Device did not pass attestation (error(s)=[1, 5, 11])

[jonsmirl]

I am really getting tired of seeing this error. Please fix this to give more information so that I can tell why it is failing. This error is coming from GMS code and I can't see what it is doing. This error is interfering with my ability to develop devices.

I flashed three identical devices with the same image. One commissions, two fail with this error. And hour later one of them will commission and the other one still fails. Try again the next day and all thee may fail. It is just random if they succeed or not.

I am using the test certificates.

./mfg_tool.py -cn "Test" -v 0xFFF2 -p 0x8001 --pai \
-k ../../connectedhomeip/connectedhomeip/credentials/test/attestation/Chip-Test-PAI-FFF2-8001-Key.pem \
-c ../../connectedhomeip/connectedhomeip/credentials/test/attestation/Chip-Test-PAI-FFF2-8001-Cert.pem \
-cd ../../connectedhomeip/connectedhomeip/credentials/test/certification-declaration/Chip-Test-CD-FFF2-8001.der \

I have complained multiple times on the issue tracker and they just keep closing it.
https://issuetracker.google.com/issues/293901764

It is happening on both my Pixel phone and Samsung tablet. Both fully up to date.

Note that commissioning from Google Home works. It only fails using GHSAFM or my code which is derived from GHSAFM.

