Why is it that the GrapheneOS (Android ROM) project crypographically signs their releases with signify instead of PGP?
The install documentation for GrapheneOS instructs the user to install the signify-openbsd project from apt and use it with the official GrapheneOS release signing public key to verify the authenticity of their releases.
Most software projects use PGP to sign their releases.
Why does GrapheneOS use signify?
Daniel Micay (Lead developer of GrapheneOS) decided to use signify instead of gpg because of many issues associated with gpg and the OpenPGP standard, including:
gpg is very hard to usesignify is far simpler than the OpenPGP spec; it's less vulnerable to (keychain) exploits, the code is shorter, and has a lower attack surfacegpg implementation bugs permitting DOS attacks on keyrings are long-standing and not being addressed in a timely manner by its developers
It's overly complex with far too much attack surface and has egregiously bad usability and security. It's only suitable for usage as a case study in how not to design and implement software. Rather than changing the instructions to work around GPG deficiencies, it won't be used.
Source: https://twitter.com/DanielMicay/status/1145264664315604992
It's a systemic issue, not a specific problem. GPG is vulnerable to a severe denial of service (permanently bricking the keyring) when importing public keys through multiple weaknesses. The public keyservers make the situation worse, but the issues with the GPG implementation are still relevant even without keyservers.
GPG also has a lot more wrong with it than this. I've been phasing it out over time for my own usage and had previously talked about my plans to phase it out for GrapheneOS too. OpenPGP is a overly complex and poorly designed legacy standard, and GPG is a low quality implementation of it.
The thing that finally pushed me to prioritize fixing this was the terrible responses of the GPG developers to the issue summarized well by Hanno Böck: https://twitter.com/hanno/status/1145597144373575680.
Look through my recent tweets / replies and retweets about GPG, or my previous threads about it in May.
Source: https://www.reddit.com/r/GrapheneOS/comments/c7gb3f/grapheneos_factory_images_are_now_signed_with/
These are the opinions of Daniel, not my own. Of course I think signing with PGP is better than not signing at all (or where signature verification requires you to use a tool that cannot itself be obtained securely), which is the absurd reality of most Android ROMs.
Q & A