Fairphone 6 with official build does not pass integrity checks

Hello,

I have several issues on my Fairphone 6 I’ve flashed to /e/os. I’ve used the official image and locked the bootloader.
I cannot do sensitive operations through my bank (Crédit Mutuel) because it needs Google notifications (sadly). I thought microG through Cloud Messaging would do that.
For work, I need Microsoft Authenticator, and I do not receive notifications there either. It’s ok because I can check it manually, but it is still surprising.
I cannot use France identité at all. It is a recurring issue, but on an official build with a locked bootloader it seems to work for many.
I can’t use the MAIF application, I assume because I have a big warning that says my phone is insecure.

When trying to investigate, I noticed the Fairphone has only MEETS_BASIC_INTEGRITY on an integrity check.

And I cannot generate a key attestation, I get this error:
This device does not support key attestation or the trusted environment on this device is broken.
Solution: Consult the device manufacturer whether the device supports key attestation function and the destruction conditions of the trusted environment, such as unlocking the bootloader.

Detailed messages:
java.security.ProviderException: Failed to generate key pair.
android.security.KeyStoreException: -49 (internal Keystore code: -49 message: system/security/keystore2/src/security_level.rs:680 Caused by: 0: system/security/keystore2/src/security_level.rs:674: While generating without a provided attestation key and params: [KeyParameter { tag: r#KEY_SIZE, value: Integer(256) }, KeyParameter { tag: r#ALGORITHM, value: Algorithm(r#EC) }, KeyParameter { tag: r#EC_CURVE, value: EcCurve(r#P_256) }, KeyParameter { tag: r#PURPOSE, value: KeyPurpose(r#SIGN) }, KeyParameter { tag: r#DIGEST, value: Digest(r#NONE) }, KeyParameter { tag: r#DIGEST, value: Digest(r#SHA_2_256) }, KeyParameter { tag: r#NO_AUTH_REQUIRED, value: BoolValue(true) }, KeyParameter { tag: r#ACTIVE_DATETIME, value: DateTime(1752040840336) }, KeyParameter { tag: r#ORIGINATION_EXPIRE_DATETIME, value: DateTime(1752041840336) }, KeyParameter { tag: r#USAGE_EXPIRE_DATETIME, value: DateTime(1752042840336) }, KeyParameter { tag: r#CERTIFICATE_NOT_AFTER, value: DateTime(2461449600000) }, KeyParameter { tag: r#CERTIFICATE_NOT_BEFORE, value: DateTime(0) }, KeyParameter { tag: r#CERTIFICATE_SERIAL, value: Blob([1]) }, KeyParameter { tag: r#CERTIFICATE_SUBJECT, value: Blob([48, 31, 49, 29, 48, 27, 6, 3, 85, 4, 3, 19, 20, 65, 110, 100, 114, 111, 105, 100, 32, 75, 101, 121, 115, 116, 111, 114, 101, 32, 75, 101, 121]) }, KeyParameter { tag: r#ATTESTATION_CHALLENGE, value: Blob([87, 101, 100, 32, 74, 117, 108, 32, 48, 57, 32, 48, 56, 58, 48, 48, 58, 52, 48, 32, 71, 77, 84, 43, 48, 50, 58, 48, 48, 32, 50, 48, 50, 53]) }, KeyParameter { tag: r#ATTESTATION_ID_BRAND, value: Blob([70, 97, 105, 114, 112, 104, 111, 110, 101]) }, KeyParameter { tag: r#ATTESTATION_ID_DEVICE, value: Blob([70, 80, 54]) }, KeyParameter { tag: r#ATTESTATION_ID_PRODUCT, value: Blob([108, 105, 110, 101, 97, 103, 101, 95, 70, 80, 54]) }, KeyParameter { tag: r#ATTESTATION_ID_MANUFACTURER, value: Blob([70, 97, 105, 114, 112, 104, 111, 110, 101]) }, KeyParameter { tag: r#ATTESTATION_ID_MODEL, value: Blob([70, 97, 105, 
114, 112, 104, 111, 110, 101, 32, 54]) }, KeyParameter { tag: r#CREATION_DATETIME, value: DateTime(1752040840372) }, KeyParameter { tag: r#ATTESTATION_APPLICATION_ID, value: Blob([48, 78, 49, 40, 48, 38, 4, 32, 105, 111, 46, 103, 105, 116, 104, 117, 98, 46, 118, 118, 98, 50, 48, 54, 48, 46, 107, 101, 121, 97, 116, 116, 101, 115, 116, 97, 116, 105, 111, 110, 2, 2, 0, 132, 49, 34, 4, 32, 31, 101, 14, 196, 16, 62, 60, 202, 173, 248, 202, 226, 10, 129, 105, 59, 145, 119, 238, 164, 168, 243, 94, 160, 224, 174, 20, 235, 250, 114, 196, 249]) }]. 1: Error::Km(r#SECURE_HW_COMMUNICATION_FAILED))

And the SafetyNet test fails:

However, for microG everything is fine:

I don’t know if I’m the only one, if I should reinstall /e/os, if this is a bug, if it is just complex to match all those requirements.
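
An added example, not part of the original post and not /e/OS or keystore2 code: a small Python parser for the keystore2 error text quoted above, which decodes the `Blob([...])` byte lists into readable text and pulls out the final `Error::Km(...)` code. The function names and the shortened `SAMPLE` string are this example's own, and the parser assumes the `KeyParameter { tag: ..., value: ... }` print format seen in that message.

```python
import re

# Excerpt of the keystore2 error from the post above; most KeyParameters are
# left out for brevity, the ones kept are copied unchanged.
SAMPLE = (
    "android.security.KeyStoreException: -49 (internal Keystore code: -49 "
    "message: system/security/keystore2/src/security_level.rs:680 Caused by: "
    "0: system/security/keystore2/src/security_level.rs:674: While generating "
    "without a provided attestation key and params: ["
    "KeyParameter { tag: r#KEY_SIZE, value: Integer(256) }, "
    "KeyParameter { tag: r#ALGORITHM, value: Algorithm(r#EC) }, "
    "KeyParameter { tag: r#ATTESTATION_ID_BRAND, value: "
    "Blob([70, 97, 105, 114, 112, 104, 111, 110, 101]) }, "
    "KeyParameter { tag: r#ATTESTATION_ID_DEVICE, value: Blob([70, 80, 54]) }, "
    "KeyParameter { tag: r#ATTESTATION_ID_PRODUCT, value: "
    "Blob([108, 105, 110, 101, 97, 103, 101, 95, 70, 80, 54]) }]. "
    "1: Error::Km(r#SECURE_HW_COMMUNICATION_FAILED))"
)

PARAM_RE = re.compile(r"KeyParameter \{ tag: r#(\w+), value: (\w+)\((.*?)\) \}", re.S)
KM_RE = re.compile(r"Error::Km\(r#(\w+)\)")

def decode_value(kind, raw):
    """Turn one printed KeyParameter value into a readable Python value."""
    if kind == "Blob":
        data = bytes(int(n) for n in re.findall(r"\d+", raw))
        # Show printable ASCII blobs as text, anything else as hex.
        if data and all(32 <= b < 127 for b in data):
            return data.decode("ascii")
        return data.hex()
    if kind in ("Integer", "DateTime"):
        return int(raw)
    return raw.removeprefix("r#")  # enum names such as r#EC, or true/false

def parse_keystore_error(text):
    """Return ([(tag, value), ...], name inside Error::Km(...) or None)."""
    params = [(tag, decode_value(kind, raw)) for tag, kind, raw in PARAM_RE.findall(text)]
    km = KM_RE.search(text)
    return params, km.group(1) if km else None

def attestation_ids(params):
    """Only the device-identity fields the caller asked to have attested."""
    return {tag: val for tag, val in params if tag.startswith("ATTESTATION_ID_")}

if __name__ == "__main__":
    params, km_error = parse_keystore_error(SAMPLE)
    print("Error::Km code:", km_error)
    for tag, val in attestation_ids(params).items():
        print(f"{tag} = {val}")
```

Pasting the full message from the post in place of `SAMPLE` decodes the remaining blobs the same way, including the attestation challenge.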

Probably better to install Fairphone stock Android ;-)

  • Have you tried a factory reset? Which eOS version is installed?
  • Have you activated all microG options and added Google credentials?

@Manoj Can you please check forum device topic, seems messed up

I chose /e/os because I don’t like Google and don’t want to depend on it (I was using iOS before just for this reason). It’s just that I’ve searched a little on these issues and I’m surprised that it doesn’t work on a Fairphone 6 with an official release, given that it works for a lot of /e/os users.

I haven’t tried yet to reset the phone, I’d like to know if it works for some users before reinstalling everything for nothing.

I use 3.0.2-a15-20250627504414-official-FP6 and all microG options are activated. I’ve connected a Google account on microG; I’ll probably try to remove the account, if I can, once everything’s set.

I’m technical but new to Android, so I try to understand how everything is related and what tradeoffs there are in using /e/os with different apps.

You discovered many of the things which crop up for /e/OS users. I do not think you made significant mistakes in your analysis.

Many come to /e/OS with a strong aversion to anything Google and are happy to work around the handicaps of using a Google-built system with Google removed. It will not be fully automagical; there will be things which don’t work.

I can see this being difficult to come to terms with when your first experience is an expensive new phone, but I wish you good luck in your journey.


Ok fine, I can get around some of them; however, for integrity checks, I thought microG was supposed to do the work.
I understand well for Google notifications that if the app has no fallback, it just won’t work. It’s just a choice of whether I want Google to receive my bank notifications…

MicroG does not emulate all Google Play services. It does enough to use all but a few Google Play apps. You can even buy apps provided you have a payment method set up in your Google account. However, some apps will only run on an OEM version of Android. The option is to conform to the app or possibly gain access to your bank through a web browser. I know I can do that with my bank in the USA. I don’t have to use an app, a web browser can do the same thing, but it depends on the bank.

I solved some issues, I enabled the option on microG to ask me before an app could register with Cloud Messaging. And it did trigger something and a lot of apps asked me to register. I then reinstalled my banking app and I could enable everything for sensitive operations. I do rely on Google, but my bank notifications are just to confirm operations, there is no sensitive data in notifications, that’s an acceptable compromise.
I’m still surprised to not have integrity checks passing, I saw a lot of users in this forum that could install apps like France Identité on previous Fairphone versions, which requires integrity checks to pass and key attestation to work. Given the collaboration between /e/os and because they succeeded in previous Fairphone versions, I thought they found a way to make it work, but maybe devs still have issues to fix or the hardware is different and does not allow it or Google changed something and it is not working anymore.

I see that you posted here: Signature of the Calendar app does not match - #10 by Pato. It seems to me that this build is at least “unusual” … whatever the unusuality turns out to be … it could account for other teething problems which I would not want to speculate on without the device.
