KindnessInfinity

Changes in version 129.0.6668.70.0:

• update to Chromium 129.0.6668.70
• rewrite our change for skipping autofill service compatibility checks to resolve a regression

A full list of changes from the previous release (version 129.0.6668.54.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

No release notes given. Commit history from this release to last release can be viewed here

Pixel 4a (5G), Pixel 5 and Pixel 5a are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

We need more people to use the Beta channel and quickly report regressions in the new releases before they reach Stable. If you're using the Alpha or Beta channels, please join the testing chat room on either Matrix, Discord or Telegram and report regressions in new releases. Our public testing process only works if regressions are reported before the release reaches Stable. For releases with urgent compatibility and security fixes, we try to get it through public testing in 24 hours so we need reports of regressions right away. We've moved 5th generation Pixels to legacy extended support around a month early since we're not getting the feedback we would need to have confidence in shipping the next round of multicast leak blocking for them. They're insecure legacy devices regardless.

Tags:

• 2024091900-redfin (Pixel 4a (5G), Pixel 5)
• 2024091900 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
• 2024091900-caimito (Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold)

Changes since the 2024091700 release:

• temporarily revert multicast leak blocking firewall due to causing legacy 5th gen devices to lose compatibility with IPv6-only carriers along with causing certain compatibility issues with IPv6 on Wi-Fi
• temporarily revert multicast leak blocking eBPF filter extensions until app compatibility is addressed in a similar way as the Network permission mimics non-security errors

Our latest release blocked a class of VPN leaks via multicast packets discovered by our community. Unfortunately, end-of-life Pixel 4a (5G), Pixel 5 and Pixel 5a have an upstream kernel bug that's causing it to break compatibility with IPv6-only carriers. We're dealing with it.

We're hardly getting any testing feedback for the end-of-life devices which led to this issue slipping into the Stable channel. Our extended support for 5th gen devices will become legacy extended support after Android 15 meaning they won't get these kinds of changes anymore.

Our extended support releases have only ever been planned for the legacy Pixel 5a and earlier with less than 5 years of support from launch. We provide extended support until the first yearly release not supporting them and then switch to a legacy extended support branch.

We likely should have only provided legacy extended support releases via a legacy branch as soon as devices were end-of-life. Extended support encourages people to stick with insecure end-of-life devices and lead to regressions like this but we caught previous ones before Stable.

We're providing one final extended support release for 5th generation Pixels reverting these changes and then they're becoming legacy extended support. This would have happened in October with the stable release of Android 15 regardless, so it makes very little difference.

Separately from this, our multicast leak prevention is causing minor app compatibility issues due to apps trying to use multicast when a VPN is enabled with leak blocking and then not catching the SecurityException which the low-level EPERM error is being converted into for them.

We'll be making a release today reverting our multicast leak prevention for all devices and will begin work fixing the minor app compatibility issues to ship it again.

5th gen will be switched to legacy extended support a few weeks early to work around the old Linux kernel bugs.

Main app compatibility issue is with the DuckDuckGo app's "App Tracking Prevention" feature based on a VPN service. If you use that feature and upgraded to our cancelled 2024091700 release, that's the issue you're having. Likely an app bug, but we'll make sure it works next time.

There may also be compatibility issues with IPv6-only Wi-Fi networks. We're working on resolving this too. We were treating this as security patches and unfortunately we didn't get any reports of any app or network compatibility issues during the 20 hours of public Beta testing.

Pixel 4a (5G), Pixel 5 and Pixel 5a are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024091700-redfin (Pixel 4a (5G), Pixel 5)
• 2024091700 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
• 2024091700-caimito (Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold)

Changes since the 2024090400 release:

