The official CalyxOS builds are signed with our private keys. Over-the-air (OTA) updates are also signed with the same keys, and once you install the OS, only updates signed with the same key can be installed.

The builds are made from signed git tags.

Starting July 2021, all CalyxOS factory images will be signed using minisign

Why minisign? It’s dead simple, easy to use, works well with large files, and can be easily integrated with device-flasher (which will be done in a future update)

Signatures:

You can now see a new Signature column next to the download link at Get CalyxOS

You need to download both the factory zip, and the signature file (.minisig) You’ll also need the public key, minisign.pub

Then, the signature can be verified by running:

minisign -Vm sunfish-factory-2.7.1.zip -p minisign.pub
# sunfish is Pixel 4a, replace with your device

It should output:

Signature and comment signature verified
Trusted comment: CalyxOS 2.7.1 - July 2021

For more detailed instructions, see Verifying CalyxOS builds