kd4e I think there are two incompatible versions of signify out there, and I faintly recall that the BSD variant may be the expected one.

    de0u I noticed a BSD variant in the MX Linux repository.
    Are you saying that instead of using the apt get signify version, linked from the GrapheneOS installation instructions - I should install the BSD version from the MX Linux repository?

      kd4e Are you saying that instead of using the apt get signify version, linked from the GrapheneOS installation instructions - I should install the BSD version from the MX Linux repository?

      I just looked and am not seeing information about which signify to use on the installation pages I skimmed. Which instructions are you referring to?

        de0u
        It was generated when I ran this ...

        $ curl -O https://releases.grapheneos.org/allowed_signers.sig
        signify -V -m allowed_signers -x allowed_signers.sig -p factory.pub
          % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                         Dload  Upload   Total   Spent    Left  Speed
        100   144  100   144    0     0    688      0 --:--:-- --:--:-- --:--:--   692
        Command 'signify' not found, but can be installed with:
        sudo apt install signify

          kd4e Command 'signify' not found, but can be installed with: sudo apt install signify

          That message is not "linked from" the GrapheneOS installation instructions. That message is from your shell's "command not found" handler, which has no idea which version of a program is the right one.

          I hopped into my time machine and found old GrapheneOS information on which signify to use: https://web.archive.org/web/20210402204222/https://grapheneos.org/install/cli#obtaining-signify

            de0u Cool, thanks - I thought that was generated by grapheneos - always something new to learn!

            OK, I uninstalled the version of signify I had installed and installed the bsd version instead (not terribly intuitive but I'm fond of OpenBSD, so there's that). :-)

            Unfortunately, I now get this new error ...

            $ curl -O https://releases.grapheneos.org/allowed_signers.sig
            signify -V -m allowed_signers -x allowed_signers.sig -p factory.pub
              % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                             Dload  Upload   Total   Spent    Left  Speed
            100   144  100   144    0     0    436      0 --:--:-- --:--:-- --:--:--   437
            bash: /usr/bin/signify: No such file or directory

              kd4e bash: /usr/bin/signify: No such file or directory

              It sounds as if the package installed the program using a different name or in a different directory, in which case you may need to edit the command appropriately.

              Or... I suspect the web installer does this automatically. Has that been tried?

                de0u Does the WebUSB installer require systemd to be present?

                I'm using a non-systemd version of MX Linux.

                  de0u

                  You must use /usr/bin/signify-openbsd

                  or set an alias:
                  alias signify='signify-openbsd'

                  Hope this helps.

                  • [deleted]

                  kd4e I believe you should be using OpenSSH to verify the image, not signify. They switched from signify to OpenSSH.

                  Install OpenSSH
                  sudo apt install openssh-client

                  Obtain the Key
                  curl -O https://releases.grapheneos.org/allowed_signers

                  Obtain the Image and Sig File
                  curl -O https://releases.grapheneos.org/DEVICE_NAME-factory-VERSION.zip
                  curl -O https://releases.grapheneos.org/DEVICE_NAME-factory-VERSION.zip.sig

                  Verify the Image
                  ssh-keygen -Y verify -f allowed_signers -I contact@grapheneos.org -n "factory images" -s DEVICE_NAME-factory-VERSION.zip.sig < DEVICE_NAME-factory-VERSION.zip

                  This is the new (OpenSSH) key,

                  contact@grapheneos.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUg/m5CoP83b0rfSCzYSVA4cw4ir49io5GPoxbgxdJE

                  You can either verify it by cross-referencing with their posts on their socials (links in the install guide) or use their old (signify) key to verify their new (OpenSSH) key (which is what you're trying to do). You would need their old signify key to do that. They signed their new (OpenSSH) key with their old (signify) key so you can verify the new OpenSSH key. The new images are signed via OpenSSH, not signify.

                  The current public key is signed with the previous signify key. If you already have the previous signify public key (factory.pub) and want to verify the new key with it:

                    [deleted] Awesome, thanks!
                    I got this far, then ...

                    $ ssh-keygen -Y verify -f allowed_signers -I contact@grapheneos.org -n "factory images" -s DEVICE_NAME-factory-VERSION.zip.sig < DEVICE_NAME-factory-VERSION.zip
                    Couldn't parse signature: missing header
                    sig_verify: sshsig_armor: invalid format
                    Could not verify signature.

                    [deleted] Thanks!

                    Is it OK if I just download the .zip and .zip.sig from here via my browser?

                      kd4e All good it seems ...

                      "Good "factory images" signature for contact@grapheneos.org with ED25519 key SHA256"

                      Oh, wait, the actual key isn't at all the same as that one. But it says "Good".

                      I'm confused ...

                      kd4e I noticed a BSD variant in the MX Linux repository.

                      Debian 12 (bookworm) from my install log according to the GrapheneOS CLI guide 11.12.2023:
                      (looks like the guide has changed a bit and now uses open-ssh instead of signify)

                      ~$ sudo apt install signify-openbsd
                      ~$ alias signify=signify-openbsd
                      ~$ curl -O https://releases.grapheneos.org/factory.pub
                      ~$ curl -O https://releases.grapheneos.org/shiba-factory-2023120800.zip
                      ~$ curl -O https://releases.grapheneos.org/shiba-factory-2023120800.zip.sig
                      ~$ signify -Cqp factory.pub -x shiba-factory-2023120800.zip.sig && echo verified
                      ~$ bsdtar xvf shiba-factory-2023120800.zip

                        boldsuck OK, mine is "lynx-factory-2024053100" for a Pixel 7a.

                        So, this?

                        ~$ signify -Cqp factory.pub -x lynx-factory-2024053100.zip.sig && echo verified

                          kd4e No, you no longer need signify to verify the factory images. This is now done with OpenSSH as u/Space already wrote. (openssh-client should be installed on every Unix & Linux by default)

                          The current public key is signed with the previous signify key. If you already have the previous signify public key (factory.pub) and want to verify the new key with it:

                          curl -O https://releases.grapheneos.org/allowed_signers.sig
                          signify -V -m allowed_signers -x allowed_signers.sig -p factory.pub

                          When the current signing key is replaced, the new key will be signed with it.

                          If you don't have the previous signify public key, you can skip this section. Signify is only used to compare the old key with the new one.

                            boldsuck

                            OK, so I did this ...

                            Verify the Image

                            ssh-keygen -Y verify -f allowed_signers -I contact@grapheneos.org -n "factory images" -s DEVICE_NAME-factory-VERSION.zip.sig < DEVICE_NAME-factory-VERSION.zip

                            Got this (plus a long key string) ...

                            Good "factory images" signature for contact@grapheneos.org with ED25519 key SHA256

                            But that key is not the same as this ...

                            contact@grapheneos.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUg/m5CoP83b0rfSCzYSVA4cw4ir49io5GPoxbgxdJE
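An added example, written for this thread and not taken from any poster or from GrapheneOS, that takes apart the two strings being compared in the reply above. The text after "with ED25519 key" in the ssh-keygen -Y verify output is the SHA256 fingerprint of the matching key in allowed_signers, i.e. a hash of the decoded key blob, not the base64 key itself, so the two are expected to look different; what should match is the fingerprint of the key line you obtained out of band. The block uses only the Python standard library: it parses the allowed_signers line quoted above, decodes the ssh-ed25519 wire format, computes that fingerprint, and classifies a downloaded .sig file by its first line, which is the distinction behind the earlier "missing header" error from ssh-keygen. The three sample signature-file snippets are constructed placeholders, not real signatures.

```python
import base64
import hashlib
import struct

# The allowed_signers line quoted in the thread (principal, key type, base64 key blob).
ALLOWED_SIGNERS_LINE = (
    "contact@grapheneos.org ssh-ed25519 "
    "AAAAC3NzaC1lZDI1NTE5AAAAIIUg/m5CoP83b0rfSCzYSVA4cw4ir49io5GPoxbgxdJE"
)

# Constructed stand-ins for the first lines of three kinds of downloaded ".sig" file.
SAMPLE_SSHSIG = b"-----BEGIN SSH SIGNATURE-----\nU1NIU0lH...\n-----END SSH SIGNATURE-----\n"
SAMPLE_SIGNIFY = b"untrusted comment: verify with factory.pub\nRWQ...\n"
SAMPLE_HTML = b"<!DOCTYPE html><html><body>404</body></html>\n"


def parse_allowed_signers_line(line):
    """Return (principal, key type, base64 blob) from one allowed_signers line.

    Options such as namespaces="..." may appear between the principal and the
    key type, so the key is always taken from the last two fields.
    """
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected at least 'principal keytype key'")
    return fields[0], fields[-2], fields[-1]


def _read_ssh_string(blob, offset):
    """Read one length-prefixed string (4-byte big-endian length) from blob."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def decode_ssh_public_key(b64):
    """Decode the wire format of an OpenSSH public key: string keytype, string key."""
    blob = base64.b64decode(b64, validate=True)
    keytype, offset = _read_ssh_string(blob, 0)
    material, offset = _read_ssh_string(blob, offset)
    if offset != len(blob):
        raise ValueError("unexpected trailing bytes in key blob")
    if keytype == b"ssh-ed25519" and len(material) != 32:
        raise ValueError("ssh-ed25519 public key must be 32 bytes")
    return keytype.decode("ascii"), material


def ssh_fingerprint(b64):
    """SHA256 fingerprint of a key blob, in the form ssh-keygen prints (no '=' padding)."""
    blob = base64.b64decode(b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def classify_signature_file(data):
    """Classify a downloaded signature file by its first non-blank line."""
    first = data.decode("utf-8", errors="replace").lstrip().split("\n", 1)[0].rstrip()
    if first == "-----BEGIN SSH SIGNATURE-----":
        return "sshsig"       # what ssh-keygen -Y verify expects
    if first.startswith("untrusted comment:"):
        return "signify"      # what signify -V / -C expects
    return "unknown"          # e.g. an HTML page saved by a browser


if __name__ == "__main__":
    principal, keytype, b64 = parse_allowed_signers_line(ALLOWED_SIGNERS_LINE)
    decoded_type, material = decode_ssh_public_key(b64)
    print(f"{principal}: {decoded_type}, {len(material)}-byte key")
    print("fingerprint ssh-keygen would print:", ssh_fingerprint(b64))
    for name, sample in [("sshsig", SAMPLE_SSHSIG), ("signify", SAMPLE_SIGNIFY), ("html", SAMPLE_HTML)]:
        print(f"{name}: {classify_signature_file(sample)}")
```

Run it as a script to see the fingerprint for the quoted key; the value it prints is what a "Good ... signature" line from ssh-keygen refers to, and the thing to compare against the key you fetched through a separate channel is that fingerprint (or the full key line), never the signature file contents.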

                              boldsuck

                              The key that I'm getting is different than the one on github.

                              I'm not sure why support is being scattered across so many different social media systems, rather than just one, it seems counter-intuitive to fragment the information. Sigh.

                              I see that Chat via the Thunderbird email is one alternative - at least I don't have to add yet another app. (I had no idea Thunderbird even had a Chat feature.)

                              I'll give it a try. I'd rather ask first than plow ahead, make a mess, then have to undo the mess and start over.

                              Thanks.

                                kd4e The chat rooms are bridged across Discord, Telegram and Matrix.
                                Just click on General:grapheneos.org; Matrix/Element starts in every browser.