Odyssey Linux public signing keys and cross-signed key attestation
2026-06-06 12:06:41 +01:00
cosign.pub Publish Odyssey public signing keys + cross-signed attestation 2026-06-06 12:06:41 +01:00
ether-repo.pub Publish Odyssey public signing keys + cross-signed attestation 2026-06-06 12:06:41 +01:00
odyssey-key-attestation.txt Publish Odyssey public signing keys + cross-signed attestation 2026-06-06 12:06:41 +01:00
odyssey-key-attestation.txt.cosign.bundle Publish Odyssey public signing keys + cross-signed attestation 2026-06-06 12:06:41 +01:00
odyssey-key-attestation.txt.xbps-sig.b64 Publish Odyssey public signing keys + cross-signed attestation 2026-06-06 12:06:41 +01:00
README.md Publish Odyssey public signing keys + cross-signed attestation 2026-06-06 12:06:41 +01:00

Odyssey Linux — Public Signing Keys

This repository publishes the public signing keys of Odyssey Linux and a cross-signed attestation linking them. It exists so anyone can verify Odyssey packages without trusting the maintainer.

Keys

  • cosign.pub — ECDSA P-256, verifies the .cosign.bundle files (Sigstore + Rekor).
  • ether-repo.pub — RSA 4096, verifies the xbps repository signatures.

Cross-signed attestation

odyssey-key-attestation.txt declares that both keys belong to the same maintainer. It is signed by BOTH keys, so each one attests the other.

Verify the cosign signature:

cosign verify-blob --key cosign.pub \
    --bundle odyssey-key-attestation.txt.cosign.bundle \
    odyssey-key-attestation.txt

Verify the RSA signature:

base64 -d odyssey-key-attestation.txt.xbps-sig.b64 > sig.bin
openssl dgst -sha256 -verify ether-repo.pub \
    -signature sig.bin odyssey-key-attestation.txt

Both commands must report a successful verification. If either key is ever compromised, a revocation notice signed by the other key will be published here and at https://odysseylinux.org/security.html
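
The two checks above combined into one fail-closed shell function, as an added example that is not part of the Odyssey repository. It assumes cosign, openssl, base64 and mktemp are on PATH and that all repository files sit in one directory; the function name verify_attestation is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Odyssey repository.
# verify_attestation DIR: run both README checks against the files in DIR
# and succeed only if BOTH signatures verify (fail closed).
# Returns 0 = both verified, 1 = a signature check failed, 2 = setup problem.
verify_attestation() {
    dir=${1:-.}
    att="$dir/odyssey-key-attestation.txt"
    rc=0

    # Refuse to continue if any expected file is missing or empty.
    for f in cosign.pub ether-repo.pub odyssey-key-attestation.txt \
             odyssey-key-attestation.txt.cosign.bundle \
             odyssey-key-attestation.txt.xbps-sig.b64; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done

    # Check 1: cosign (ECDSA P-256) signature via the Sigstore bundle.
    if cosign verify-blob --key "$dir/cosign.pub" \
            --bundle "$att.cosign.bundle" "$att" >/dev/null 2>&1; then
        echo "cosign: OK"
    else
        echo "cosign: FAILED" >&2; rc=1
    fi

    # Check 2: RSA 4096 signature, decoded into a private temp file.
    # A base64 decoding error counts as a failed check.
    sig=$(mktemp) || return 2
    if base64 -d "$att.xbps-sig.b64" > "$sig" &&
       openssl dgst -sha256 -verify "$dir/ether-repo.pub" \
            -signature "$sig" "$att" >/dev/null 2>&1; then
        echo "rsa: OK"
    else
        echo "rsa: FAILED" >&2; rc=1
    fi
    rm -f "$sig"

    return "$rc"
}
```

Call it as `verify_attestation /path/to/checkout` and act on the exit status, which is non-zero unless both signatures verify.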