move to OpenSSH signing for factory images

static/install/cli.html

@@ -74,7 +74,7 @@ <h2><a href="#table-of-contents">Table of contents</a></h2>
                     <li><a href="#booting-into-the-bootloader-interface">Booting into the bootloader interface</a></li>
                     <li><a href="#connecting-device">Connecting the device</a></li>
                     <li><a href="#unlocking-the-bootloader">Unlocking the bootloader</a></li>
-                    <li><a href="#obtaining-signify">Obtaining signify</a></li>
+                    <li><a href="#obtaining-openssh">Obtaining OpenSSH</a></li>
                     <li><a href="#obtaining-factory-images">Obtaining factory images</a></li>
                     <li>
                         <a href="#flashing-factory-images">Flashing factory images</a>
@@ -370,28 +370,22 @@ <h2><a href="#unlocking-the-bootloader">Unlocking the bootloader</a></h2>
                 to confirm.</p>
             </section>
 
-            <section id="obtaining-signify">
-                <h2><a href="#obtaining-signify">Obtaining signify</a></h2>
+            <section id="obtaining-openssh">
+                <h2><a href="#obtaining-openssh">Obtaining openssh</a></h2>
 
-                <p>On the supported Linux distributions, the signify tool is used to verify the
+                <p>On the supported Linux distributions, the OpenSSH tool is used to verify the
                 download of the OS beyond the security offered by HTTPS. You should skip this on
-                macOS and Windows. It only makes sense to do this if you can obtain signify from
+                macOS and Windows. It only makes sense to do this if you can obtain OpenSSH from
                 the distribution package repositories. GrapheneOS releases are hosted on our
                 servers and we do not have third party mirrors.</p>
 
                 <p>On Arch Linux:</p>
 
-                <pre>sudo pacman -S signify</pre>
+                <pre>sudo pacman -S openssh</pre>
 
                 <p>On Debian and Ubuntu:</p>
 
-                <pre>sudo apt install signify-openbsd
-alias signify=signify-openbsd</pre>
-
-                <p>On Debian-based distributions, the <code>signify</code> package and command are an
-                <a href="http://signify.sourceforge.net/" rel="nofollow">unmaintained mail-related
-                tool for generating mail signatures (not cryptographic signatures)</a>. Make sure
-                to install <code>signify-openbsd</code>.</p>
+                <pre>sudo apt install openssh-client</pre>
             </section>
 
             <section id="obtaining-factory-images">
@@ -429,9 +423,9 @@ <h2><a href="#obtaining-factory-images">Obtaining factory images</a></h2>
                 <pre>curl -O https://releases.grapheneos.org/<var>DEVICE_NAME</var>-factory-2021110122.zip
 curl -O https://releases.grapheneos.org/<var>DEVICE_NAME</var>-factory-2021110122.zip.sig</pre>
 
-                <p>Verify the factory images using the signature if you were able to obtain
-                <code>signify</code> from trusted package repositories (see above), otherwise
-                continue on to the next section without this:</p>
+                <p>Verify the factory images using the signature if you were able to obtain OpenSSH
+                from trusted package repositories (see above), otherwise continue on to the next
+                section without this:</p>
 
                 <pre>signify -Cqp factory.pub -x <var>DEVICE_NAME</var>-factory-2021110122.zip.sig &amp;&amp; echo verified</pre>
 

static/install/index.html

@@ -53,7 +53,7 @@ <h1><a href="#install">Install</a></h1>
             on.</p>
 
             <p>The command-line approach offers a way to install GrapheneOS without trusting our
-            server infrastructure. This requires being on an OS with proper fastboot and signify
+            server infrastructure. This requires being on an OS with proper fastboot and OpenSSH
             packages along with understanding the process enough to avoid blindly trusting the
             instructions from our site. For most users, the web-based installation approach is no
             less secure and avoids needing any software beyond a browser with WebUSB support.</p>

static/js/redirect.js

@@ -28,6 +28,8 @@ const redirects = new Map([
 
     ["/build#enabling-updatable-apex-components", "/build#apex-components"],
 
+    ["/install/#obtaining-signify", "/install/cli#obtaining-openssh"],
+
     // legacy devices
     ["/releases#marlin-stable", "/faq#legacy-devices"],
     ["/releases#marlin-beta", "/faq#legacy-devices"],