Signature verification instructions for Ghaf 25.12.1

  1. Download the target artifact you want from the release page (here represented as archive.tar)
  2. Download the binary signing key (GhafInfraSignECP256.pub)
  3. Navigate to where the tar file is.
  4. Extract the archive into a folder and enter it:
tar -xf archive.tar
cd archive
  5. Locate the image file. Note that for some targets it is located in the sd-image/ or build/ directory. The signature file is in the scs/, scs/sd-image/ or scs/iso/ directory.

  6. Run the following openssl command with the correct paths of the public key, signature and image:

openssl dgst -verify \
    GhafInfraSignECP256.pub \
    -signature disk1.raw.zst.sig \
    disk1.raw.zst
  7. You should see the following message upon successful signature verification:
Verified OK
  8. The provenance file is verified with a different openssl command. Note that the public key used is also different (GhafInfraSignProv.pub). The provenance file and its signature are located in the scs/ directory.
openssl pkeyutl -verify \
    -inkey GhafInfraSignProv.pub -pubin \
    -sigfile provenance.json.sig \
    -in provenance.json -rawin
Signature Verified Successfully