Verifying the Signature on GrapheneOS Images


On the GrapheneOS release page, download the appropriate image file and its signature. As of writing, the files for a Pixel 3a are:

sargo-factory-2020.06.02.02.zip
sargo-factory-2020.06.02.02.zip.sig

WARNING: You must use the files intended for your device; flashing files built for another device risks bricking the phone.

Now obtain the GrapheneOS public key, factory.pub, and verify that the file contains exactly

untrusted comment: GrapheneOS factory images public key
RWQZW9NItOuQYJ86EooQBxScfclrWiieJtAO9GpnfEjKbCO/3FriLGX3

and that it agrees with the copies published on GrapheneOS' GitHub account and their Twitter feed.

On Debian, Ubuntu or Linux Mint, install signify-openbsd if it is not already on your system:

$ sudo apt-get install signify-openbsd

Then, in a directory containing factory.pub, the .zip file and the .zip.sig file, run:

$ signify-openbsd -Cqp factory.pub -x sargo-factory-2020.06.02.02.zip.sig

If there is no output and the command exits with status 0, the signature is valid. The -q flag suppresses the success message, so any output at all (or a non-zero exit status) means verification failed and the image must not be flashed.
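As an added example (not part of the GrapheneOS page), the procedure above wrapped in a POSIX shell script: it pins the public key quoted earlier, checks that the .sig names the same key id as factory.pub (a signify blob is "Ed", an 8-byte key id, then the key or signature), and only then calls signify-openbsd. It assumes GNU coreutils (base64 -d, od, head -c), as on the Debian-based systems the page targets; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the GrapheneOS page: wrap the verification steps
# with a pinned key and a key-id cross-check before calling signify-openbsd.
# Assumes GNU coreutils (base64 -d, od, head -c), as on Debian/Ubuntu/Mint.
set -eu

# Key line from the page; pinning it catches a swapped or tampered factory.pub.
EXPECTED_KEY='RWQZW9NItOuQYJ86EooQBxScfclrWiieJtAO9GpnfEjKbCO/3FriLGX3'

# Line 2 of a signify .pub or .sig is base64 of: "Ed" || 8-byte key id || key or signature.
decode_blob() { sed -n '2p' "$1" | base64 -d; }

# Print the 2-byte algorithm tag ("Ed" for Ed25519).
algo() { decode_blob "$1" | head -c 2; }

# Print the 8-byte key id as lowercase hex (decoded bytes 3..10).
keynum() { decode_blob "$1" | head -c 10 | tail -c 8 | od -An -tx1 | tr -d ' \n'; }

# 0 if the key line in factory.pub is exactly the pinned key, 1 otherwise.
check_pinned_key() { [ "$(sed -n '2p' "$1")" = "$EXPECTED_KEY" ]; }

# 0 if both files use Ed25519 and the .sig names the same key id as the .pub.
check_key_id_match() {
    [ "$(algo "$1")" = "Ed" ] && [ "$(algo "$2")" = "Ed" ] &&
    [ "$(keynum "$1")" = "$(keynum "$2")" ]
}

# verify_image factory.pub image.zip.sig  (run in the directory holding the .zip)
verify_image() {
    check_pinned_key "$1" || { echo "factory.pub does not match the pinned key" >&2; return 1; }
    check_key_id_match "$1" "$2" || { echo "signature was not made with this key" >&2; return 1; }
    # -C: verify the signed SHA256 list embedded in the .sig and hash each file it
    # names; -q: print nothing on success, so any output or non-zero exit is a failure.
    signify-openbsd -Cqp "$1" -x "$2"
}
```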