Verify build signatures

I want to install /e/os on a supported device. I can verify the file hash, but would also like to verify it was built by someone in possession of the maintainer's private key. Is it possible to get a signed build?

All “official” and “community” builds are signed by the e.foundation keys.

“unofficial” builds are signed with public keys or with the keys of the builder.

1 Like

That’s nice! Could you point me to a trustworthy location to obtain the e.foundation keys, and maybe add that to the official installation guide or the download page?

I think these keys are private.
The goal is that the OTA build's signature must match the recovery-e signature.

But there should be a public key available for checking.

LineageOS provides an ‘update verifier’ utility (in Python) which checks that a build is signed with a private key that matches their public key: See GitHub - LineageOS/update_verifier · GitHub .

If /e/ made their public key available, I think that utility could be used to check /e/OS builds.

Very little point in signing builds if there’s no way to verify the signature :slight_smile:

1 Like

Lineage offers even an online verifier besides the offline python util - LineageOS Downloads

You can use the Python util and save the pubkey at Signature Files for /e/OS builds - #3 by tcecyk (or extract it yourself) to a file and run it against /e/OS images.

python3 update_verifier.py pubkey /path/to/e-3.7-a15-codename.zip

(something I’d wish for is posting the hashes of images built in the past online. From an official https website it provides authenticity and is slightly easier to verify)

Thank you for your reply! I tried the verifier script before posting here. The image I downloaded from /e/OS official FP5 download does not verify with the signature you gave. Apparently, its “Footer has wrong magic” which iiuc means that it was not signed at all. I can verify lineageOS builds with it just fine. Any more tips?

As a “Request a feature” this has common ground with a reported comment from Finon (short abstract below) in [LIST] Banking Apps on /e/OS - #880 by xipe.

  1. The Comparison: For example, operating systems like GrapheneOS publish an official, up-to-date list of these verified boot key fingerprints for each device and build. This allows developers like us to safely verify and support those devices.
  2. The Current Issue: Unfortunately, the developers of /e/OS do not currently publish an official list of these verified boot key fingerprints.
1 Like

@meowmoew - get the pubkey from otacerts of the official build. It should be a different one to community (my link)

1 Like

I’m sorry, I don’t know what you mean. In the other thread, someone said

/e/OS release pubkey can also be found in the downloadable .zip under /your-eOS-ROM/META-INF/com/android/otacert

but the image zip file I downloaded does not contain that file. Also, it seems incorrect to verify the signature of a file using a “public” key that shipped with the file itself?

This is the pubkey from the official ota cert (vs the community otacert):

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs11wvsAcpyR0PzczDldf
RGruTEUqgdTkF+0fr0idTXf/5NHLzFM4YPf9Gb844DShWEoUwHBk2wfvu/qQrZ0G
xTd8tzwAsHWUgGJ5SK5/gvP+wm1tSjlSnBC8jZNOsHXCabpbqOcoerTKOt1Acq0x
rUvJxO1UVOA1VgIllyJPKP7uiCEKgKncYPoQkO3jKyr+JYF5J53XRKH5sdDUmvmM
PwmYKroH4jjLC5G+tRh8RtOcGwZmu3ZqaLGruirQPv27ilKV6I+0yV+aQrOhYcTj
X6rMpeiBbDjLFS47bq7TeWL+5A9k6fAT7GPhj+qi1RlXsuwwqnaOoJYQzzoFiAuo
4QIDAQAB
-----END PUBLIC KEY-----
openssl x509 -in releasekey.x509.pem -noout -pubkey -outform DER | openssl sha256 -c
SHA2-256(stdin)= 1b:6c:22:23:f1:44:3a:2a:aa:16:d2:42:11:dd:3b:04:1e:34:6d:5f:9d:14:38:99:59:8d:74:af:54:b5:a7:84
python3 update_verifier.py eelo_pubkey_official e-3.7.3-a15-20260506618655-official-FP6.zip
verified successfully

It would be convenient for murena to just publish the certificate fingerprint (like lineage did before that script/pubkey repo) or the full cert (to extract the pubkey).

But at what point will you trust the pubkey? You can extract it from a handful of different images over the years, and verify against a dozen other images from the official OTA source. Other users can post their cert fingerprint etc. It’s the same key that has been in use for years.

I can not verify the image I downloaded with your (or any) key, the verifier says “AssertionError: Footer has wrong magic”. I have not read its source code but from what I understand it means the image is not signed at all?

The Python script expects an OTA image (what the updater provides at https://ota.ecloud.global/api/v1/FP6/official/).

I don’t think factory-flash style IMG-..zip do have signature footers.

1 Like
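The two checks this thread turns on, as an added example that is not code from the forum, from /e/ or from the LineageOS update_verifier project: (1) the 6-byte trailer that signapk appends to a signed OTA zip, whose absence is what produces the “Footer has wrong magic” assertion on a factory-flash IMG zip, and (2) the SHA-256 fingerprint of the public key posted above, computed over the same DER SubjectPublicKeyInfo bytes that the `openssl x509 -pubkey -outform DER | openssl sha256 -c` pipeline hashes. The sample zips are constructed in memory; the “signed” one only mimics the footer framing with a placeholder blob and carries no real signature, so it shows the layout, not a verification.

```python
"""Added example: inspect the Android OTA signature footer and fingerprint a PEM key.

Not code from the forum thread, /e/ or LineageOS; the zip samples are constructed here.
"""
import base64
import hashlib
import io
import struct
import zipfile

# Public key exactly as posted in the thread (official /e/OS otacert).
E_OFFICIAL_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs11wvsAcpyR0PzczDldf
RGruTEUqgdTkF+0fr0idTXf/5NHLzFM4YPf9Gb844DShWEoUwHBk2wfvu/qQrZ0G
xTd8tzwAsHWUgGJ5SK5/gvP+wm1tSjlSnBC8jZNOsHXCabpbqOcoerTKOt1Acq0x
rUvJxO1UVOA1VgIllyJPKP7uiCEKgKncYPoQkO3jKyr+JYF5J53XRKH5sdDUmvmM
PwmYKroH4jjLC5G+tRh8RtOcGwZmu3ZqaLGruirQPv27ilKV6I+0yV+aQrOhYcTj
X6rMpeiBbDjLFS47bq7TeWL+5A9k6fAT7GPhj+qi1RlXsuwwqnaOoJYQzzoFiAuo
4QIDAQAB
-----END PUBLIC KEY-----"""


def decode_pem_public_key(pem: str) -> bytes:
    """Return the DER SubjectPublicKeyInfo carried by a PEM 'PUBLIC KEY' block."""
    body = "".join(line.strip() for line in pem.strip().splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body)


def spki_sha256_fingerprint(pem: str) -> str:
    """Colon-separated SHA-256 of the DER SPKI, comparable with the posted
    `openssl ... -outform DER | openssl sha256 -c` output."""
    digest = hashlib.sha256(decode_pem_public_key(pem)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_ota_footer(zip_bytes: bytes):
    """Parse the trailing 6-byte footer a signed OTA zip ends with.

    Layout (little-endian): sig_start(2) | 0xFF 0xFF | comment_size(2).
    sig_start is the distance from end-of-file back to the signature blob.
    Returns None when the 0xFFFF magic is missing, i.e. the zip has no
    whole-file signature (the case behind "Footer has wrong magic").
    """
    if len(zip_bytes) < 6:
        return None
    sig_start, magic, comment_size = struct.unpack("<HHH", zip_bytes[-6:])
    if magic != 0xFFFF:
        return None
    # Sanity: the signature must lie inside the zip comment, which must fit the file.
    if not (6 <= sig_start <= comment_size <= len(zip_bytes)):
        return None
    return {"signature_start": sig_start, "comment_size": comment_size}


def _zip_with_comment(comment: bytes) -> bytes:
    """Build a tiny zip in memory with the given archive comment (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/com/android/metadata", "post-build=constructed-sample\n")
        zf.comment = comment
    return buf.getvalue()


def build_unsigned_zip() -> bytes:
    """A plain zip, like a factory-flash IMG zip: no comment, no footer."""
    return _zip_with_comment(b"")


def build_footer_zip() -> bytes:
    """Constructed zip whose comment mimics signapk framing: a text marker,
    a placeholder 'signature' blob, then the 6-byte footer. Not a real signature."""
    marker = b"signed by SignApk\0"          # assumed marker text, 18 bytes
    fake_sig = b"\x30\x03\x02\x01\x01"       # placeholder DER, not PKCS#7
    sig_start = len(fake_sig) + 6            # blob plus footer, measured from EOF
    comment_size = len(marker) + sig_start
    footer = struct.pack("<HHH", sig_start, 0xFFFF, comment_size)
    return _zip_with_comment(marker + fake_sig + footer)


if __name__ == "__main__":
    print("SPKI SHA-256:", spki_sha256_fingerprint(E_OFFICIAL_PUBKEY_PEM))
    print("factory-style zip footer:", parse_ota_footer(build_unsigned_zip()))
    print("OTA-style zip footer:    ", parse_ota_footer(build_footer_zip()))
```

Running it prints the fingerprint of the posted key for side-by-side comparison with the value quoted in the thread, and shows that the factory-style zip yields no footer while the OTA-style one does; a footer that parses is only the precondition for verification, the actual signature check still needs the verifier and the trusted public key.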