Add new RKP root key, also simplify logic a bit #59

Open
sethmoo wants to merge 1 commit into vvb2060:master from sethmoo:add-rkp-key

sethmoo commented Mar 4, 2026

  1. There's a new RKP root key, as documented at https://developer.android.com/privacy-and-security/security-key-attestation#root_certificate_rotation. Add support for this key so that devices using the new root are recognized.
  2. Simplify things a bit by relying on a map for key matching instead of using a hand-written linear search of values.

VisionR1 commented Mar 4, 2026

Nice.

If you want, you can open a PR there too:

https://github.com/VisionR1/KeyAttestation

sethmoo commented Mar 4, 2026

> Nice.
>
> If you want, you can open a PR there too:
>
> https://github.com/VisionR1/KeyAttestation

That repo appears to be a fork of this one. Given that, my preference is to land the change upstream, then allow fork maintainers to rebase.

AFAICT, @vvb2060 is maintaining this and publishing new releases to Play store.

Without taking this patch, devices will soon start seeing "untrusted root" errors which are not correct. Given that, I think the repo owner should be motivated to accept the new root (even if they don't like the rest of my patch 🥲 ).

VisionR1 commented Mar 4, 2026

I know it is a fork, my fork.

Also, the Google Play version is kind of abandoned, not updated since 2023.

Also, here too, it is not very active.

Can I take your PR and add it to my fork, and give you the credit?

sethmoo commented Mar 4, 2026

Ah, cool. I saw multiple updates in 2025, so I was hoping this repo was still active. I'm happy to port to your fork, I'll get to that later today.

Do you know where the Play Store version of the app comes from?

Ultimately, I'd like the store version of the app updated if at all possible. Some early adopters of the new root are reporting bugs to the RKP team at Google.

VisionR1 commented Mar 4, 2026

Yeah, there are some as I see, but after that it is quiet again.

The Google Play version is the original from here:
https://github.com/vvb2060/KeyAttestation/releases/tag/v1.5.0

I hope @vvb2060 makes an update here and in Google Play.

sethmoo commented Mar 4, 2026

Oh nice, the patch seems to apply just fine: VisionR1#6

I expected more divergence, but patches cleanly.

CornsKernel commented Apr 8, 2026

Dear owner:

When do you plan to update the Google Play Store version?

BTW, can we merge the patch and build it locally?

Thank you.

VisionR1 commented Apr 8, 2026

> Dear owner:
>
> When do you plan to update the Google Play Store version?
>
> BTW, can we merge the patch and build it locally?
>
> Thank you.

About the merge, yes you can, it is open source.

Also, I have forked this, and have this PR.

sethmoo commented Apr 9, 2026

> > Dear owner:
> > When do you plan to update the Google Play Store version?
> > BTW, can we merge the patch and build it locally?
> > Thank you.
>
> > About the merge, yes you can, it is open source.
> > Also, I have forked this, and have this PR.
>
> Dear VisionR1,
>
> Built successfully and it works well. Of course, we also keep your app copyright details. Thanks very much.
>
> BTW, where did you get the GOOGLE_RKP_ROOT_PUBLIC_KEY? I can't find it anywhere. I only read from our DUT with cmd the certificate which ends with "....80lQyu9vAF Cj6E4AXc+osmRg==".
>
> Thanks.

Roots are publicly documented here: https://developer.android.com/privacy-and-security/security-key-attestation#root_certificate

EDIT: There's a machine-readable version as well: https://android.googleapis.com/attestation/root. This is linked from the human-readable doc link.

CornsKernel commented Apr 10, 2026

Dear,

I read the link https://developer.android.com/privacy-and-security/security-key-attestation#root_certificate_rotation,
and learned that Google updated the root public key.
Also, I see that the "https://github.com/android/keyattestation" roots.json uses Google's new root key.

However, it is not clear how it maps to Google's new root key by "GOOGLE_RKP_ROOT_PUBLIC_KEY" included in "Add new RKP root key, also simplify logic a bit". Can you help explain?
BTW, our local vendor_required_attestation_certificates doesn't add "...uR2zh/80lQyu9vAFCj6E4AXc+osmRg==".

Really, thank you.
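
An added example, not code from this pull request or from the project: one way to recognise an attestation root with a map keyed on the root certificate's encoded public key, the approach item 2 of the PR description names, which also shows why the value compared is a public key rather than the certificate's own base64 text. `RootKeyLookup`, `RootType` and the generated keys are hypothetical stand-ins; real root keys come from the published root list linked in the thread.

```java
import java.nio.ByteBuffer;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.spec.ECGenParameterSpec;
import java.util.HashMap;
import java.util.Map;

public class RootKeyLookup {
    // Hypothetical labels for this example, not the project's own names.
    enum RootType { UNKNOWN, GOOGLE, GOOGLE_RKP }

    // Keyed by the DER-encoded SubjectPublicKeyInfo. ByteBuffer.wrap() gives
    // content-based equals()/hashCode(), which a raw byte[] key would not.
    private final Map<ByteBuffer, RootType> trusted = new HashMap<>();

    void trust(PublicKey key, RootType type) {
        trusted.put(ByteBuffer.wrap(key.getEncoded()), type);
    }

    // In real use, pass chain[chain.length - 1].getPublicKey(), and only after
    // every signature in the chain has been verified: a key match on an
    // unverified chain proves nothing about the leaf.
    RootType classify(PublicKey rootKey) {
        return trusted.getOrDefault(ByteBuffer.wrap(rootKey.getEncoded()), RootType.UNKNOWN);
    }

    // Constructed stand-in for a root key, generated fresh on every call.
    static PublicKey sampleKey() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(new ECGenParameterSpec("secp384r1"));
        return gen.generateKeyPair().getPublic();
    }

    public static void main(String[] args) throws Exception {
        PublicKey oldRoot = sampleKey(), newRkpRoot = sampleKey(), stranger = sampleKey();
        RootKeyLookup lookup = new RootKeyLookup();
        lookup.trust(oldRoot, RootType.GOOGLE);

        // Before the new entry exists, a chain ending in the new root is unrecognised.
        System.out.println("new root, old table: " + lookup.classify(newRkpRoot));

        // Supporting a rotated root is one more map entry, no search code to touch.
        lookup.trust(newRkpRoot, RootType.GOOGLE_RKP);
        System.out.println("new root, new table: " + lookup.classify(newRkpRoot));
        System.out.println("old root:            " + lookup.classify(oldRoot));
        System.out.println("unlisted key:        " + lookup.classify(stranger));
    }
}
```

Because the lookup is on the key encoding, two different certificates that carry the same root key classify identically, and the tail of a certificate's base64 dump will not match the base64 of the key it contains.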
