Ty. Saving others some time:

Contactless payments work fine on GrapheneOS. It’s not like there’s something fundamentally incompatible about them. It just so happens that the most prevalent implementation (Gpay) requires a Google certified OS. The options right now are as follows:

People find alternatives (such as their bank) which provide this without using Gpay and don’t require a certified OS themselves.

This is implemented, which would at least temporarily allow people to use apps that require a certified OS on GrapheneOS: https://github.com/GrapheneOS/os-issue-tracker/issues/1986

Apps currently requiring a Google certified OS whitelist it as per https://grapheneos.org/articles/attestation-compatibility-guide (though it is of course very unlikely that Google themselves would do this)

But:

Barclays in the UK is only one example of contactless payments working without Google Pay, there are other banks in France for example for which we’ve had reports of similar contactless payment systems working. They exist; though I’m under no illusions that they’re prevalent, since I imagine from their POV, implementing Google Pay is much easier and maintainable.

On the spoofing CTS checks thing, I did not mean to insinuate that you or some other user would be the one to implement this. When I said “an option is for this to be implemented”, I meant the development team adding it to GrapheneOS. The issue is currently open and was opened by someone on the development team, so it’s not a feature that the team has ruled out. As with everything on GrapheneOS, though, the best way to approach it has to be determined, which can take time.

On your 3rd point, lobbying Google to whitelist GrapheneOS by using that guide is realistically never going to happen. Other OEMs that have to go through certification and pass CTS (compatibility test suite) which GrapheneOS doesn’t (because it adds things like new permissions which deviate from the compatibility goals that Android has set) would be outraged if that ever happened. In fact, I would wager that it would be a much more realistic scenario for someone to invest millions into funding a company that provides an alternative to Google Pay without puttng it behind a CTS check, rather than Google ever whitelisting GrapheneOS.

When someone says “contactless payments don’t work on GrapheneOS”, it’s not immediately clear to everyone that what is meant by that is “there aren’t good options for people to use right now” and I wouldn’t want someone to think that contactless payments are fundamentally incompatible with GrapheneOS, or that it breaks them somehow. Contactless payments via Gpay on GrapheneOS don’t work as of right now for the exact same reason why the McDonalds app in some countries (I kid you not) doesn’t. SafetyNet / Play Integrity API and their ctsProfileMatch and MEETS_DEVICE_INTEGRITY checks accordingly.