Confused about verifying signatures


Patrick Bouldin

Aug 16, 2018, 4:47:16 PM
to qubes-users
Hi trying to validate 4.0. I downloaded the qubes-master-signing-key.asc and then not able to progress. I did find Joanna's qubes master signing key footprint, but I don't know how to compare or take the next step...

I did this with 3.0 a few years ago but can't remember...

I did check the web site and still don't know.

Thanks.

Andrew David Wong

Aug 16, 2018, 6:35:33 PM
to Patrick Bouldin, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
If you just want to see the fingerprint of the key you downloaded as a
file so that you can compare it to the fingerprint you obtained
through another channel, this is probably the simplest way:

$ gpg2 qubes-master-signing-key.asc
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096 2010-04-01 [SC]
427F11FD0FAA4B080123F01CDDFA1A3E36879494
uid Qubes Master Signing Key

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Andrew David Wong

Aug 16, 2018, 6:43:50 PM
to Patrick Bouldin, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2018-08-16 17:35, Andrew David Wong wrote:
> On 2018-08-16 15:47, Patrick Bouldin wrote:
>> Hi trying to validate 4.0. I downloaded the
>> qubes-master-signing-key.asc and then not able to progress. I did
>> find Joanna's qubes master signing key footprint, but I don't know
>> how to compare or take the next step...
>
>> I did this with 3.0 a few years ago but can't remember...
>
>> I did check the web site and still don't know.
>
>> Thanks.
>
>
> If you just want to see the fingerprint of the key you downloaded as a
> file so that you can compare it to the fingerprint you obtained
> through another channel, this is probably the simplest way:
>
> $ gpg2 qubes-master-signing-key.asc
> gpg: WARNING: no command supplied. Trying to guess what you mean ...
> pub rsa4096 2010-04-01 [SC]
> 427F11FD0FAA4B080123F01CDDFA1A3E36879494
> uid Qubes Master Signing Key
>

If you're using gpg instead of gpg2, there's the --with-fingerprint
option:

$ gpg --with-fingerprint qubes-master-signing-key.asc
gpg: keyring `/home/user/.gnupg/secring.gpg' created
pub 4096R/36879494 2010-04-01 Qubes Master Signing Key
Key fingerprint = 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
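
Added example (not part of the thread and not Qubes project code): the two commands above print the same fingerprint in different layouts (unspaced from gpg2, spaced groups from gpg), so this sketch normalizes both sides before comparing and refuses anything shorter than the full 40-digit fingerprint. The function names and the simplified colon-format sample are constructed for illustration; the real-use line assumes a GnuPG version that supports --show-keys.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Constructed sample of `gpg --with-colons` output (simplified records),
# using the fingerprint quoted in the thread.
SAMPLE='pub:-:4096:1:DDFA1A3E36879494:1270080000:::-:::scSC:
fpr:::::::::427F11FD0FAA4B080123F01CDDFA1A3E36879494:
uid:-::::::::Qubes Master Signing Key:'

# Strip separators and uppercase, so "427F 11FD ..." equals "427F11FD...".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Print the fingerprint of the first primary key in colon-format input:
# the first "fpr" record following a "pub" record (field 10).
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# check_fpr EXPECTED < colon-output
# 0 = match, 1 = mismatch, 2 = EXPECTED is not a full 40-hex-digit fingerprint.
check_fpr() {
    expected=$(normalize_fpr "$1")
    case "$expected" in
        *[!0-9A-F]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 40 ]; then
        echo "need the full 40-digit fingerprint, not a key ID" >&2
        return 2
    fi
    actual=$(normalize_fpr "$(primary_fpr)")
    if [ "$actual" = "$expected" ]; then
        echo "MATCH: $actual"
    else
        echo "MISMATCH: key file has '$actual'" >&2
        return 1
    fi
}

# Real use (assumes a GnuPG that supports --show-keys):
#   gpg --with-colons --show-keys qubes-master-signing-key.asc \
#     | check_fpr "<fingerprint obtained through another channel>"
printf '%s\n' "$SAMPLE" | check_fpr '427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494'
```
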

Patrick Bouldin

Aug 17, 2018, 1:58:37 AM
to qubes-users

Thanks and a quick question. I did get a final "Good signature", but curious, does that process actually modify the iso at all? Just would like to know because I pulled the iso file from my other pc and it will be easier to build the flash there.

awokd

Aug 17, 2018, 9:03:08 AM
to Patrick Bouldin, qubes-users
On Fri, August 17, 2018 5:58 am, Patrick Bouldin wrote:

>>> On 2018-08-16 15:47, Patrick Bouldin wrote:
>>>
>>>> Hi trying to validate 4.0. I downloaded the
>>>> qubes-master-signing-key.asc and then not able to progress. I did
>>>> find Joanna's qubes master signing key footprint, but I don't know
>>>> how to compare or take the next step...

>
> Thanks and a quick question. I did get a final "Good signature", but
> curious, does that process actually modify the iso at all? Just would
> like to know because I pulled the iso file from my other pc and it will
> be easier to build the flash there.

Assuming you're still talking about the validation process; no, that would
not modify the iso.


Andrew David Wong

Aug 18, 2018, 2:15:36 AM
to Patrick Bouldin, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

> Thanks and a quick question. I did get a final "Good signature", but curious, does that process actually modify the iso at all? Just would like to know because I pulled the iso file from my other pc and it will be easier to build the flash there.
>

No, checking the signature doesn't modify the ISO at all. However, since
you're using a second machine to perform the signature verification,
it's worth noting that you should, in principle, trust the second
machine at least as much as the first one. If the second machine were
compromised, it could falsely claim that the signature is good even if
the ISO on the first machine were compromised. (Depending on your threat
model, this risk may be acceptably low. Just thought I'd mention it.)

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
