GrapheneOS currently signs the zips used to perform the initial install with signify. These signatures are provided as a way to bootstrap trust via your existing OS.
Beyond that, we don't use signify. Signatures for update packages, images (verified boot) and apps are built-in.
Signify is a great fit but it isn't very portable. It isn't included in macOS or Windows. OpenSSH has file signing and verification via `ssh-keygen -Y` and we're likely going to be using it to take advantage of OpenSSH being included in macOS, Windows and nearly everywhere else.
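The `ssh-keygen -Y` signing and verification flow mentioned above, as an added example that is not GrapheneOS's own code or release process. The identity, namespace, file names and file contents are constructed for the demonstration, and the key is generated on the spot rather than being any real release key.

```shell
#!/bin/sh
# Constructed values throughout: identity, namespace, file names and contents.
IDENTITY="releases@example.org"   # assumed signer identity (principal)
NAMESPACE="file"                  # signature namespace both sides must agree on

# Publisher side: create an Ed25519 key in DIR, sign DIR/install.zip and
# write the allowed_signers file a user would obtain out of band.
make_signed_release() {
    dir=$1
    ssh-keygen -q -t ed25519 -N "" -C "$IDENTITY" -f "$dir/release_key" || return 1
    printf 'constructed release contents\n' > "$dir/install.zip"
    # Writes the detached signature to install.zip.sig
    ssh-keygen -Y sign -f "$dir/release_key" -n "$NAMESPACE" \
        "$dir/install.zip" >/dev/null 2>&1 || return 1
    # Line format: principal, options, key type, base64 public key.
    # namespaces= limits what this key is trusted to sign.
    printf '%s namespaces="%s" %s\n' "$IDENTITY" "$NAMESPACE" \
        "$(cut -d' ' -f1,2 "$dir/release_key.pub")" > "$dir/allowed_signers"
}

# User side: exit status 0 only if FILE.sig is a valid signature over FILE,
# made for namespace NS by a key listed for IDENTITY in SIGNERS.
verify_release() {
    signers=$1; ns=$2; file=$3
    ssh-keygen -Y verify -f "$signers" -I "$IDENTITY" -n "$ns" \
        -s "$file.sig" < "$file" >/dev/null 2>&1
}

work=$(mktemp -d)
make_signed_release "$work"

# A modified file paired with the original signature must not verify.
printf 'constructed release contents, modified\n' > "$work/tampered.zip"
cp "$work/install.zip.sig" "$work/tampered.zip.sig"

verify_release "$work/allowed_signers" "$NAMESPACE" "$work/install.zip" \
    && echo "install.zip: good signature"
verify_release "$work/allowed_signers" "$NAMESPACE" "$work/tampered.zip" \
    || echo "tampered.zip: rejected"
# A signature made for one namespace is not accepted for another.
verify_release "$work/allowed_signers" "git" "$work/install.zip" \
    || echo "wrong namespace: rejected"
```

The trust anchor is the `allowed_signers` file, so the verification is only as strong as the channel the public key was obtained through.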
