It's overly complex with far too much attack surface and has egregiously bad usability and security. It's only suitable for usage as a case study in how not to design and implement software. Rather than changing the instructions to work around GPG deficiencies, it won't be used.
GPG lacks a way to verify a file with a key. It forces usage of the awful keyring and trust model design. The instructions would need to create a temporary keyring to work around that, otherwise it will use other keys in the keyring and users can't be expected to verify output.
The instructions were also using --recv-keys to avoid needing separate steps for downloading and importing the key. GPG keyrings can apparently be bricked by importing adversarial public keys and public keyservers allow 3rd parties to add malicious data. GPG is obsolete garbage.
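The temporary-keyring workaround mentioned in the thread, as an added example that is not part of the original posts or of any project's instructions: it imports a single local key file into a throwaway GnuPG home directory and accepts the signature only if the machine-readable status output reports a good signature whose primary key fingerprint matches the expected one. The function names and their arguments are hypothetical.

```shell
#!/bin/sh
# Added example; function names and arguments are hypothetical.

# status_ok FPR: read `gpg --status-fd` output on stdin. Succeed only when a
# good signature is reported AND VALIDSIG names FPR as the primary key
# fingerprint (last field), with no bad/expired/revoked status present.
status_ok() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && $NF == want { valid = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && valid && !bad) }'
}

# verify_with_key KEYFILE FPR SIGFILE DATAFILE
# Imports one local key file into a throwaway homedir, so no other key in the
# user's keyring can satisfy the check and nothing is fetched from a keyserver.
# Returns 0 = verified, 1 = not verified, 2 = setup or import failure.
verify_with_key() {
    keyfile=$1 fpr=$2 sig=$3 data=$4
    tmp=$(mktemp -d) || return 2
    chmod 700 "$tmp"
    rc=2
    if gpg --homedir "$tmp" --batch --quiet --import "$keyfile" 2>/dev/null; then
        rc=1
        gpg --homedir "$tmp" --batch --status-fd 1 --verify "$sig" "$data" \
            2>/dev/null | status_ok "$fpr" && rc=0
    fi
    # Stop any helper daemons started for the temporary homedir, then discard it.
    gpgconf --homedir "$tmp" --kill all 2>/dev/null || true
    rm -rf "$tmp"
    return "$rc"
}
```

The check fails closed: a signature made by any key other than the one named by the fingerprint, or a status stream containing an expired, revoked or bad-signature line, is rejected without the user having to read GnuPG's human-readable output.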