• Sandboxed Google Play compatibility layer: handle the updated client dynamite module initialization sequence
• extend standard Android eBPF filter to prevent apps sending multicast packets outside of the VPN tunnel either directly or separately via kernel-generated multicast traffic (IGMP, MLD) when leak blocking is enabled
• add netfilter-based multicast firewall only permitting sending multicast packets to permitted interfaces for the process to prevent apps sending multicast packets through a disallowed interface such as a VPN tunnel for another profile
• exclude com.android.rkpdapp from backup/restore to avoid breaking key provisioning for hardware key attestation including for Auditor (users can clear RemoteProvisioner system app data via Settings if they restored data for it and have this issue)
• Pixel 9 Fold Pro: temporarily manually add resource overlays not yet automatically handled by adevtool from the stock Pixel OS to use the correct layout for quick settings, status bar, etc. and to provide the split folded/unfolded auto-rotate settings (this will be replaced by adevtool improvements before the end of the month since we'll need it for more resources in Android 15)
• hardened_malloc: fix microdroid virtual machine compatibility by using armv8a+dotprod+memtag when enabling memory tagging instead of armv9+memtag
• init: disable auto-reboot setup for microdroid virtual machines
• expat: backport patches for CVE-2024-28757, CVE-2024-45490, CVE-2024-45491 and CVE-2024-45492 (none of these is exploitable on official GrapheneOS since the DoS bug involves a feature Android doesn't use, the integer overflows require that size_t is 32-bit which is never going to be the case due to the code only being used in 64-bit processes and the negative parameter API issue requires a usage pattern not done by Android, but the integer overflows would be exploitable on an official build for a 32-bit device or a 64-bit device still partially using 32-bit drivers)
• kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.225
• kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.165
• kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.104
• kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.51
• TalkBack (screen reader): update dependencies
• Vanadium: update to version 128.0.6613.127.0
• Vanadium: update to version 128.0.6613.146.0
• Vanadium: update to version 129.0.6668.54.0
• App Store: update to version 25
• Auditor: update to version 85
• Info: update to version 4
• GmsCompatConfig: update to version 136
• GmsCompatConfig: update to version 137

Changes in version 129.0.6668.54.0:

• update to Chromium 129.0.6668.54

A full list of changes from the previous release (version 128.0.6613.146.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Changes in version 137:

• update max supported version of Play services to 24.36
• update max supported version of Play Store to 42.7

A full list of changes from the previous release (version 136) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Changes in version 128.0.6613.146.0:

• update to Chromium 128.0.6613.146

A full list of changes from the previous release (version 128.0.6613.127.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Our Android 15 port is increasingly solid. It can currently be tested by building the OS via https://grapheneos.org/build. Since there aren't stable releases of Android 15 available yet, we currently support using the firmware, etc. from the Pixel Android 15 Beta releases for Pixels.

Changes in version 136:

• update max supported version of Play Store to 42.6
• add stub for BluetoothDevice.setPairingConfirmation()
• update SDK to 35 (Android 15)
• update target API level to 35 (Android 15)

A full list of changes from the previous release (version 135) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Notable changes in version 85:

• make remote verification more prominent by moving it to the main screen from the action menu
• use correct theme for attestation activity background color
• add support for Material You
• update NDK to 27.1.12297006
• enable generation of v4 APK signatures to replace fs-verity metadata for updates on Android 15 GrapheneOS

A full list of changes from the previous release (version 84) is available through the Git commit log between the releases.

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version.

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification. Trust is chained through the verified OS to the app to bootstrap software checks with results displayed in a separate section.

This app is available through the Play Store with the app.attestation.auditor.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.attestation.auditor app id are published in the GrapheneOS App Store. These releases are also bundled as part of GrapheneOS. You can use the GrapheneOS App Store for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

Notable changes in version 25:

• add support for using v4 APK signatures instead of fs-verity metadata on Android 15
• enable generation of v4 APK signatures to replace fs-verity metadata for updates on Android 15 GrapheneOS
• skip system package check for static dependencies self checks
• extend workaround for PackageInstaller sessions getting stuck to newer Android versions
• update AndroidX Lifecycle libraries to 2.8.5
• update AndroidX Navigation KTX libraries to 2.8.0
• update AndroidX Fragment library to 1.8.3
• update AndroidX Activity KTX library to 1.9.2
• update Gradle to 8.10
• update Android Gradle plugin to 8.6.0
• update Kotlin to 2.0.20
• update Kotlin Symbol Processing to 1.0.25

A full list of changes from the previous release (version 24) is available through the Git commit log between the releases.

App Store is the client for the GrapheneOS app repository. It's included in GrapheneOS but can also be used on other Android 12+ operating systems. Our app repository currently provides our standalone apps, out-of-band updates to certain GrapheneOS components and a mirror of the core Google Play apps and Android Auto to make it easy for GrapheneOS users to install sandboxed Google Play with versions of the Google Play apps we've tested with our sandboxed Google Play compatibility layer.

GrapheneOS users must either obtain GrapheneOS app updates through our App Store or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.