.. title: Verifying the Signature on GrapheneOS Images
.. slug: verifying-the-signature-on-grapheneos-images
.. date: 2020-06-25 19:48:13 UTC
.. tags: GrapheneOS, Private Phone, Secure
.. category: Applied Cryptography
.. link:
.. description: This is a tutorial that will help you verify a GrapheneOS signature on popular Linux machines.
.. type: text
.. |GOSrelease| raw:: html
GrapheneOS release page
.. |factory.pub| raw:: html
GrapheneOS public key
.. |GOSGitHub| raw:: html
at GrapheneOS' GitHub account
.. |GOSTwitter| raw:: html
their twitter
On the |GOSrelease| download the appropriate file and signature. As of writing
the files for a Pixel 3a are
.. code-block:: bash
sargo-factory-2020.06.02.02.zip
sargo-factory-2020.06.02.02.zip.sig
**WARNING:** You must use the correct files for your
device or you risk bricking the phone.
Please use files intended for your device.
Now, obtain the |factory.pub|.
Next, verify the file contains
.. code-block:: bash
untrusted comment: GrapheneOS factory images public key
RWQZW9NItOuQYJ86EooQBxScfclrWiieJtAO9GpnfEjKbCO/3FriLGX3
and agrees with the copy |GOSGitHub| and |GOSTwitter|.
Now for Debian/Ubuntu/Linux Mint install signify-openbsd if it's
not on your system.
.. code-block:: shell
$ sudo apt-get install signify-openbsd
Then in a directory with `factory.pub`, the `.zip` and `.zip.sig` files type:
.. code-block:: shell
$ signify-openbsd -Cqp factory.pub -x sargo-factory-2020.06.02.02.zip.sig
If there is no output the signature is valid.