GrapheneOS AttestationServer Docker
Dockerized deployment of GrapheneOS AttestationServer for local attestation.
Overview
This project provides a containerized setup for running your own GrapheneOS AttestationServer. It includes:
- AttestationServer - The main Java application handling attestations
- Caddy - Reverse proxy with HTTPS support
- SQLite - Local database storage for attestation data
Prerequisites
Before running the server, ensure you have:
- Docker and Docker Compose installed
- TLS certificates for the attestation.app domain in the certs/ directory:
  - certs/attestation.app.crt - Certificate file
  - certs/attestation.app.key - Private key file
- DNS or hosts file configuration to resolve attestation.app to your server
Pre-Launch Setup
1. Prepare TLS Certificates
Place your TLS certificates for attestation.app in the certs/ directory:
- certs/attestation.app.crt - Certificate
- certs/attestation.app.key - Private key
Note: Certificate generation is up to you. You can use self-signed certificates for local testing or certificates from a trusted CA.
2. Configure DNS or Hosts File
The GrapheneOS Auditor app expects to connect to attestation.app. You must redirect this domain to your local server's IP address.
Option A: Local Machine (hosts file)
Edit your hosts file:
Linux/macOS:
sudo nano /etc/hosts
Windows:
C:\Windows\System32\drivers\etc\hosts
Add the following line (replace 192.168.1.100 with your server's IP):
192.168.1.100 attestation.app
Option B: Network-wide (DNS)
Configure your router or local DNS server (like Pi-hole or AdGuard) to resolve attestation.app to your server's IP address.
Option C: Android Device (root required)
If your Android device is rooted, edit /system/etc/hosts:
su
mount -o remount,rw /system
echo "192.168.1.100 attestation.app" >> /system/etc/hosts
mount -o remount,ro /system
Important: You must configure this on the Android device running the Auditor app, not just the server.
3. Create Data Directory
Ensure the data directory exists for persistent SQLite storage:
mkdir -p data
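A pre-launch check for the three steps above, as an added example that is not part of this project: it reads a hosts-format file to confirm attestation.app maps to the server IP, verifies that the certificate and private key in certs/ belong together and that the certificate names attestation.app in its SAN, and checks that data/ exists. It assumes openssl is on PATH; the script and function names are my own.

```shell
#!/bin/sh
# preflight.sh: constructed example, not part of the project. Checks the
# pre-launch steps above. Assumes openssl is on PATH; function names are mine.
set -u

# Print the IP that a hosts-format file maps to HOST (first match, comments
# stripped); print nothing if HOST is absent.
hosts_lookup() {
    sed 's/#.*//' "$1" | awk -v h="$2" \
        '{ for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }'
}

# Succeed only if FILE maps HOST to EXPECTED_IP.
hosts_resolves() {
    [ "$(hosts_lookup "$1" "$2")" = "$3" ]
}

# Succeed only if the certificate's public key equals the one derived from
# the private key (both rendered as PEM SubjectPublicKeyInfo).
cert_matches_key() {
    crt_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Succeed only if the certificate lists HOST as a DNS SAN. Modern TLS clients
# match the hostname against the SAN, so a CN-only certificate is rejected.
cert_covers_host() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -qE "DNS:$2([[:space:],]|\$)"
}

# Run every check for this layout: preflight SERVER_IP [HOSTS_FILE] [CERT_DIR]
preflight() {
    ip=$1; hosts=${2:-/etc/hosts}; dir=${3:-certs}; rc=0
    hosts_resolves "$hosts" attestation.app "$ip" \
        && echo "ok   attestation.app -> $ip in $hosts" \
        || { echo "FAIL attestation.app does not map to $ip in $hosts"; rc=1; }
    cert_matches_key "$dir/attestation.app.crt" "$dir/attestation.app.key" \
        && echo "ok   certificate and private key match" \
        || { echo "FAIL certificate/key mismatch or unreadable"; rc=1; }
    cert_covers_host "$dir/attestation.app.crt" attestation.app \
        && echo "ok   certificate has DNS SAN attestation.app" \
        || { echo "FAIL certificate lacks DNS SAN attestation.app"; rc=1; }
    [ -d data ] && echo "ok   data/ present" || { echo "FAIL data/ missing"; rc=1; }
    return $rc
}
```

Run it from the project directory as `sh preflight.sh` after adding a line such as `preflight 192.168.1.100` at the bottom, or source it and call the individual checks.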
Running the Server
Build and Start
docker compose up -d --build
This will:
- Build the AttestationServer from source
- Start the attestation service on port 8080 (internal)
- Start Caddy reverse proxy on ports 80 and 443
Check Status
docker compose ps
docker compose logs -f
Stop the Server
docker compose down
Stop and Remove All Data
docker compose down -v
rm -rf data/*.db data/*.db-*
Usage
- Ensure your Android device has attestation.app pointing to your server IP
- Install the GrapheneOS Auditor app on your Android device
- Open the Auditor app
- The app will connect to your local attestation server instead of the official one
Directory Structure
.
├── certs/ # TLS certificates
│ ├── attestation.app.crt
│ └── attestation.app.key
├── data/ # SQLite databases (persistent)
│ ├── attestation.db
│ └── samples.db
├── Caddyfile # Caddy reverse proxy config
├── Dockerfile # AttestationServer build
├── docker-compose.yml # Service orchestration
├── entrypoint.sh # Container entrypoint
└── process-static-docker.sh # Static file processor
Security Considerations
- Keep your private key (certs/attestation.app.key) secure and never commit it to version control
- The .gitignore file excludes sensitive files like certificates and databases
- This setup is intended for local/private use only
- For production deployment, use properly signed certificates from a trusted CA
License
This Docker setup follows the same license as the upstream GrapheneOS AttestationServer.