2023-08-03 10:44:26.115 11223-11428 native                  com.google.android.gms.ui            I  I0000 00:00:1691073866.115821   11428 chip_logging.cc:17] CHIP: DMG: Received Command Response Data, Endpoint=0 Cluster=0x0000_0030 Command=0x0000_0001
2023-08-03 10:44:26.117 11223-11428 native                  com.google.android.gms.ui            I  I0000 00:00:1691073866.117152   11428 chip_logging.cc:17] CHIP: DMG: ICR moving to [AwaitingDe]
2023-08-03 10:44:26.122 11223-11223 SetupDeviceViewModel    com.google.android.gms.ui            E  Commissioning failed with state Attestation failure. [CONTEXT service_id=336 ]
                                                                                                    m.etd: Device did not pass attestation (error(s)=[1, 5, 11])
                                                                                                    	at m.eui.g(:com.google.android.gms.optional_home@[email protected] (100400-0):509)
                                                                                                    	at m.euc.b(:com.google.android.gms.optional_home@[email protected] (100400-0):13)
                                                                                                    	at m.pko.f(:com.google.android.gms.optional_home@[email protected] (100400-0):14)
                                                                                                    	at m.pst.run(:com.google.android.gms.optional_home@[email protected] (100400-0):114)
                                                                                                    	at android.os.Handler.handleCallback(Handler.java:942)
                                                                                                    	at android.os.Handler.dispatchMessage(Handler.java:99)
                                                                                                    	at android.os.Looper.loopOnce(Looper.java:226)
                                                                                                    	at android.os.Looper.loop(Looper.java:313)
                                                                                                    	at android.app.ActivityThread.main(ActivityThread.java:8757)
                                                                                                    	at java.lang.reflect.Method.invoke(Native Method)
                                                                                                    	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:571)
                                                                                                    	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1067)
2023-08-03 10:44:26.123 11223-11223 BleScanner              com.google.android.gms.ui            I  Disconnecting and closing Bluetooth GATT connection. [CONTEXT service_id=336 ]
2023-08-03 10:44:26.124 11223-11223 BluetoothGatt           com.google.android.gms.ui            D  cancelOpen() - device: DE8404_7
2023-08-03 10:44:26.129 11223-11263 IMGMapper               com.google.android.gms.ui            E  set:488 set: Unset optional value from type SMPTE2086
2023-08-03 10:44:26.129 11223-11263 IMGMapper               com.google.android.gms.ui            E  set:488 set: Unset optional value from type CTA861_3
2023-08-03 10:44:26.133 11223-11223 BluetoothGatt           com.google.android.gms.ui            D  close()
2023-08-03 10:44:26.135 11223-11428 BluetoothGatt           com.google.android.gms.ui            D  onClientConnectionState() - status=0 clientIf=5 device=DE8404_7
2023-08-03 10:44:26.137 11223-11223 BluetoothGatt           com.google.android.gms.ui            D  unregisterApp() - mClientIf=5
2023-08-03 10:44:26.145 11223-11223 SetupDeviceChimeraActiv com.google.android.gms.ui            E  Showing error status. [CONTEXT service_id=336 ]
                                                                                                    m.gds: Device did not pass attestation (error(s)=[1, 5, 11])
                                                                                                    	at m.gkx.a(:com.google.android.gms.optional_home@[email protected] (100400-0):403)
                                                                                                    	at m.pzj.a(:com.google.android.gms.optional_home@[email protected] (100400-0):84)
                                                                                                    	at m.qbo.a(:com.google.android.gms.optional_home@[email protected] (100400-0):1)
                                                                                                    	at m.qbn.a(:com.google.android.gms.optional_home@[email protected] (100400-0):144)
                                                                                                    	at m.ejl.b(:com.google.android.gms.optional_home@[email protected] (100400-0):352)
                                                                                                    	at m.pko.f(:com.google.android.gms.optional_home@[email protected] (100400-0):14)
                                                                                                    	at m.pst.run(:com.google.android.gms.optional_home@[email protected] (100400-0):114)
                                                                                                    	at android.os.Handler.handleCallback(Handler.java:942)
                                                                                                    	at android.os.Handler.dispatchMessage(Handler.java:99)
                                                                                                    	at android.os.Looper.loopOnce(Looper.java:226)
                                                                                                    	at android.os.Looper.loop(Looper.java:313)
                                                                                                    	at android.app.ActivityThread.main(ActivityThread.java:8757)
                                                                                                    	at java.lang.reflect.Method.invoke(Native Method)
                                                                                                    	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:571)
                                                                                                    	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1067)
                                                                                                    Caused by: m.etd: Device did not pass attestation (error(s)=[1, 5, 11])
                                                                                                    	at m.eui.g(:com.google.android.gms.optional_home@[email protected] (100400-0):509)
                                                                                                    	at m.euc.b(:com.google.android.gms.optional_home@[email protected] (100400-0):13)
                                                                                                    	at m.pko.f(:com.google.android.gms.optional_home@[email protected] (100400-0):14) 
                                                                                                    	at m.pst.run(:com.google.android.gms.optional_home@[email protected] (100400-0):114) 
                                                                                                    	at android.os.Handler.handleCallback(Handler.java:942) 
                                                                                                    	at android.os.Handler.dispatchMessage(Handler.java:99) 
                                                                                                    	at android.os.Looper.loopOnce(Looper.java:226) 
                                                                                                    	at android.os.Looper.loop(Looper.java:313) 
                                                                                                    	at android.app.ActivityThread.main(ActivityThread.java:8757) 
                                                                                                    	at java.lang.reflect.Method.invoke(Native Method) 
                                                                                                    	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:571) 
                                                                                                    	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1067) 
2023-08-03 10:44:26.146 11223-11223 OnBackInvokedCallback   com.google.android.gms.ui            W  OnBackInvokedCallback is not enabled for the application.
                                                                                                    Set 'android:enableOnBackInvokedCallback="true"' in the application manifest.
2023-08-03 10:44:26.157 11223-11263 IMGMapper               com.google.android.gms.ui            E  set:488 set: Unset optional value from type SMPTE2086
2023-08-03 10:44:26.157 11223-11263 IMGMapper               com.google.android.gms.ui            E  set:488 set: Unset optional value from type CTA861_3
2023-08-03 10:44:26.163 11223-11223 ScrollView              com.google.android.gms.ui            D  initGoToTop

[pierredelisle]

Hey Jon, sorry to hear about the aggravation on this issue. Asking someone on our eng team to have a look.

[jonsmirl]

This appears to be another variation of the same problem.
#154

[jonsmirl]

Back to attestation failing this morning.

