What is the SHA-256 checksum of the Qubes-R4.0.1-x86_64 ISO?

O K

Aug 16, 2019, 3:54:26 PM
to qubes-users
I've downloaded the iso and gotten the sha-256 of the file from the MD5/SHA utility.  I just need to figure out how to verify that number with the actual checksum.  I cannot for the life of me figure out the GPG, PGP, PCP or whatever else it is.

sourcexorapprentice

Aug 17, 2019, 2:41:49 PM
to qubes-users
The process is to verify the Qubes ISO signature is correct, and not to trust a SHA256 checksum posted on the same website hosting the file. The hash only confirms the integrity and not the validity of the file (which may be infected). It's a security theater exercise we're used to doing elsewhere in order to provide us with the warm fuzzy feeling of a false sense of security.

Instructions here on how to verify the latest Qubes ISO is legitimate:
https://www.qubes-os.org/security/verifying-signatures/

O K

Aug 18, 2019, 12:56:43 PM
to qubes-users
Well the issue is the computer doesn't have access to internet at the moment.  I have the sig file, master key file, and the iso, I just want to know if there is some way to go through the whole process of verification without the internet, by just checking numbers manually.

Andrew David Wong

Aug 18, 2019, 1:43:41 PM
to O K, qubes-users
On 18/08/2019 11.56 AM, O K wrote:
> Well the issue is the computer doesn't have access to internet at
> the moment. I have the sig file, master key file, and the iso, I
> just want to know if there is some way to go through the whole
> process of verification without the internet, by just checking
> numbers manually.
>

Yes:

1. Hash the ISO on the computer without internet access.

2. On a computer with internet access, verify the signature on the
.DIGESTS file (or otherwise obtain a verified hash value).

3. Manually compare the value generated in step 1 with the corresponding
verified value obtained in step 2 in order to ensure they match.

P.S. -- Please avoid top-posting.

> On Saturday, August 17, 2019 at 2:41:49 PM UTC-4,
> sourcexorapprentice wrote:
>>
>> The process is to verify the Qubes ISO signature is correct, and
>> not to trust a SHA256 checksum posted on the same website hosting
>> the file. The hash only confirms the integrity and not the
>> validity of the file (which may be infected). It's a security
>> theater exercise we're used to doing elsewhere in order to
>> provide us with the warm fuzzy feeling of a false sense of
>> security.
>>
>> Instructions here on how to verify the latest Qubes ISO is
>> legitimate:
>> https://www.qubes-os.org/security/verifying-signatures/
>>

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


O K

Aug 18, 2019, 3:53:44 PM
to qubes-users
Yeah, I just want to know how to get the actual SHA-256 of the Qubes ISO. I don't know how to use DIGESTS. Is verifying the master file and sig file a different process than comparing the SHA-256? Do they provide the same level of security? Sorry, I know it's a pain bc I don't know much, but a yes or no is fine, I just want to be sure either process is fine. Checking SHA-256 would be easiest for me since I already have it for the file I downloaded. And what is top-posting? Thanks.

O K

Aug 18, 2019, 4:20:30 PM
to qubes-users
Ok, I figured out the difference between SHA and the other process, and I guess it would be better to use the other process. I found some good instructions along with the Qubes instructions, so I will try to implement those. Thanks.


O K

Aug 18, 2019, 4:32:51 PM
to qubes-users
But what I don't understand is how to get the fingerprint of the master key that I downloaded, so I can compare it to the ones online.  The number in the text is much longer than the fingerprint.


American Qubist 001

Aug 18, 2019, 4:39:16 PM
to qubes-users


On Sunday, August 18, 2019 at 1:20:30 PM UTC-7, O K wrote:
Ok, I figured out the difference between sha and other process and I guess it would be better to use the other process.  I found some good instructions along with qubes instructions so I will try to implement those.  Thanks.


Reply: I perform both the sha256sum verification on all downloaded ISOs and also, unless I am lazy or in a rush, verify the signatures with gpg. As stated in another reply, this safeguards in case there is a fake sha256sum which, conveniently, matches a fake ISO installed by a malicious actor.

OK wrote:  Re: What is the SHA-256 checksum of the Qubes-R4.0.1-x86_64 ISO?
Yeah, I just want to know how to get the actual SHA-256 of the Qubes ISO.  I don't know how to use DIGESTS.  Is verifying the master file and sig file a different process than comparing the sha-256?


Reply: They are different as per my above answer. However, afaik both not either.

Tip: If you have the DIGEST, finding it often being the hard part, you are home free. Just find the line that corresponds to the version of the ISO you have. The correct sha256sum is listed right there.

OK wrote:   Sorry, I know it's a pain bc I don't know much, but a yes or no is fine, I just want to be sure

I've been into Qubes for about three years and still consider myself a newbie. Tip: do as much reading and tweaking on one's own before posting.

OK wrote: And what is top-posting?  Thanks.

Top posting is when you write above rather than below what you are replying to. It is sometimes the default when you hit "Reply" on email, so afaik it is better to go to the google groups web page where you have more control.

American Qubist 001

Aug 18, 2019, 5:02:01 PM
to qubes-users

O K, you have asked many different questions as you have proceeded, and I don't have a problem with that. At this point, you are asking the same question as this thread. I direct you to the Stack Exchange link in that thread, which does ask other questions, but they hinge on the answer to the question of what gpg command will work to see the fingerprint of the xxx.pubkey file. https://groups.google.com/forum/#!topic/qubes-users/v9aaQ1SAG9I

unman

Aug 19, 2019, 12:16:18 PM
to qubes-users
Don't top-post on this list.
If your mailer puts the cursor at the top of the message, scroll to the
bottom before you start typing.
It takes you seconds, but makes it easier for everyone else who reads
your messages.

Did you read the guide here - https://www.qubes-os.org/doc/installation-guide/

The signature on the web site uses short form (Qubes Master Signing Key
(0xDDFA1A3E36879494) )
gpg qubes-master-signing-key.asc
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096 2010-04-01 [SC]
427F11FD0FAA4B080123F01CDDFA1A3E36879494
uid Qubes Master Signing Key

That is the long form of the fingerprint - if you look at the end you will see
*the same* characters.
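The offline procedure Andrew describes (hash the ISO offline, read the expected value from an already-verified .DIGESTS file, compare by hand) and unman's point about the short key ID being the tail of the full fingerprint, as an added example that is not part of this thread or of the Qubes project. It assumes the digest lines use the coreutils `<hex>  <filename>` format; the ISO bytes and digest lines below are constructed stand-ins.

```python
"""Added example: offline ISO hash check and fingerprint/key-ID comparison."""
import hashlib
import hmac
import re

# Constructed sample data: a stand-in for the ISO, and SHA-1 plus SHA-256 lines
# in the coreutils "<hex>  <filename>" format (assumed .DIGESTS layout; the PGP
# clear-sign armor around the real file is omitted here).
ISO_NAME = "Qubes-R4.0.1-x86_64.iso"
SAMPLE_ISO_BYTES = b"constructed stand-in for the real ISO contents\n"
SAMPLE_ISO_SHA256 = hashlib.sha256(SAMPLE_ISO_BYTES).hexdigest()
SAMPLE_DIGESTS = (
    hashlib.sha1(SAMPLE_ISO_BYTES).hexdigest() + "  " + ISO_NAME + "\n"
    + SAMPLE_ISO_SHA256 + "  " + ISO_NAME + "\n"
)
DIGEST_LINE = re.compile(r"^([0-9A-Fa-f]+)\s+\*?(\S.*)$")


def sha256_file(path, chunk_size=1 << 20):
    """Step 1: hash the ISO on the offline machine, streaming to bound memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def expected_sha256(digests_text, iso_name):
    """Step 2: pick the SHA-256 line for iso_name out of verified DIGESTS text.

    Only 64-hex-digit lines count (MD5/SHA-1/SHA-512 lines are skipped), and a
    missing or duplicated entry raises instead of silently choosing one.
    """
    found = []
    for line in digests_text.splitlines():
        m = DIGEST_LINE.match(line.strip())
        if m and len(m.group(1)) == 64 and m.group(2) == iso_name:
            found.append(m.group(1).lower())
    if len(found) != 1:
        raise ValueError(f"expected one SHA-256 line for {iso_name}, got {len(found)}")
    return found[0]


def digests_match(actual_hex, expected_hex):
    """Step 3: compare the two hex strings, case-insensitively and in constant time."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def key_id_from_fingerprint(fingerprint):
    """The long key ID is the last 16 hex digits of the 40-digit fingerprint."""
    fpr = fingerprint.replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a 40-hex-digit OpenPGP v4 fingerprint")
    return "0x" + fpr[-16:]
```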

O K

Aug 19, 2019, 1:11:05 PM
to unman, qubes-users
Ok, sorry, I didn't know about the top-posting thing, will be sure not to do it. My Qubes installer has been verified! Yay! Thanks to everyone for your help!
