Departure of Calyx / CalyxOS leadership and discontinuation of CalyxOS updates

LGgos

GrapheneOS I see... I accept that I'm probably commenting with subconscious bias having followed him for a while and enjoyed his content, and that I haven't done enough research to be commenting. I didn't realise that the most serious accusation was fabricated by him, which shows my ignorance really.

Apologies if my questioning of your side of it has come across as loaded, which looking back, it probably has (and maybe in part to be honest I did want to believe his side more - familiarity etc). Like anyone else I just want to hear both sides of a story but have not come to any conclusions. I withdraw and apologise for any remarks that may have come across as accusatory.

Will be a lot more cautious of his content from now on...

GrapheneOS

LGgos

I didn't realise that the most serious accusation was fabricated by him

He's misrepresenting referring to someone else doing swatting because of Techlore's content, which he was supporting, as accusing him of attempted murder. It doesn't make any sense whatsoever. It was not what was said at all. What was said is that he shares responsibility for it due to participating in what led to people engaging in that harassment. He then went on to publish a video where he tried to cause a massive increase in harassment through fabrications, spin and bullying. The video he published proved he was far worse than what he was privately criticized for doing over the past many months. He leaked private information and private messages along with heavily misrepresenting those in order to target someone with harassment. He used his platform to mislead people and encourage harassment towards someone. Why? He was angry that he was privately criticized for his existing involvement, so he massively ramped it up to try to ruin someone's life with his large platform.

LGgos

GrapheneOS I don't support such a thing, no worries. I'm happy to drop the matter and won't be voicing any more support (well it was more questioning rather than support, but I suppose on self reflection there might have been my hope that he wasn't quite so nasty as all that, effectively being like a form of support)

For sure I do not support any of the harassment against any of your team past or present

fph

de0u fph I have access to the signing keys! Well, sort of! And so do you!

The GrapheneOS build instructions include instructions for generating keys and signing builds. Over the summer I did a couple of builds and updates on a debug device as part of an experiment, using my signing keys.

That does not really answer our question. If I understand correctly, the Graphene OS build we all have installed (apart from the very small minority that builds and updates the system themselves) is signed with keys from the Graphene OS team. In order to continue receiving OTA updates, those updates need to be signed with the same key, or the bootloader complains.

If only one person has access to this signing key, and that person goes rogue, then we all need to reinstall the system from scratch in order to continue receiving updates. This is precisely what happened to Calyx OS, if I understand correctly.

Also, and more importantly, if someone who has access to that key goes rogue, they are in a position to push a malicious update. Essentially, they have root on our systems.

So I believe that "who has the Graphene OS signing key" is an important question. And I mean the key that signs the official install, not the key for a custom build as in your answer.

Probably9857

fph So I believe that "who has the Graphene OS signing keys" is an important question.

It's an important question for the key project members. As a user, it is understandable that you would like to know this, but I think it is not realistic to expect the project to publicly disclose that kind of sensitive information. It could put people at risk.

I think it is safe to say they are managing keys more responsibly than CalyxOS was.

Probably9857

fph Also, and more importantly, if someone who has access to that key goes rogue, they are in a position to push a malicious update.

They would also need access to a lot of other GrapheneOS project infrastructure, and this would have to be done without other project members noticing.

fph Essentially, they have root on our systems.

This is a ridiculous statement.

GrapheneOS does not force anyone to automatically or immediately (or even eventually) install every new update.

de0u

fph [...] So I believe that "who has the Graphene OS signing key" is an important question.

As I asked above, what would be different if you knew how many people can sign GrapheneOS builds and their names?

If certain answers would be a show-stopper for you, you are free to assume one of those show-stoppers is the answer and sign your own builds.

Probably9857

fph

Of note, a few months ago, the lead developer of GrapheneOS was ~~kidnapped~~ conscripted and forced to participate in a war.

The ability to sign releases was not affected.

linux-dev

Probably9857

What do you mean by more responsibly? Spreading the keys to dozens of developers, that still can use these keys even if they leave the project?

IMHO is Calyx doing the only right thing. Since they cannot rotate the key, only OEMs can do that as they have full control over the bootloader. If someone leaves the project he should not have access to the key anymore.

Probably9857

linux-dev

linux-dev What do you mean by more responsibly?

I mean in a way that is likely to avoid the situation in which CalyxOS finds themselves.

linux-dev Spreading the keys to dozens of developers, that still can use these keys even if they leave the project?

I imagine that more creative solutions are possible.

linux-dev IMHO is Calyx doing the only right thing

I didn't say anything about what they are doing now. Only that it was irresponsible of them to allow this situation to arise in the first place.

But, I'm not an expert in this area, so if you want to say they were actually following best practices, I'm not in a position to dispute it.

GrapheneOS

linux-dev

Since they cannot rotate the key, only OEMs can do that as they have full control over the bootloader.

Calyx could have released updates rotating all of the keys used within the OS including the ones for OS and app updates. They can't do that because they seem to lack access to the signing keys. It's only the verified boot keys which can't be rotated and several devices they support lack working verified boot anyway. They also don't have the extensions to verified boot needed to make it more useful than wiping via recovery being near equivalent to a fresh install.

linux-dev

Probably9857

I imagine that more creative solutions are possible.

There is: https://rombsr.org/ but as far as I know neither grapheos or calyxos used it so far, may change in the future though.

Probably9857

linux-dev

The problem of shared/organizational/distributed key management has been widely considered in relation to cryptocurrencies, and there are many solutions that seem to be reasonably effective. Seems to me the concepts would transfer to software signing keys.

GrapheneOS

linux-dev Where did you get this link?

lynatic

linux-dev the repo linked on their website doesn't exist: https://github.com/xoraxiom/ROMbsr

The install guide uses a "your-org" placeholder that smells vibecoded, there a no other mentions of this project anywhere on the internet (other than the websites repo itself: https://github.com/xoraxiom/ROMbsr-website).

Seems weird...

GrapheneOS

linux-dev We asked where you got the link you shared in GrapheneOS. Please provide an answer to this question.

linux-dev

FYI, I think they don't want to use the old keys, as they are changing their signing process, at least this is what I assume from reading: https://gitlab.com/CalyxOS/calyxos/-/issues/3430

GrapheneOS

linux-dev The signing keys for APKs and APEXes can be rotated, as can the signing keys for OS updates. There's no need to stop releases updates to rotate those keys. If they had the previous signing keys, they would still be able to release updates and wouldn't need to require reinstallation. Only verified boot key rotation requires reinstallation and not all the devices they support have working verified boot anyway.

de0u

lynatic the repo linked on their website doesn't exist: https://github.com/xoraxiom/ROMbsr

I believe GitHub can return a 404 if a repository is private (perhaps by accident).

linux-dev

GrapheneOS

If they had the previous signing keys, they would still be able to release updates and wouldn't need to require reinstallation.

And how do you know that they don't have the keys?

How can they provide another ota if they don't have the keys:

https://calyxos.org/news/2025/08/27/last-ota-update-before-new-calyxos-release/

GrapheneOS

linux-dev Convincing Nick to sign a final update to give users a notice doesn't mean they have the signing keys. The actual patch level will still be 2025-06-01 even if they set an inaccurate Android security patch level without providing everything required as they usually do. If they have the signing keys and can use them for arbitrary things, why aren't they rotating everything other than the verified boot keys?

« Previous Page Next Page »