How to verify Qubes


myblackc...@gmail.com

Apr 13, 2018, 11:21:13 AM
to qubes-users

Hello community,

First I want to say that I am a new member of this Google group and I want to greet all. :)

I am a newbie to Qubes (Linux) and I use Windows 10 at this time.

Today I downloaded the current ISO image from the main page. Since I'm not so good with Linux in general, I turn to you.

I downloaded the Qubes master signing key and tried to verify it.

Since I use Windows 10, I have also downloaded the program GPGEX. I open the program Kleopatra and click on the field "import". The tool gives me the hint that the certificate must first be authenticated and I have to create my own PGP certificate to verify others. After the mentioned configuration I get a key. Is this the Qubes key?
How can I tell that this is the right key?

For example, when I click the Decrypt / Verify tab in Kleopatra, I get the error message that the key contains certificates and can not be decrypted.

When I enter the commands from the Qubes page into the Windows command prompt, I get the error message no such file...

What am I doing wrong?

I hope my question is not ridiculous and someone can help me.

Previously, I never dealt with PGP and the like.
I would be very happy about many answers.

Thanks in advance

Chris Laprise

Apr 13, 2018, 12:48:45 PM
to myblackc...@gmail.com, qubes-users
You need the Qubes 4 Signing key in addition to the master key and the
signature.

If you don't mind using the shell, I posted a shortened verification
howto here:
https://groups.google.com/d/msgid/qubes-users/f27a5258-419a-6b18-cb4f-a424746b8e34%40posteo.net

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Neelix

Apr 14, 2018, 5:12:26 AM
to myblackc...@gmail.com, qubes-users
Hi,


Try using this guide to verify the checksum.

https://bhoover.com/how-to-verify-checksum-windows/
--
Regards,

Neelix
PGP: 289C 2E3B A021 FAE8 9529 A128 1528 9E56 B4BE 1DD3




myblackc...@gmail.com

Apr 14, 2018, 9:07:47 AM
to qubes-users
Hey guys,

Thanks a lot for your help and feedback. It's cool to know that someone can help me :)

@ Chris Laprise

I downloaded the Qubes master signing key,
the Qubes release 4 signing key
and the signature (Qubes-R4.0-x86_64.iso)

I followed your tutorial and opened the Windows command prompt.
I typed the command gpg2 --import qubes-master-signing-key.asc. After this I got the error message "No such file or directory". I saved all files into the download folder. It's important for me to work with DOS, because I want to learn it the hard way :D

I also tried typing the commands from the Qubes main site into the Windows command prompt. But neither works well. Hmm, what am I doing wrong?

@ Neelix

I used the checksum tool for Windows before, but I forgot the name of the tool. Thanks for posting it. Thumbs up. I will try it again.

I would be happy about your messages again.

regards

myblackc...@gmail.com

Apr 14, 2018, 9:17:43 AM
to qubes-users
Hey,

When I open the master signing key with the checksum utility tool and want to verify it, I get the message "Hash does not match".

regards

cooloutac

Apr 14, 2018, 9:11:54 PM
to qubes-users

The tool for Windows you might be thinking of is certutil, from cmd prompt:

certUtil -hashfile pathtofile.iso SHA256

myblackc...@gmail.com

Apr 16, 2018, 10:53:06 AM
to qubes-users
Hey guys,

I followed the tutorial which Chris wrote.

It works, but at the last step "verify the ISO" I get this message.

http://www.bilder-upload.eu/show.php?file=fe395a-1523890343.png

I uploaded the screenshot from the command prompt to a hoster.

Is this ISO not correct?

I would be happy about a message.

regards and thx in advance

myblackc...@gmail.com

Apr 16, 2018, 12:13:10 PM
to qubes-users
Hey,

Thread can be closed. It works perfectly.

@Chris Laprise

Your Thread was very helpful. Thumbs up.

Thanks to all.

regards


Tobias Killer

Apr 16, 2018, 12:40:17 PM
to myblackc...@gmail.com, qubes-users
On 16.04.2018 at 16:53, myblackc...@gmail.com wrote:
> Hey guys,

Hello,

>
> I followed the tutorial which Chris wrote.
>
> It works, but at the last step "verify the ISO" I get this
> message.
>
> http://www.bilder-upload.eu/show.php?file=fe395a-1523890343.png
>
> I uploaded the screenshot from the command prompt to a hoster.
>

Since it's written in German, I'll roughly transcribe and translate
the screenshot here:

==============================================
C:\Users\cyper\Downloads>gpg --verify Qubes-R4.0-x86_64.iso.asc Qubes-R4.0-x86_64.iso
gpg: Signature made We 28 Mar 2018 05:31:04 CEST
gpg: using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: Good signature from "Qubes OS Release 4 Signing Key" [undefined]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5817 A43B 283D E5A9 181A 522E 1848 792F 9E27 95E9
==============================================

It tells you that the signature itself is correct which means that the
ISO file you have has not been manipulated and is in fact from the
Qubes OS project AS LONG AS the "Qubes OS Release 4 Signing Key" you
have is NOT A FAKE.

Your GPG does not know if the signing key you have is a fake or not.
This means that GPG cannot confirm if the signature you verified is
really from the Qubes OS project or not. That's what the warning
message is about.

If you trust the key then everything is fine. Here

https://www.qubes-os.org/security/verifying-signatures/#importing-qubes-signing-keys

is a list of ideas how you can check if the fingerprint of the key you
have equals the fingerprint of the real "Qubes OS Release 4 Signing
Key". If they match, using several sources, then it's likely that you
have the real key.

> Is this ISO not correct?

As long as you trust the signing key.

>
> I would be happy about a message.
>
> regards and thx in advance
>

Regards,
Tobias

Tobias Killer

Apr 16, 2018, 12:52:55 PM
to myblackc...@gmail.com, qubes-users
Hey,

On 16.04.2018 at 18:13, myblackc...@gmail.com wrote:
> Thread can be closed. It works perfectly.

If you're really concerned about security then you should verify that
the signing key you have is the real one, as I described in my very
recent email.

A system booted from a compromised ISO could also "work perfectly" but
compromise your computer system. A real attacker won't warn you but
give you the illusion that everything was fine.

Regards,
Tobias
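
Added example, not part of any post in this thread: a Python sketch of the distinction Tobias draws in his two replies above. It reads gpg's machine-readable `--status-fd` output and accepts the ISO only when the signature is valid and the primary key fingerprint equals one you have confirmed out of band. The status lines are constructed samples, the function names are hypothetical, and the pinned fingerprint is the one printed in the gpg output quoted in the thread.

```python
import subprocess

# Fingerprint printed in the gpg output quoted in this thread. Assumption:
# you have confirmed it against several independent sources before pinning it.
EXPECTED_FPR = "5817 A43B 283D E5A9 181A 522E 1848 792F 9E27 95E9"

# Constructed sample of `gpg --status-fd 1 --verify` output (not a real capture).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1848792F9E2795E9 Qubes OS Release 4 Signing Key
[GNUPG:] VALIDSIG 5817A43B283DE5A9181A522E1848792F9E2795E9 2018-03-28 1522207864 0 4 0 1 8 00 5817A43B283DE5A9181A522E1848792F9E2795E9
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def normalize(fpr):
    """Strip spaces and upper-case so pasted fingerprints compare equal."""
    return "".join(fpr.split()).upper()

def assess(status_text, expected_fpr):
    """Return (verdict, trust); verdict is OK, WRONG_KEY, BAD or NO_SIG."""
    primary, trust, failed = None, "none", False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in FAILURES:
            failed = True
        elif keyword == "VALIDSIG" and args:
            # Current gpg appends the primary key fingerprint as the 10th field.
            primary = args[9] if len(args) >= 10 else args[0]
        elif keyword.startswith("TRUST_"):
            trust = keyword[len("TRUST_"):].lower()
    if failed:
        return "BAD", trust
    if primary is None:
        return "NO_SIG", trust
    # Trust level is reported only; the pinned fingerprint makes the decision.
    match = normalize(primary) == normalize(expected_fpr)
    return ("OK" if match else "WRONG_KEY"), trust

def gpg_status(sig_path, iso_path):
    """Run gpg and return its status lines (needs gpg on PATH)."""
    cmd = ["gpg", "--status-fd", "1", "--verify", sig_path, iso_path]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

if __name__ == "__main__":
    print(assess(SAMPLE_STATUS, EXPECTED_FPR))
```

A look-alike key that the local keyring marks as trusted still yields WRONG_KEY here, which is the case the "works perfectly" reply overlooks.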