I am unable to verify my image. Please help?


Optimal Joy

Jan 25, 2018, 3:33:54 PM
to qubes-users
Hi. New to Qubes, just downloading it, and wish to verify my image.
I have downloaded my images and keys. Also got the master signing key.

user Downloads # wget https://mirrors.kernel.org/qubes/iso/Qubes-R3.2-x86_64.iso && wget https://keys.qubes-os.org/keys/qubes-release-3-signing-key.asc && wget https://mirrors.kernel.org/qubes/iso/Qubes-R3.2-x86_64.iso.asc
...
snip
...

I have these files now in my ~/Downloads directory:

-rw-r--r-- 1 elliot elliot 1.6K Jan 25 11:21 qubes-master-signing-key.asc
-rw-r--r-- 1 root root 819 Sep 20 2016 Qubes-R3.2-x86_64.iso.asc
-rw-r--r-- 1 root root 4.0G Sep 20 2016 Qubes-R3.2-x86_64.iso
-rw-r--r-- 1 root root 2.4K Nov 19 2014 qubes-release-3-signing-key.asc

I tried this command earlier to fetch the qubes-master key:
~/Downloads $ gpg2 --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc'
gpg: WARNING: unable to fetch URI https://keys.qubes-os.org/keys/qubes-master-signing-key.asc: General error

Since it wasn't working, I manually downloaded the file from the Qubes site; however, I am afraid that I only have the file but have not imported the public key.

When trying to verify the iso, I get the following error:

Downloads # gpg2 --verify Qubes-R3.2-x86_64.iso.asc Qubes-R3.2-x86_64.iso
gpg: Signature made Tue 20 Sep 2016 10:33:37 AM PDT using RSA key ID 03FA5082
gpg: Can't check signature: No public key

How can I download/get my Public Key manually? Or what could be wrong with my fetch?

Help, thanks!

Chris Laprise

Jan 25, 2018, 10:37:23 PM
to Optimal Joy, qubes-users
If you have the key files on disk, use --import:
$ gpg2 --import qubes-master-signing-key.asc
$ gpg2 --import qubes-release-3-signing-key.asc

Then use --edit-key to set trust level to 4 on master key:
$ gpg2 --edit-key 36879494
gpg> trust
gpg> save

Then check that master<>release signatures are valid:
$ gpg2 --check-sigs

You'll see the release key as "uid ... Qubes OS Release 3 Signing Key"
and directly underneath a line like:
"sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key"

After all of this, the thing that validates the Signing key is "sig!".
It shows the Release key has been signed by the Master key and "!" means
the signature is valid.

At this point, if you have taken care to verify the Master key by
retrieving it or viewing its fingerprint through other channels, then
your keys are all set. (Some people skip most of this and only import
the Signing key and verify its fingerprint, but I digress.)

You can now do the --verify step.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
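
The "sig!" check described in the reply above, as an added example that is not part of the original thread: a shell function that reads the machine-readable form of the same listing (gpg2 --with-colons --check-sigs) and succeeds only when the release key's user ID carries a verified signature from the master key. The names signed_by and sample_keys and the sample records are constructed for illustration; the key IDs are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `gpg2 --with-colons --check-sigs`
# output on stdin; returns 0 only if the key whose ID ends in $2 has a user ID
# carrying a verified ("!") signature from the key whose ID ends in $1.
signed_by() {
    awk -F: -v issuer="$1" -v subject="$2" '
        function ends_with(s, suf) {
            return length(s) >= length(suf) && substr(s, length(s) - length(suf) + 1) == suf
        }
        BEGIN { issuer = toupper(issuer); subject = toupper(subject) }
        # A pub record starts a new key block; field 5 is the long key ID.
        $1 == "pub" { in_subject = ends_with($5, subject); on_uid = 0 }
        $1 == "uid" { on_uid = 1 }
        $1 == "sub" { on_uid = 0 }
        # Field 2 of a sig record is the check result: "!" good, "-" bad,
        # "?" issuer key not in the keyring, "%" other error.
        $1 == "sig" && in_subject && on_uid && $2 == "!" && ends_with($5, issuer) { ok = 1 }
        END { exit !ok }
    '
}

# Constructed sample records (not real gpg output). The leading zeros in the
# release key ID are placeholders because the thread shows only 03FA5082.
# $1 = check result to place on the master-over-release signature.
sample_keys() {
    cat <<EOF
pub:f:4096:1:DDFA1A3E36879494:1270000000:::f:::cC:
uid:f::::1270000000::X::Qubes Master Signing Key:
sig:!::1:DDFA1A3E36879494:1270000000::::Qubes Master Signing Key:13x:
pub:f:4096:1:0000000003FA5082:1416000000:::-:::scC:
uid:f::::1416000000::X::Qubes OS Release 3 Signing Key:
sig:!::1:0000000003FA5082:1416000000::::Qubes OS Release 3 Signing Key:13x:
sig:$1::1:DDFA1A3E36879494:1488931200::::Qubes Master Signing Key:10x:
EOF
}

# Real use (assumes both keys are already imported):
#   gpg2 --with-colons --check-sigs | signed_by DDFA1A3E36879494 03FA5082
sample_keys '!' | signed_by DDFA1A3E36879494 03FA5082 && echo "release key is certified by the master key"
sample_keys '?' | signed_by DDFA1A3E36879494 03FA5082 || echo "no verified master signature on the release key"
```

A pass here only says the release key is certified by whatever master key is in the keyring; the master key's fingerprint still has to be confirmed through other channels, as the reply says.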

Optimal Joy

Jan 26, 2018, 4:18:30 PM
to qubes-users
>
> If you have the key files on disk, use --import:
> $ gpg2 --import qubes-master-signing-key.asc
> $ gpg2 --import qubes-release-3-signing-key.asc
>
> Then use --edit-key to set trust level to 4 on master key:
> $ gpg2 --edit-key 36879494
> gpg> trust
> gpg> save
>
> Then check that master<>release signatures are valid:
> $ gpg2 --check-sigs
>
> You'll see the release key as "uid ... Qubes OS Release 3 Signing Key"
> and directly underneath a line like:
> "sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key"
>
> After all of this, the thing that validates the Signing key is "sig!".
> It shows the Release key has been signed by the Master key and "!" means
> the signature is valid.
>
> At this point, if you have taken care to verify the Master key by
> retrieving it or viewing its fingerprint through other channels, then
> your keys are all set. (Some people skip most of this and only import
> the Signing key and verify its fingerprint, but I digress.)
>
> You can now do the --verify step.


Thank you Chris (and sorry for the late response). I was able to verify my image.
