diff --git a/static/build.html b/static/build.html index 9dbc2518..99f07b9e 100644 --- a/static/build.html +++ b/static/build.html @@ -261,8 +261,11 @@
The signify
tool (with the proper naming) is also required for signing
- factory images zips.
Additional dependencies for signing factory images releases:
+ +Generate a signify key for signing factory images:
-signify -G -n -p keys/raven/factory.pub -s keys/raven/factory.sec+
ssh-keygen -t ed25519 -f keys/raven/id_ed25519-
Remove the -n
switch to set a passphrase. The signify
- tool doesn't provide a way to change the passphrase without generating a new key, so
- this is currently handled separately from encrypting the other keys and there will be
- a separate prompt for the passphrase. In the future, expect this to be handled by the
- same scripts along with the expectation of it using the same passphrase as the other
- keys.
The passphrase for the SSH key should also match the other keys, although we + don't currently handle it automatically in the encrypt/decrypt scripts.
The command-line approach offers a way to install GrapheneOS without trusting our server infrastructure. This requires being on an OS with proper fastboot and - signify packages along with understanding the process enough to avoid blindly + OpenSSH packages along with understanding the process enough to avoid blindly trusting the instructions from our site. For most users, the web-based installation approach is no less secure and avoids needing any software beyond a browser with WebUSB support.
diff --git a/static/install/cli.html b/static/install/cli.html index 1be722fc..dfd44ee1 100644 --- a/static/install/cli.html +++ b/static/install/cli.html @@ -74,7 +74,7 @@On the supported Linux distributions, the signify tool is used to verify the - download of the OS beyond the security offered by HTTPS. You should skip this on - macOS and Windows. It only makes sense to do this if you can obtain signify from - the distribution package repositories. GrapheneOS releases are hosted on our - servers and we do not have third party mirrors.
+On the supported Linux distributions, OpenSSH is used to verify the download of + the OS beyond the security offered by HTTPS. You should skip this on macOS and + Windows. It only makes sense to do this if you can obtain OpenSSH from the + distribution package repositories. GrapheneOS releases are hosted on our servers and + we do not have third party mirrors.
On Arch Linux:
-sudo pacman -S signify+
sudo pacman -S openssh
On Debian and Ubuntu:
-sudo apt install signify-openbsd -alias signify=signify-openbsd- -
On Debian-based distributions, the signify
package and command are an
- unmaintained mail-related
- tool for generating mail signatures (not cryptographic signatures). Make sure
- to install signify-openbsd
.
sudo apt install openssh-client
curl
.
- Download the factory images - public key (factory.pub) in order to verify the factory images:
+Download the factory images + public key (allowed_signers) in order to verify the factory images:
-curl -O https://releases.grapheneos.org/factory.pub+
curl -O https://releases.grapheneos.org/allowed_signers-
This is the content of factory.pub
:
This is the content of allowed_signers
:
untrusted comment: GrapheneOS factory images public key -RWQZW9NItOuQYJ86EooQBxScfclrWiieJtAO9GpnfEjKbCO/3FriLGX3+
contact@grapheneos.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUg/m5CoP83b0rfSCzYSVA4cw4ir49io5GPoxbgxdJE-
The public key has also been published via the official - @GrapheneOS Twitter - account, - the /u/GrapheneOS - Reddit account and is available on GitHub. - When the current signing key is replaced, the new key will be signed with it.
+Other locations to obtain the signing key:
+ + + +The current public key is signed with the previous signify key. If you already + have the previous signify public key (factory.pub) and want to verify the new key + with it:
+ +curl -O https://releases.grapheneos.org/allowed_signers.sig +signify -V -m allowed_signers -x allowed_signers.sig -p factory.pub+ +
When the current signing key is replaced, the new key will be signed with it.
Download the factory images for the device from the releases page. For example, to download the 2021110122 release for a device with the @@ -429,14 +432,15 @@ RWQZW9NItOuQYJ86EooQBxScfclrWiieJtAO9GpnfEjKbCO/3FriLGX3
curl -O https://releases.grapheneos.org/DEVICE_NAME-factory-2021110122.zip curl -O https://releases.grapheneos.org/DEVICE_NAME-factory-2021110122.zip.sig-
Verify the factory images using the signature if you were able to obtain
- signify
from trusted package repositories (see above), otherwise
- continue on to the next section without this:
Verify the factory images using the signature if you were able to obtain OpenSSH + from trusted package repositories (see above), otherwise continue on to the next + section without this:
-signify -Cqp factory.pub -x DEVICE_NAME-factory-2021110122.zip.sig && echo verified+
ssh-keygen -Y verify -f allowed_signers -I contact@grapheneos.org -n "factory images" -s DEVICE_NAME-factory-2021110122.zip.sig < DEVICE_NAME-factory-2021110122.zip-
This will output verified
if verification is successful. If something
- goes wrong, it will output an error message rather than verified
.
This will producing the following output when successful:
+ +Good "factory images" signature for contact@grapheneos.org with ED25519 key SHA256:AhgHif0mei+9aNyKLfMZBh2yptHdw/aN7Tlh/j2eFwM
The command-line approach offers a way to install GrapheneOS without trusting our - server infrastructure. This requires being on an OS with proper fastboot and signify + server infrastructure. This requires being on an OS with proper fastboot and OpenSSH packages along with understanding the process enough to avoid blindly trusting the instructions from our site. For most users, the web-based installation approach is no less secure and avoids needing any software beyond a browser with WebUSB support.
diff --git a/static/js/redirect.js b/static/js/redirect.js index d1818ec0..ea52892a 100644 --- a/static/js/redirect.js +++ b/static/js/redirect.js @@ -28,6 +28,8 @@ const redirects = new Map([ ["/build#enabling-updatable-apex-components", "/build#apex-components"], + ["/install/cli#obtaining-signify", "/install/cli#obtaining-openssh"], + // legacy devices ["/releases#marlin-stable", "/faq#legacy-devices"], ["/releases#marlin-beta", "/faq#legacy-devices"],
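Review bot: In static/build.html, the added lead-in still reads "Generate a signify key for signing factory images:" although the command under it is now `ssh-keygen -t ed25519 -f keys/raven/id_ed25519`, so it should say an SSH (Ed25519) key is generated. The unchanged sentence just above, "The signify tool (with the proper naming) is also required for signing", looks stale for the same reason and is worth checking. The removed text explained that dropping `-n` sets a passphrase. The new paragraph says the passphrase should match the other keys but not how it is set, so add a sentence noting that `ssh-keygen` prompts for it when the key is generated.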
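Review bot: In the key download section of static/install/cli.html, the added step `signify -V -m allowed_signers -x allowed_signers.sig -p factory.pub` depends on signify, but this patch also removes the signify install commands and the warning that on Debian-based distributions the `signify` package is an unrelated mail tool and `signify-openbsd` is the one needed. A reader with the old factory.pub who follows this step on Debian or Ubuntu has nothing left on the page telling them which package to install. Keep a one-line pointer next to the command, for example that it needs `signify-openbsd` there. The bullet list under "Other locations to obtain the signing key:" is also not visible here, so confirm it still carries the locations that the removed paragraph named.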
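Review bot: In the verification hunk of static/install/cli.html (@@ -429,14 +432,15 @@), "This will producing the following output when successful:" should read "This will produce". The replacement also documents only the success case, where the removed text said an error message would be printed instead of `verified`. Add the equivalent sentence for `ssh-keygen -Y verify`: on failure it prints an error and exits non-zero instead of printing the `Good "factory images" signature` line. Since the sample output includes the key fingerprint `SHA256:AhgHif0mei+9aNyKLfMZBh2yptHdw/aN7Tlh/j2eFwM`, it would help to tell readers to compare it against what they see. `-Y verify` is missing from older OpenSSH releases, so the "Obtaining OpenSSH" text could state the minimum version.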
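Review bot: In static/js/redirect.js, the new target `/install/cli#obtaining-openssh` only works if the heading id in static/install/cli.html was renamed to match, and that rename is not visible in the cli.html hunks as rendered here. Confirm the id is `obtaining-openssh`, and check that no internal link still points at `#obtaining-signify`. The entry also sits in the group of `/build#...` redirects, so a short comment or moving it beside other `/install` entries would keep the map easier to scan.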