[deleted]
kd4e I believe you should be using OpenSSH to verify the image, not signify. They switched from signify to OpenSSH.
Install OpenSSH
sudo apt install openssh-client
Obtain the Key
curl -O https://releases.grapheneos.org/allowed_signers
Obtain the Image and Sig File
curl -O https://releases.grapheneos.org/DEVICE_NAME-factory-VERSION.zip
curl -O https://releases.grapheneos.org/DEVICE_NAME-factory-VERSION.zip.sig
Verify the Image
ssh-keygen -Y verify -f allowed_signers -I contact@grapheneos.org -n "factory images" -s DEVICE_NAME-factory-VERSION.zip.sig < DEVICE_NAME-factory-VERSION.zip
This is the new (OpenSSH) key:
contact@grapheneos.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUg/m5CoP83b0rfSCzYSVA4cw4ir49io5GPoxbgxdJE
You can either verify it by cross-referencing with their posts on their socials (links in the install guide) or use their old (signify) key to verify their new (OpenSSH) key (which is what you're trying to do). You would need their old signify key to do that. They signed their new (OpenSSH) key with their old (signify) key so you can verify the new OpenSSH key. The new images are signed via OpenSSH, not signify.
The current public key is signed with the previous signify key. If you already have the previous signify public key (factory.pub) and want to verify the new key with it:
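For the other route, cross-referencing the OpenSSH key, the check can be enforced mechanically before the verify command runs. This is an added example, not part of the original post or GrapheneOS tooling: it pins the key quoted above (confirm it through an independent channel first), and the function names `check_allowed_signers` and `verify_image` are hypothetical.

```shell
#!/bin/sh
# Added example: pin the signer entry in allowed_signers before trusting it.
# EXPECTED_KEY is the key quoted in the post; confirm it through an
# independent channel before relying on this check.
EXPECTED_PRINCIPAL='contact@grapheneos.org'
EXPECTED_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUg/m5CoP83b0rfSCzYSVA4cw4ir49io5GPoxbgxdJE'

# check_allowed_signers FILE (hypothetical helper)
# Returns 0 only if FILE holds exactly one entry and it is the pinned
# principal, key type and key blob. Extra signers, or an entry carrying
# options before the key type, fail closed.
check_allowed_signers() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk -v p="$EXPECTED_PRINCIPAL" -v k="$EXPECTED_KEY" '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        { n++; if ($1 == p && ($2 " " $3) == k) ok++ }
        END { exit ((n == 1 && ok == 1) ? 0 : 1) }
    ' "$1"
}

# verify_image IMAGE (hypothetical helper)
# Runs the verify command from the post, but only after the pin check passes.
verify_image() {
    check_allowed_signers allowed_signers || {
        echo "allowed_signers does not match the pinned key" >&2
        return 1
    }
    ssh-keygen -Y verify -f allowed_signers -I "$EXPECTED_PRINCIPAL" \
        -n "factory images" -s "$1.sig" < "$1"
}

# Usage: sh verify.sh DEVICE_NAME-factory-VERSION.zip
if [ "$#" -eq 1 ]; then
    verify_image "$1"
fi
```

The pin check matters because `ssh-keygen -Y verify` trusts whatever keys the downloaded `allowed_signers` file lists, so a file fetched from the same server as the image proves nothing until its contents are compared against a key obtained elsewhere.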