deislabs / mystikos

Tools and runtime for launching unmodified container images in Trusted Execution Environments

How to be aware that the code that is running is the one we write?

stdevMac opened this issue

I was reading this and this doc, and we are not completely sure about one thing.

Once we build our apps, how do we know that the app is running the exact code that we write? I mean, how can the apps that are connecting to each other verify this info?

Maybe it is a dumb question, something we are missing.

Thanks in advance!

That's a good question. And I apologize for not including the details in the above-mentioned documents.

Generally Mystikos offers two lines of defense for protection against tampering with your built application:

  1. Launch protection: the `myst` command takes a roothash option when the rootfs is ext2fs. This will ensure the ext2fs (and everything included in it) is not tampered with. Similarly, the command takes a pubkey option for the ext2fs so that any ext2fs signed by unauthorized parties is not able to launch with the `myst exec-sgx --pubkey <authorized-keys>` command.

  2. Attestation protection: even if the hacker is able to manipulate the `myst` command and launch the tampered application, the attestation report would bear the hash value (derived from dmverity) or the public key from the tampered version. Therefore this attestation report would fail to pass the verification of a remote relying party that checks those values, and the malicious app won't be able to get any secrets.
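The relying-party check from point 2, as an added example that is not part of the original thread and is not Mystikos code: a root hash over the rootfs changes when any block changes, and secrets are released only when the reported values match policy. Assumptions: the Merkle construction is a simplified stand-in for the dm-verity root hash, the claim names `rootfs_roothash` and `signer_pubkey_sha256` are hypothetical, and the attestation report's signature has already been verified.

```python
import hashlib

BLOCK = 4096  # block size assumed for this sketch


def merkle_root(image: bytes) -> str:
    """Simplified Merkle root over fixed-size blocks (not the dm-verity on-disk format)."""
    blocks = [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)] or [b""]
    # Leaves and inner nodes get different prefixes so one cannot stand in for the other.
    level = [hashlib.sha256(b"\x00" + b).digest() for b in blocks]
    while len(level) > 1:
        nxt = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:          # unpaired last node is carried up unchanged
            nxt.append(level[-1])
        level = nxt
    return level[0].hex()


def check_claims(claims: dict, policy: dict) -> list:
    """Return policy violations; an empty list means the evidence is acceptable.

    `claims` stands for values read from an attestation report whose signature
    the relying party has already verified. The field names are hypothetical.
    """
    problems = []
    if claims.get("rootfs_roothash") not in policy["roothashes"]:
        problems.append("rootfs root hash not in allowlist")
    if claims.get("signer_pubkey_sha256") not in policy["signers"]:
        problems.append("rootfs signer not authorized")
    return problems


def release_secret(claims: dict, policy: dict, secret: bytes):
    """Hand out the secret only when every checked value matches the policy."""
    return secret if not check_claims(claims, policy) else None


# Constructed sample data: a 3-block "rootfs" and a copy with one byte changed.
GOOD_IMAGE = b"A" * BLOCK + b"B" * BLOCK + b"C" * 100
BAD_IMAGE = GOOD_IMAGE[:BLOCK] + b"X" + GOOD_IMAGE[BLOCK + 1:]
SIGNER = hashlib.sha256(b"constructed-authorized-public-key").hexdigest()
POLICY = {"roothashes": {merkle_root(GOOD_IMAGE)}, "signers": {SIGNER}}

if __name__ == "__main__":
    for name, image in (("good", GOOD_IMAGE), ("tampered", BAD_IMAGE)):
        claims = {"rootfs_roothash": merkle_root(image), "signer_pubkey_sha256": SIGNER}
        print(name, check_claims(claims, POLICY) or "accepted")
```

The policy fails closed: a report that omits either claim is rejected the same way as one carrying a wrong value.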

Hi @jxyang, thanks as always for your great response 🙏 It's clear to me, but in case my mates have any doubts I will post them over here, thanks!!!