Clients

May 21, 2021, 1:39:21 PM
to SafetyNet API Clients
Hi everyone,

The SafetyNet Attestation API response contains a signature to guarantee the payload wasn't modified since it was generated on Google servers.

Starting July 2021, the response signature will use a new certificate chain. This change only affects the response signature. The response payload (basicIntegrity, ctsProfileMatch, evaluationType, etc.) will remain unchanged.

To ensure uninterrupted service, please check that your server-side logic can correctly verify the signature of the attached sample response. Note that the payload will indicate a compromised device (i.e. basicIntegrity is false). You can ignore that: the goal is to verify the signature.

If your server code does not currently check the response signature, now is a good time to add this functionality, and you can use the code samples provided. By checking the signature, your server code will detect if someone tries to modify the response payload.

The new certificate chain will be silently rolled out in July 2021. If you have questions, please get in touch.

Best regards,
The SafetyNet API Clients Team
sample_response.txt

SafetyNet API Clients

Jul 20, 2021, 3:57:15 PM
to SafetyNet API Clients
Greetings everyone!

We are starting to gradually roll out the new certificate chain.
You may start seeing the first responses using the new certificate chain tomorrow.

If you have questions, please get in touch.

Best regards,
The SafetyNet API Clients Team