Qubes Download Verification


vwic...@use.startmail.com

Jun 18, 2016, 10:54:13 PM6/18/16
to qubes...@googlegroups.com
Hello, I have a question about a downloaded .iso verification.

A good .iso signature is verified and hash and digest verifications are good; however, on the "--list sig" command, there was a second sig 3, 0x4BD7C4EEE2986940 2016-01-04 [User ID not found].

Upon requesting the public key I received: key 0x4BD7C4EEE2986940: public key "Kabine Diane <kab...@me.com>".

A "--list sig" command of that key shows it as revoked. Please see below.

This doesn't seem to be the desired output.  Have I missed something?
Any help with this would be appreciated as I don't want to load a compromised .iso.
Thanks



gpg -v --verify Qubes-R3.1-x86_64.iso.asc Qubes-R3.1-x86_64.iso
gpg: armor header: Version: GnuPG v1
gpg: Signature made Wed 09 Mar 2016 03:40:56 AM UTC
gpg:                using RSA key 0xCB11CA1D03FA5082
gpg: using PGP trust model
gpg: Good signature from "Qubes OS Release 3 Signing Key" [full]
gpg: binary signature, digest algorithm SHA256


gpg --list-sig 03FA5082
pub   4096R/0xCB11CA1D03FA5082 2014-11-19
uid                 [  full  ] Qubes OS Release 3 Signing Key
sig          0xDDFA1A3E36879494 2014-11-19  Qubes Master Signing Key
sig 3        0x4BD7C4EEE2986940 2016-01-04  [User ID not found]
sig 3        0xCB11CA1D03FA5082 2014-11-19  Qubes OS Release 3 Signing Key

gpg --list-sig E2986940
gpg: error reading key: public key not found

gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4BD7C4EEE2986940
gpg: requesting key 0x4BD7C4EEE2986940 from hkp server pool.sks-keyservers.net
gpg: key 0x4BD7C4EEE2986940: public key "Kabine Diane <kab...@me.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

gpg --list-sig E2986940
pub   4096R/0x4BD7C4EEE2986940 2016-01-04 [revoked: 2016-01-04]
rev          0x4BD7C4EEE2986940 2016-01-04  Kabine Diane <kab...@me.com>
uid                 [ revoked] Kabine Diane <kab...@me.com>
sig 3        0x4BD7C4EEE2986940 2016-01-04  Kabine Diane <kab...@me.com>
 

Andrew David Wong

Jun 19, 2016, 10:19:42 AM6/19/16
to vwic...@use.startmail.com, qubes...@googlegroups.com

On 2016-06-18 19:54, vwic...@use.startmail.com wrote:
> Hello, I have a question about a downloaded .iso verification.
>
> A good .iso signature is verified and hash and digest verifications
> are good however on the "--list sig" command, there was a second
> sig 3, 0x4BD7C4EEE2986940 2016-01-04 [User ID not found].
>
> Upon requesting the public key I received, key 0x4BD7C4EEE2986940:
> public key "Kabine Diane <kab...@me.com>.
>
> A"--list sig" command of that key shows as revoked. Please see
> below.
>
> This doesn't seem to be the desired output. Have I missed
> something? Any help with this would be appreciated as I don't want
> to load a compromised .iso. Thanks
>

It sounds like you may be confused about how PGP works. The
`--list-sigs` option simply lists the signatures on a key or keys.
Anyone can sign anyone else's public key and upload the signed public
key to keyservers. We couldn't stop that even if we wanted to. That's
just the nature of PGP. Everyone is also free to revoke their own keys
at any time (assuming they possess or can create a revocation
certificate).

So, what happened here is that someone created a key
(0x4BD7C4EEE2986940), added the uid "Kabine Diane <kab...@me.com>"
(which may or may not be the key creator's real identity), used the
key to sign the Qubes OS Release 3 Signing Key, then revoked their key.

Since we don't know anything about this revoked key, this tells us
exactly nothing about the trustworthiness of the Qubes OS Release 3
Signing Key.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
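As an added illustration of the point above (not code from either poster or from the Qubes project), here is a small parser for the `--list-sig` output shown in this thread: it labels each certification on a key as a self-signature, a certification from a key you chose to trust, or an unknown third-party signature, and it decides trust only on the basis of certifiers you picked yourself, so the stranger's revoked key contributes nothing. The listings and key IDs are the ones from the thread; treating 0xDDFA1A3E36879494 as the Qubes Master Signing Key is an assumption that must be confirmed against the fingerprint the project publishes.

```python
import re

# Sample input: the two `gpg --list-sig` listings from the original post.
RELEASE_KEY_LISTING = """\
pub   4096R/0xCB11CA1D03FA5082 2014-11-19
uid                 [  full  ] Qubes OS Release 3 Signing Key
sig          0xDDFA1A3E36879494 2014-11-19  Qubes Master Signing Key
sig 3        0x4BD7C4EEE2986940 2016-01-04  [User ID not found]
sig 3        0xCB11CA1D03FA5082 2014-11-19  Qubes OS Release 3 Signing Key
"""
STRANGER_KEY_LISTING = """\
pub   4096R/0x4BD7C4EEE2986940 2016-01-04 [revoked: 2016-01-04]
rev          0x4BD7C4EEE2986940 2016-01-04  Kabine Diane <kab...@me.com>
uid                 [ revoked] Kabine Diane <kab...@me.com>
sig 3        0x4BD7C4EEE2986940 2016-01-04  Kabine Diane <kab...@me.com>
"""
# Assumption: this master key ID was checked against the project's published fingerprint.
TRUSTED_CERTIFIERS = {"DDFA1A3E36879494"}

PUB_RE = re.compile(r"^pub\s+\S+/0x([0-9A-F]{16})\s+\d{4}-\d{2}-\d{2}(.*)$")
SIG_RE = re.compile(r"^(sig|rev)\s*\d?\s+0x([0-9A-F]{16})\s+\d{4}-\d{2}-\d{2}\s+(.*)$")

def parse_listing(listing):
    """Return (key_id, revoked, [(type, signer_id, uid), ...]) for one listing."""
    key_id, revoked, sigs = None, False, []
    for line in listing.splitlines():
        if m := PUB_RE.match(line):
            key_id, revoked = m.group(1), "[revoked" in m.group(2)
        elif m := SIG_RE.match(line):
            sigs.append((m.group(1), m.group(2), m.group(3).strip()))
    return key_id, revoked, sigs

def classify(key_id, sigs, trusted):
    """Label each signature line on a key: revocation, self, trusted or unknown."""
    labelled = []
    for sig_type, signer, uid in sigs:
        if sig_type == "rev":
            kind = "revocation"
        elif signer == key_id:
            kind = "self"
        else:  # a third party's signature means something only if we trust that party
            kind = "trusted" if signer in trusted else "unknown"
        labelled.append((signer, kind, uid))
    return labelled

def certified_by_trusted(listing, trusted):
    """True if a non-revoked key carries a certification from a key in `trusted`."""
    key_id, revoked, sigs = parse_listing(listing)
    return not revoked and any(k == "trusted" for _, k, _ in classify(key_id, sigs, trusted))
```

Run it on the release key listing and the unknown `sig 3` line is labelled `unknown`, while the verdict rests solely on the master key certification; run it on the stranger's own listing and the revocation makes it worthless as a certifier.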
