ablankman, just to add to what my colleagues have outlined already, this was recently released via the project's official Twitter account:
GrapheneOS source code releases (Git tags) will now be signed with SSH rather than GPG. We've published an SSH allowed signers configuration for GrapheneOS:
grapheneos.org/allowed_signe…
Key rotation proof signatures:
https://grapheneos.org/allowed_signers.sig (signify)
https://grapheneos.org/allowed_signers.asc (GPG)
We've updated our build instructions to explain verifying the OS source releases with SSH:
https://grapheneos.org/build#stable-release
You'll be able to use the same GrapheneOS allowed signers configuration for verifying tags across our Git repositories. We may also use it for other purposes too.
OpenSSH is far more broadly available than signify. It's included in macOS, Windows and most Linux distributions. However, many of these still have an old version without file signing support.
We'll likely replace signify with SSH signing for GrapheneOS factory images eventually.
Source: https://nitter.net/GrapheneOS/status/1610897628627193856
So, based on the extract highlighted in bold, going forward the above is likely to become outdated at some point. Please ensure you keep up to date, either through announcement threads here or the above account etc.