CalyxOS

Verifying CalyxOS builds

Factory images

Verification

minisign -Vm sunfish-factory-2.7.1.zip -p minisign.pub
# sunfish is Pixel 4a, replace with your device

It should output:

Signature and comment signature verified
Trusted comment: CalyxOS 2.7.1 - July 2021


Additional verification
gpg --verify minisign.pub.sig minisign.pub

It should output:

gpg: Signature made Sat 10 Jul 2021 05:15:55 AM IST
gpg:                using RSA key BC2CB9C4993C086FFDAD8D205905C9C74693488B
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: Good signature from "Nicholas Merrill <nick@calyx.com>" [unknown]
gpg:                 aka "Nicholas Merrill <nick@calyx.net>" [unknown]
gpg:                 aka "Nicholas Merrill <nick@calyxinstitute.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BC2C B9C4 993C 086F FDAD  8D20 5905 C9C7 4693 488B

Checksums

Linux
sha256sum sunfish-factory-2.7.1.zip
# sunfish is Pixel 4a, replace with your device

It should output:

dddb62c9b68bf68e210db2e05181b55baf50a509f4533ea69409bdbf5c5009b9  sunfish-factory-2.7.1.zip


macOS
shasum -a 256 sunfish-factory-2.7.1.zip
# sunfish is Pixel 4a, replace with your device

It should output:

dddb62c9b68bf68e210db2e05181b55baf50a509f4533ea69409bdbf5c5009b9  sunfish-factory-2.7.1.zip


Windows
certUtil -hashfile sunfish-factory-2.7.1.zip 256
# sunfish is Pixel 4a, replace with your device

It should output:

SHA256 hash of sunfish-factory-2.7.1.zip:
dddb62c9b68bf68e210db2e05181b55baf50a509f4533ea69409bdbf5c5009b9
CertUtil: -hashfile command completed successfully.


Mirrors

Hint: You can press t on these pages to quick jump to a filename (e.g. sunfish-factory-2.7.1)