Signature verification instructions

Ghaf 26.02.1 ->


  1. Download the target artifact you want from the release page (here represented as archive.tar).
  2. Navigate to the directory that contains the tar file.
  3. Extract the archive into a folder and enter it:

         tar -xf archive.tar
         cd archive

  4. Locate the image file. Note that for some targets it is located in the sd-image/ or build/ directory. The signature file is in the scs/, scs/sd-image/ or scs/iso/ directory.

  5. Run the verification script from ghaf-infra. This script uses the correct public keys, which are stored in and pulled from ghaf-infra-pki:

         nix run github:tiiuae/ghaf-infra/669e944#verify-signature -- \
             image disk1.raw.zst disk1.raw.zst.sig

  6. You should see the following message upon successful signature verification:

         Verified OK

  7. The provenance file is verified with the same script, but using the provenance mode. The provenance and signature files are located in the scs/ directory:

         nix run github:tiiuae/ghaf-infra/669e944#verify-signature -- \
             provenance provenance.json provenance.json.sig

     Expected output:

         Signature Verified Successfully
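
The steps above, wrapped in a script that pairs every signature under scs/ with its image before calling the verifier. This is an added example, not part of ghaf-infra: it assumes a signature is named after its image with a .sig suffix (as in the disk1.raw.zst example) and that the verifier exits non-zero on failure, and find_image_pairs and verify_archive are names made up here.

```shell
#!/bin/sh
# Added example, not part of ghaf-infra. Assumptions: a signature is named
# <image file name>.sig (as with disk1.raw.zst / disk1.raw.zst.sig above), and
# the verification script exits non-zero when verification fails.
VERIFY='github:tiiuae/ghaf-infra/669e944#verify-signature'  # from the steps above

# Print "image<TAB>signature" for each image signature under scs/.
# Returns 1 if any signature has no image, or more than one candidate.
find_image_pairs() {
    root=${1%/}
    status=0
    sigs=$(find "$root/scs" -type f -name '*.sig' | sort)
    while IFS= read -r sig; do
        [ -n "$sig" ] || continue
        name=$(basename "$sig" .sig)
        [ "$name" = provenance.json ] && continue   # handled in provenance mode
        # Look for the image anywhere in the archive except scs/.
        matches=$(find "$root" -path "$root/scs" -prune -o -type f -name "$name" -print)
        count=$(printf '%s\n' "$matches" | grep -c . || true)
        if [ "$count" -ne 1 ]; then
            echo "expected exactly one image for $sig, found $count" >&2
            status=1
            continue
        fi
        printf '%s\t%s\n' "$matches" "$sig"
    done <<EOF
$sigs
EOF
    return "$status"
}

# Verify every image, then the provenance file; stop at the first failure.
verify_archive() {
    root=${1%/}
    pairs=$(find_image_pairs "$root") || return 1
    [ -n "$pairs" ] || { echo "no image signature under $root/scs" >&2; return 1; }
    tab=$(printf '\t')
    while IFS=$tab read -r img sig; do
        nix run "$VERIFY" -- image "$img" "$sig" </dev/null || return 1
    done <<EOF
$pairs
EOF
    nix run "$VERIFY" -- provenance \
        "$root/scs/provenance.json" "$root/scs/provenance.json.sig"
}

# Usage: sh verify-archive.sh ./archive
if [ "$#" -gt 0 ]; then verify_archive "$1"; fi
```

A signature with no matching image, or with several candidates, is reported and makes the run fail before any verification starts, so a misplaced file is not silently skipped.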