From 1a119d5e5340ee7bd77a7d6bbe215ad669a7a7bc Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sun, 30 Jun 2019 04:09:25 -0400
Subject: [PATCH] switch from GPG to signify for factory images

---
 static/install.html  | 19 +++++++++++++++----
 static/releases.html |  2 +-
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/static/install.html b/static/install.html
index 16cf3638..a6cd1f5b 100644
--- a/static/install.html
+++ b/static/install.html
@@ -47,6 +47,12 @@
             <p>You should have at least 2GB of free memory available.</p>
             <p>You need the unlocked variant of one of the supported devices, not a locked carrier
             specific variant.</p>
+            <p>To verify the download of the OS beyond the security offered by HTTPS, you need the
+            signify tool. Some package repositories refer to it as <code>signify</code> while
+            others refer to it as <code>signify-openbsd</code> due to a legacy mail-related tool
+            with the same name. If you don't have a way to obtain signify from a trusted package
+            repository, such as on Windows, skip the additional verification. This is an important
+            step, but it only makes sense if you can chain trust from your existing OS install.</p>
             <p>It's best practice to update the stock OS on the device to make sure it's running
             the latest firmware before proceeding with these instructions. This avoids running
             into bugs in older firmware versions. It's known that the early Pixel 2 and Pixel 2 XL
@@ -88,10 +94,15 @@
             </h2>
             <p>The initial install will be performed by flashing the factory images. This will
             replace the existing OS installation and wipe all the existing data.</p>
-            <p>You can download the factory images from <a href="/releases">the releases page</a>.</p>
-            <p>Verify the official factory images using the GPG signature:</p>
-            <pre>gpg --recv-keys 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A
-gpg --verify blueline-factory-2019.04.01.19.zip.sig blueline-factory-2019.04.01.19.zip</pre>
+            <p>Download <a href="https://releases.grapheneos.org/factory.pub">the factory images
+            public key (factory.pub)</a> in order to verify the factory images.</p>
+            <p>This is the content of <code>factory.pub</code>:</p>
+            <pre>untrusted comment: GrapheneOS factory images public key
+RWQZW9NItOuQYJ86EooQBxScfclrWiieJtAO9GpnfEjKbCO/3FriLGX3</pre>
+            <p>Download the factory images for the device from <a href="/releases">the releases
+            page</a>.</p>
+            <p>Verify the factory images using the signature:</p>
+            <pre>signify -V -p factory.pub crosshatch-factory-2019.06.23.05.zip</pre>
             <p>When this signing key is replaced, the new key will be signed with it.</p>
             <h2 id="flashing-factory-images">
                 <a href="#flashing-factory-images">Flashing factory images</a>
diff --git a/static/releases.html b/static/releases.html
index f329c83a..1b65079b 100644
--- a/static/releases.html
+++ b/static/releases.html
@@ -44,7 +44,7 @@
             <p>These releases are available as both tags in the source code repositories and
             official builds.</p>
             <p>The factory images are used for the initial installation and can be verified with
-            GPG. See the <a href="/install">installation guide</a> for details.</p>
+            signify. See the <a href="/install">installation guide</a> for details.</p>
             <p>GrapheneOS uses automatic over-the-air updates, but full update packages are listed
             below for uncommon use cases like never connecting the device to the internet. A full
             update package can upgrade from any past version to the new version. The over-the-air