- Edited
kd4e No, you no longer need signify to verify the factory images. This is now done with OpenSSH as u/Space already wrote. (openssh-client should be installed on every Unix & Linux by default)
The current public key is signed with the previous signify key. If you already have the previous signify public key (factory.pub) and want to verify the new key with it:
curl -O https://releases.grapheneos.org/allowed_signers.sig
signify -V -m allowed_signers -x allowed_signers.sig -p factory.pubWhen the current signing key is replaced, the new key will be signed with it.
If you don't have the previous signify public key, you can skip this section. Signify is only used to compare the old key with the new one.