Signify Error
[deleted]
- Edited
kd4e I believe you should be using OpenSSH to verify the image, not signify. They switched from signify to OpenSSH
Install OpenSSH
sudo apt install openssh-client
Obtain the Key
curl -O https://releases.grapheneos.org/allowed_signers
Obtain the Image and Sig File
curl -O https://releases.grapheneos.org/DEVICE_NAME-factory-VERSION.zip
curl -O https://releases.grapheneos.org/DEVICE_NAME-factory-VERSION.zip.sig
Verify the Image
ssh-keygen -Y verify -f allowed_signers -I contact@grapheneos.org -n "factory images" -s DEVICE_NAME-factory-VERSION.zip.sig < DEVICE_NAME-factory-VERSION.zip
This is the new (OpenSSH) key,
contact@grapheneos.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUg/m5CoP83b0rfSCzYSVA4cw4ir49io5GPoxbgxdJE
You can either verify it by cross referencing with their posts on their socials (links in the install guide) or use their old (signify) key to verify their new (OpenSSH) key (which is what you're trying to do). You would need their old signify key to do that. They signed their new (OpenSSH) key with their old (signify) so you can verify the new OpenSSH key. The new images are signed via OpenSSH not signify.
The current public key is signed with the previous signify key. If you already have the previous signify public key (factory.pub) and want to verify the new key with it:
[deleted] Awesome, thanks!
I got this far, then ...
$ ssh-keygen -Y verify -f allowed_signers -I contact@grapheneos.org -n "factory images" -s DEVICE_NAME-factory-VERSION.zip.sig < DEVICE_NAME-factory-VERSION.zip
Couldn't parse signature: missing header
sig_verify: sshsig_armor: invalid format
Could not verify signature.
- Edited
kd4e All good it seems ...
"Good "factory images" signature for contact@grapheneos.org with ED25519 key SHA256"
Oh, wait, the actual key isn't at all the same as that one. But it says "Good".
I'm confused ...
- Edited
kd4e I noticed a BSD variant in the MX Linux repository.
Debian 12 (bookworm) from my install log according to the GrapheneOS CLI guide 11.12.2023:
(looks like the guide has changed a bit and now uses OpenSSH instead of signify)
~$ sudo apt install signify-openbsd
~$ alias signify=signify-openbsd
~$ curl -O https://releases.grapheneos.org/factory.pub
~$ curl -O https://releases.grapheneos.org/shiba-factory-2023120800.zip
~$ curl -O https://releases.grapheneos.org/shiba-factory-2023120800.zip.sig
~$ signify -Cqp factory.pub -x shiba-factory-2023120800.zip.sig && echo verified
~$ bsdtar xvf shiba-factory-2023120800.zip
- Edited
kd4e No, you no longer need signify to verify the factory images. This is now done with OpenSSH as u/Space already wrote. (openssh-client should be installed on every Unix & Linux by default)
The current public key is signed with the previous signify key. If you already have the previous signify public key (factory.pub) and want to verify the new key with it:
curl -O https://releases.grapheneos.org/allowed_signers.sig
signify -V -m allowed_signers -x allowed_signers.sig -p factory.pub
When the current signing key is replaced, the new key will be signed with it.
If you don't have the previous signify public key, you can skip this section. Signify is only used to compare the old key with the new one.
OK, so I did this ...
Verify the Image
ssh-keygen -Y verify -f allowed_signers -I contact@grapheneos.org -n "factory images" -s DEVICE_NAME-factory-VERSION.zip.sig < DEVICE_NAME-factory-VERSION.zip
Got this (plus a long key string) ...
Good "factory images" signature for contact@grapheneos.org with ED25519 key SHA256
But that key is not the same as this ...
contact@grapheneos.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUg/m5CoP83b0rfSCzYSVA4cw4ir49io5GPoxbgxdJE
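An added example, not part of the original thread or the GrapheneOS guide: the `SHA256:...` string in the `Good "factory images" signature` line from `ssh-keygen -Y verify` is the key's fingerprint (unpadded base64 of the SHA-256 hash of the decoded key blob), so it never matches the base64 key text in `allowed_signers` character for character. This Python sketch derives that fingerprint from an `allowed_signers` line so the two can be compared; the function names are hypothetical and the key line is the one posted above.

```python
import base64
import hashlib
import struct

# Key line as posted in the thread (allowed_signers format:
# principal, optional options, key type, base64 key blob).
ALLOWED_SIGNERS_LINE = (
    "contact@grapheneos.org ssh-ed25519 "
    "AAAAC3NzaC1lZDI1NTE5AAAAIIUg/m5CoP83b0rfSCzYSVA4cw4ir49io5GPoxbgxdJE"
)


def read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then data."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[offset + 4:end], end


def parse_allowed_signer(line):
    """Return (principal, key_type, key_blob) from one allowed_signers line."""
    fields = line.split()
    # Options may sit between the principal and the key type, so find the
    # field pair whose decoded blob names the same key type as the field before it.
    for i in range(1, len(fields) - 1):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
            embedded, _ = read_string(blob, 0)
        except ValueError:  # not base64, or not an SSH key blob
            continue
        if embedded == fields[i].encode():
            return fields[0], fields[i], blob
    raise ValueError("no public key found in line")


def fingerprint(key_blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_reported(line, reported):
    """True if the fingerprint ssh-keygen printed belongs to the key in `line`."""
    _, _, blob = parse_allowed_signer(line)
    return fingerprint(blob) == reported.strip()
```

Pass the full `SHA256:...` value from the `Good ... signature` line to `matches_reported` together with the key line obtained from a source you trust.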
- Edited
kd4e I don't know anything about the new keys. To be on the safe side, I would ask in the Matrix channel. https://grapheneos.org/contact#community-chat
On GitHub is allowed_signers.sig & allowed_signers
https://github.com/GrapheneOS/releases.grapheneos.org/tree/main/static
The key that I'm getting is different than the one on github.
I'm not sure why support is being scattered across so many different social media systems, rather than just one, it seems counter-intuitive to fragment the information. Sigh.
I see that Chat via the Thunderbird email is one alternative - at least I don't have to add yet another app. (I had no idea Thunderbird even had a Chat feature.)
I'll give it a try. I'd rather ask first than plow ahead, make a mess, then have to undo the mess and start over.
Thanks.
kd4e Signify isn't used as part of the current CLI install process. Use our official installation instructions instead of whatever unofficial guide you're following.
kd4e WebUSB does not require systemd.
- Edited
GrapheneOS
I was here:
https://grapheneos.org/install/cli
And read this ...
The current public key is signed with the previous signify key. If you already have the previous signify public key (factory.pub) and want to verify the new key with it:
curl -O https://releases.grapheneos.org/allowed_signers.sig
signify -V -m allowed_signers -x allowed_signers.sig -p factory.pub
When the current signing key is replaced, the new key will be signed with it.
- Edited
kd4e As @boldsuck mentioned, they're essentially the same chat rooms whether you use Discord, Matrix, Telegram or IRC due to the bridge. We support multiple chat platforms officially since if we don't people are still going to make communities on each of them, which would end up filled with misinformation and malicious people trying to harm GrapheneOS. By making rooms on each major platform ourselves, we avoid that situation. There's also an unofficial group on SimpleX created by some of our moderators which cannot be official due to technical limitations which may end up being resolved in the next couple years. It was created to replace a previous unofficial group with absolutely no moderation at all which was filled with trolls and misinformation, which is how we get pushed into supporting more chat platforms.
kd4e This information is only for people who previously used the older instructions with signify and therefore already have the previous signify key which they can use to verify the newer OpenSSH key. The switch to OpenSSH signing was done in February and at some point we can remove the instructions on verifying the key rotation. If you're starting fresh, you have no use for this.
When I power on the phone while holding the volume Down - on the phone display where it shows Fastboot Mode it also shows ...
Device State: locked
In Developer options OEM unlocking is ON.
I tried turning on USB debugging and USB file transfer ... no Unlock Bootloader Screen in Web Installer.
Oh, wait, for some reason this doesn't work with Firefox - just remembered that.
Sigh, OK, I'll have to move to a different computer.