PolymerOS docs

People

Verify a download

source=docs/user/verify-a-download.md sha256=927792098a873cf2

Agent-assisted draft. The commands are checked against repository sources, but the guide copy has not completed human editorial review.

Every PolymerOS release directory carries a SHA256SUMS file and a detached minisign signature over it. Two commands prove your download is intact and came from the build pipeline. Run both from inside the download folder before you boot anything.

The two commands

minisign -Vm SHA256SUMS -P RWQca8J06MT1pNV/h3ALWu97juZJzQ1KKIDyj4R88VhJTyLMG/l2yfBx
sha256sum -c SHA256SUMS

What each command proves

Taken together: the signature vouches for the checksums, and the checksums vouch for the files. You never need anything beyond sha256sum, minisign, and the public key to verify a download. If either command fails, do not use the download.

What the chaos key is, and is not

The key that signs Chaos builds is polymer-dev-auto-1, a passwordless automation key held on the build coordinator so the pipeline can sign Chaos and dev artifacts automatically once a build passes its gauntlet. It grants nothing above Chaos: a signature from it means only that this pipeline produced the artifact, not that the artifact was reviewed or promoted. Promotion to Alpha and Beta re-signs with the operator-held polymer-dev key (which requires an operator password), and Stable will require 2-of-3 threshold approval. These are development keys generated 2026-07-04 and labeled not for production; the public keys and the promotion policy live in keys/ in the repository so you can check them against what signed your download.