Verifying the Signature on GrapheneOS Images

On the GrapheneOS release page, download the appropriate file and its signature. As of writing, the files for a Pixel 3a are

WARNING: You must use the correct files for your device or you risk bricking the phone. Please use files intended for your device.

Now, obtain the GrapheneOS public key. Next, verify the file contains

untrusted comment: GrapheneOS factory images public key

and agrees with the copies on GrapheneOS' GitHub account and their Twitter.

On Debian/Ubuntu/Linux Mint, install signify-openbsd if it's not already on your system.

$ sudo apt-get install signify-openbsd

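Then, in the directory containing the .zip and .zip.sig files, type the following, replacing PUBLIC_KEY_FILE and IMAGE.zip.sig with the names of the public key file and the signature file you downloaded:

$ signify-openbsd -Cqp PUBLIC_KEY_FILE -x IMAGE.zip.sig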

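If there is no output, the signature is valid: -q suppresses the success message, and a failed check prints an error and exits with a non-zero status.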
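
The steps above as a script, added here as an example (it is not from the original page or from the GrapheneOS project): it checks the key file's comment line and structure, compares it with a second copy fetched from another channel, then runs the signify command and decides on its exit status. The function names and the three file arguments are assumptions; the 42-byte layout is signify's public key format.

```shell
#!/bin/sh
# Added example. File names are passed in by the caller (assumptions).
EXPECTED_COMMENT='untrusted comment: GrapheneOS factory images public key'

# Print the base64 key line (line 2) of a signify public key file.
key_line() {
    sed -n '2p' "$1" | tr -d '\r'
}

# Succeed only if the file has the comment line quoted on the page and a
# key line that decodes to signify's 42-byte public key layout:
# 2-byte "Ed" algorithm tag, 8-byte key number, 32-byte Ed25519 key.
check_pubkey() {
    [ "$(sed -n '1p' "$1" | tr -d '\r')" = "$EXPECTED_COMMENT" ] || return 1
    decoded_len=$(key_line "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$decoded_len" -eq 42 ] || return 1
    [ "$(key_line "$1" | base64 -d 2>/dev/null | head -c 2)" = "Ed" ]
}

# Succeed only if two copies of the key, fetched over independent
# channels, carry the same key line (comment lines are ignored).
keys_agree() {
    key_a=$(key_line "$1")
    key_b=$(key_line "$2")
    [ -n "$key_a" ] && [ "$key_a" = "$key_b" ]
}

# usage: verify_image PUBKEY SECOND_COPY_OF_PUBKEY SIGFILE
# Run from the directory holding the .zip and .zip.sig files. The result
# comes from signify's exit status, not from the absence of output.
verify_image() {
    check_pubkey "$1" || { echo "not the expected key file: $1" >&2; return 2; }
    keys_agree "$1" "$2" || { echo "key copies differ" >&2; return 3; }
    command -v signify-openbsd >/dev/null 2>&1 ||
        { echo "signify-openbsd is not installed" >&2; return 4; }
    if signify-openbsd -Cqp "$1" -x "$3"; then
        echo "signature valid: $3"
    else
        echo "SIGNATURE CHECK FAILED: $3" >&2
        return 1
    fi
}

# Run the whole check when called with the three file arguments.
if [ "$#" -eq 3 ]; then
    verify_image "$@"
fi
```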