-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 18/08/2019 11.56 AM, O K wrote:
> Well the issue is the computer doesn't have access to internet at
> the moment. I have the sig file, master key file, and the iso, I
> just want to know if there is some way to go through the whole
> process of verification without the internet, by just checking
> numbers manually.
>
Yes:
1. Hash the ISO on the computer without internet access.
2. On a computer with internet access, verify the signature on the
.DIGESTS file (or otherwise obtain a verified hash value).
3. Manually compare the value generated in step 1 with the corresponding
verified value obtained in step 2 in order to ensure they match.
P.S. -- Please avoid top-posting.
> On Saturday, August 17, 2019 at 2:41:49 PM UTC-4,
> sourcexorapprentice wrote:
>>
>> The process is to verify the Qubes ISO signature is correct, and
>> not to trust a SHA256 checksum posted on the same website hosting
>> the file. The hash only confirms the integrity and not the
>> validity of the file (which may be infected). It's a security
>> theater exercise we're used to doing elsewhere in order to
>> provide us with the warm fuzzy feeling of a false sense of
>> security.
>>
>> Instructions here on how to verify the latest Qubes ISO is
>> legitimate:
>>
https://www.qubes-os.org/security/verifying-signatures/
>>
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAl1ZjkAACgkQ203TvDlQ
MDD38A//Q4v/Kpvzxb/ur9X2BU1PwkHh7S3309FgwzJu5dM4Om9XzkTsHtyUsdAd
vnTtWCq/3jNaJQMS9NUOVHYoEkygnVUIzuGNgNlVwB42CwYWw8j5IieSY5UmtHrb
JQBfRqxmLYio4Q9D7r+Krk3esOb8QrG8KvFedweCmxDlmbdcsDxPyKhzkGEIq32H
nj9nDyS8yDtU2ktZHb/773zkJM7ByKhitFMhBmis1thzKGweKvlWOligkYs5HPDv
uQaLeg+dpbXMFaPfA9CCYbuF0PYyT0IWIp4jqAvPm2OzNP23PwqpekVUW1hMjjS9
zHfFJHwf6tx6iuy/akDGaTPlYqlwqZHJpz3bSXrgqcNK1BK/7GrXL2VxjMg58h9Q
rw5xEfe8mNK7ozGCPWp0dFnaMw9KRwfpZAek1Bs/NFsyWKo8SABauRwX/Oin+HRl
/JhQ33VuE3BvyjTUML+0Oup2QCTCmJNSIZCkh5+6yFuetHhT+Zsux5aR3cpVH02B
oPRwCyLXjrEA/kmq9OVjNfFzY8fX9SIGueKvkj+mtOEAbkQf0q16kOviYbs4huOB
wObYYVPuhpQYK1zHIoHBMOrBQeV0kmixtK44StiP0vYoDvbHJvhzT4iqnyO9tR2V
YqIIP5HjGZeVHI60+QskdFR1s2dkFIQfX4M/LhnP7aOct6iH9BM=
=ny2S
-----END PGP SIGNATURE-----