diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index f991e795..84c85283 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -298,6 +298,10 @@ http {
try_files $uri.html =404;
}
+ location = /allowed_signers {}
+ location = /allowed_signers.sig {}
+ location = /allowed_signers.asc {}
+
location = /favicon.ico {
if ($http_accept ~ "image/svg\+xml") {
rewrite ^ /favicon.svg last;
diff --git a/static/allowed_signers b/static/allowed_signers
new file mode 100644
index 00000000..cf6fad9e
--- /dev/null
+++ b/static/allowed_signers
@@ -0,0 +1 @@
+daniel.micay@grapheneos.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUg/m5CoP83b0rfSCzYSVA4cw4ir49io5GPoxbgxdJE
diff --git a/static/allowed_signers.asc b/static/allowed_signers.asc
new file mode 100644
index 00000000..3e845c58
--- /dev/null
+++ b/static/allowed_signers.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEZe7+AiEI4rcIy/z3+ecS5Zr18ioFAmO2c1QACgkQ+ecS5Zr1
+8iodbQ/9GdR5FVChX8KFWJ95sX/PeAHXkR8yCaYN5c/LwDxfZ1Hz3ZGdrIHOVscV
++NohU6ziUNK4Jkqbk//LhSGeQSqdgB8g1eQW+DkrBNEn9aGFUACSGVeS/PNDIfrz
++iMLRdTgpY/PM4Ln2u+lTYXOFwqalPtf+bBh+hxiLnm0Kilqgb8oBp5kJzeaobVM
+N1rS3Vj6YPrS5ywlYNI/bjY8jzPihCcRXSKz++o1WOW2i2l3EyG23z9RMIPDrfWj
+yw9rty/5YEAwX9/Hdx3x/WpzbinNRvYNYZwG8t6o+dQdZYvlAozPDVPz+8GsGZ5y
+yBkDAzmmVCedBHy29K++NjgrFetkI+kUaOUuJ/u+5O3DV6WFQa0OMKCLehxCeE5v
+bEhc83hnTuuoD5cnOWwaPgpA5g+tNCyjWl+0ySTW9zucEORIkNrfrilv6rKK0dtq
+0y1mId6/n7Zgc2KXpGhFghsaP+Bg9ILo7STk/zlAlD5Gh9Vwniw7T9LApPQAEjpD
+a2TLjeotP0+WQT0hckB9rGTMZGLNCUh5ct2NVqNOgdsoUAOwmC/FivaeKvSTj8GD
+0zcLwv3M6qRZJyKCQGBKb1nq11JpzpkJ41qMIRAOu1dO1vmcaApe7O59Y6LxseY7
+lLfotHx4bKCzosVBJyyXbsGZkdnbnIHI4SQLXGlnPtWE82qYkVc=
+=ybyF
+-----END PGP SIGNATURE-----
diff --git a/static/allowed_signers.sig b/static/allowed_signers.sig
new file mode 100644
index 00000000..4792799b
--- /dev/null
+++ b/static/allowed_signers.sig
@@ -0,0 +1,2 @@
+untrusted comment: verify with factory.pub
+RWQZW9NItOuQYA+Rim+poiDbYOb1fwiBP5iNXqWc62wc1d/blJH3GwosSRLN77WE51WT0GhHOru1gRwcgf4AWVzWnn20I28X5QY=
diff --git a/static/build.html b/static/build.html
index a56bb14e..752b2934 100644
--- a/static/build.html
+++ b/static/build.html
@@ -351,10 +351,18 @@ repo sync -j16
cd grapheneos-TAG_NAME
repo init -u https://github.com/GrapheneOS/platform_manifest.git -b refs/tags/TAG_NAME
+ Obtain GPG public key for verifying tags before 2023-01-05:
+
+ gpg --recv-keys 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A
+
+ Obtain SSH public key for verifying tags after 2023-01-05:
+
+ curl https://grapheneos.org/allowed_signers > ~/.ssh/grapheneos_allowed_signers
+
Verify the manifest:
- gpg --recv-keys 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A
-cd .repo/manifests
+cd .repo/manifests
+git config gpg.ssh.allowedSignersFile ~/.ssh/grapheneos_allowed_signers
git verify-tag $(git describe)
cd ../..