2023-08-11 10:17:02.146 16587-16812 native                  com.google.android.gms.ui            I  I0000 00:00:1691763422.146454   16812 chip_logging.cc:17] CHIP: DMG: ICR moving to [AwaitingDe]
2023-08-11 10:17:02.150 16587-16587 SetupDeviceViewModel    com.google.android.gms.ui            E  Commissioning failed with state Attestation failure. [CONTEXT service_id=336 ]
                                                                                                    m.etx: Device did not pass attestation (error(s)=[1, 5, 11])
                                                                                                    	at m.evc.g(:com.google.android.gms.optional_home@[email protected] (100400-0):496)
                                                                                                    	at m.euw.b(:com.google.android.gms.optional_home@[email protected] (100400-0):13)
                                                                                                    	at m.psf.bG(:com.google.android.gms.optional_home@[email protected] (100400-0):14)
                                                                                                    	at m.qai.run(:com.google.android.gms.optional_home@[email protected] (100400-0):114)
                                                                                                    	at android.os.Handler.handleCallback(Handler.java:942)
                                                                                                    	at android.os.Handler.dispatchMessage(Handler.java:99)
                                                                                                    	at android.os.Looper.loopOnce(Looper.java:226)
                                                                                                    	at android.os.Looper.loop(Looper.java:313)
                                                                                                    	at android.app.ActivityThread.main(ActivityThread.java:8757)
                                                                                                    	at java.lang.reflect.Method.invoke(Native Method)
                                                                                                    	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:571)
                                                                                                    	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1067)
2023-08-11 10:17:02.151 16587-16587 BleScanner              com.google.android.gms.ui            I  Disconnecting and closing Bluetooth GATT connection. [CONTEXT service_id=336 ]

[jonsmirl]

Now the same device passed attestation. There is no pattern to these failures.

[pierredelisle]

Jon, do you have a project created for your test device?

Also, could you try to reproduce with this tool: https://developers.home.google.com/matter/tools/virtual-device?hl=en

This way I'd be able to test with the same environment on my side and help investigate.

[jonsmirl]

I have a project with all of the test IDs added.

What does this error mean? attestation (error(s)=[1, 5, 11])

The error comes and goes on a device which has not been changed. Does this attestation chain onto a server at the CSA? Is that server going up and down?

Another idea, is Google running multiple instances of the attestation checker? Maybe all of those instances are getting updated synchronously? one may be working ok, and another is not, and I randomly connect to them.

[pierredelisle]

Attestation errors are the following:

1: DEVICE_ATTESTATION_VALIDATION_ERROR_TYPE_INVALID_NONCE (fatal error)
5: DEVICE_ATTESTATION_VALIDATION_ERROR_TYPE_CHAINED_TO_VALID_TEST_PAA_CERT (info)
11: DEVICE_ATTESTATION_VALIDATION_ERROR_TYPE_CHAINED_TO_VALID_TEST_CD_CERT (info)

I've filed an issue so that enum names be shown on the logs instead of the enum int codes.

[jonsmirl]

Where does this nonce come from? I am not making it in my code.

[jonsmirl]

I don't really know how to debug this. The GPS library commissions my device twice. First time sets in the wifi credentials, the second time is my request. I would guess it is verifying attestation on both of the commissions, so why does the first one pass and the second one fail? Also, why is it intermittent? I can have a device fail for a few hours and then start working.

I don't have the certificates wrong, because if they were wrong it would never work. Also, I can't generate these certificates anyway because I don't have access to the CHIP certificate authority, all I can do is use the ones provided in the SDK.

[jonsmirl]

I really don't know what is going on with this. I had a device fail 20 times. Went to a meeting, came back to debug and it works.

[jonsmirl]

What does Error Code 4 mean on this failure?

Error 1, the nonce failure only happens on Samsung devices. I never get it on Pixel devices.

There really should be a way in the GMS API to tell the library to ignore attestation failures if you have these (the TEST certificates):

5: DEVICE_ATTESTATION_VALIDATION_ERROR_TYPE_CHAINED_TO_VALID_TEST_PAA_CERT (info)
11: DEVICE_ATTESTATION_VALIDATION_ERROR_TYPE_CHAINED_TO_VALID_TEST_CD_CERT (info)

Then it should turn associated errors into warnings, not a fatal errors.

It is also annoying that I can bypass this problem by commissioning the device first in Google Home and then sharing it to my app. Google Home does not complain about my attestation certificate.

[jonsmirl]

Much later I figured out that this problem was due to testing on a Samsung device. After I switched to a Pixel device it went away and I forgot about it. I have not gone back and checked if GHSAFM now works on Samsung.

Note --- this is probably because Samsung was working on Smarthings Matter support and they interfered with Google Home Matter support. Likely need to add continuous regression testing on Samsung devices.