Verifying Qubes 4.0


Steven Walker

Mar 29, 2018, 10:10:26 AM
to qubes-users
I am pretty much new to Qubes. Can anybody give me simple instructions on how to verify my download? I have the iso asc, the digests file, and the signing key asc.

Can someone help me through this?

Thank you,

Steven

Chris Laprise

Mar 29, 2018, 10:58:56 AM
to qubes...@googlegroups.com, Steven Walker
Here is a condensed howto which avoids some issues with the Qubes doc
and gpg itself:
https://www.qubes-os.org/security/verifying-signatures/


1. Get the Qubes master key, preferably from more than one source or
network channel so you can check they are all identical.

https://keys.qubes-os.org/keys/qubes-master-signing-key.asc


2. Get the signing key and iso files, as you already have.


3. Import the two keys:

$ gpg2 --import qubes-master-signing-key.asc
$ gpg2 --import qubes-release-4-signing-key.asc


3a. If you wish, additional verification of the Master key:

$ gpg2 --fingerprint

> pub rsa4096 2010-04-01 [SC]
> 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
> uid [ unknown] Qubes Master Signing Key

Then search for the Qubes master key fingerprint on Google or a
keyserver, or view the 'verifying-signatures' doc linked above. Then
compare that hexadecimal fingerprint and make sure what's in your shell
matches what you see in the browser.


4. Verify the release key:

$ gpg2 --check-sigs

The output should look like this:

> pub rsa4096 2017-03-06 [SC]
> 5817A43B283DE5A9181A522E1848792F9E2795E9
> uid [ unknown] Qubes OS Release 4 Signing Key
> sig!3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key
> sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key

You should see the Release 4 key in "uid" and nested under it the Master
key. The Master key line must begin with "sig!" including the
exclamation mark! If the exclamation is not present then the key is bad.


5. Verify the iso file:

$ gpg2 --verify Qubes-R4.0-x86_64.iso.asc Qubes-R4.0-x86_64.iso

You should see a message 'Good signature from "Qubes OS Release 4
Signing Key"'.


Hope this helps!

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
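
Step 4 of the howto above as an added example (not part of the original post and not Qubes project code): a POSIX shell function that applies the "sig!" rule to `gpg2 --check-sigs` output and ties it to the expected Release 4 fingerprint. The function and sample names are made up here; the sample text is constructed from the output quoted in the post, and the `sig-` line is a constructed failure case.

```shell
# Reads human-readable `gpg2 --check-sigs` output on stdin.
# $1 = release key fingerprint (40 hex digits), $2 = master key long ID.
# Succeeds only if the key block with that fingerprint has a "sig!" line from
# the master key and no master-key signature line with any other result flag.
check_release_key_sig() {
    awk -v fpr="$1" -v mid="$2" '
        /^pub/ { inblock = 0; want_fpr = 1; next }  # a new key block starts
        want_fpr {                                  # line after "pub" is the fingerprint
            want_fpr = 0
            line = $0; gsub(/[ \t]/, "", line)      # tolerate grouped or ungrouped hex
            inblock = (toupper(line) == toupper(fpr))
            next
        }
        inblock && /^sig/ {
            for (i = 2; i <= NF; i++)
                if (($i "") == (mid "")) {          # force string comparison
                    if ($1 ~ /^sig!/) good = 1
                    else bad = 1
                }
        }
        END { exit ((good && !bad) ? 0 : 1) }
    '
}

RELEASE_FPR=5817A43B283DE5A9181A522E1848792F9E2795E9   # as quoted in step 4
MASTER_ID=DDFA1A3E36879494                             # as quoted in step 4

# Constructed sample, modelled on the output quoted in step 4.
sample_good() { cat <<'EOF'
pub   rsa4096 2017-03-06 [SC]
      5817A43B283DE5A9181A522E1848792F9E2795E9
uid           [ unknown] Qubes OS Release 4 Signing Key
sig!3        1848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key
sig!         DDFA1A3E36879494 2017-03-08  Qubes Master Signing Key
EOF
}
# Constructed failure cases: a master signature that did not verify, and none at all.
sample_bad()      { sample_good | sed 's/^sig! /sig- /'; }
sample_unsigned() { sample_good | grep -v "$MASTER_ID"; }

for s in sample_good sample_bad sample_unsigned; do
    if $s | check_release_key_sig "$RELEASE_FPR" "$MASTER_ID"; then
        echo "$s: release key carries a good master key signature"
    else
        echo "$s: FAIL, do not trust this release key"
    fi
done
```

On a real keyring the input would come from `gpg2 --check-sigs | check_release_key_sig "$RELEASE_FPR" "$MASTER_ID"`, after the master key fingerprint has been compared by hand as in step 3a.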

cooloutac

Mar 29, 2018, 12:18:55 PM
to qubes-users

Ya I do it as shown here https://www.qubes-os.org/security/verifying-signatures/

I don't bother with digests, I just download the signature and the key, and the master key. https://keys.qubes-os.org/keys/qubes-master-signing-key.asc

Check the master key is the same as shown on Joanna Rutkowska's Twitter.

Switch to the directory you imported everything. Then import it as shown on docs. gpg --import qubes-master-signing-key.asc

Then import the PGP release key the same way.

Then verify the .asc file with the iso as shown on docs. gpg -v --verify ascfile isofile

Then double-check the release 4 signature key shown is signed with the qubes master key as shown in docs as the last step with gpg --list-sig

Steven Walker

Mar 30, 2018, 9:39:23 AM
to qubes-users

I just imported the two keys. The version 4 signing key came back with "no ultimately trusted keys found". Is that an issue?

I am running it through budgie ubuntu. I currently have no qubes system installed. Am I doing this right?

I installed gpg2 in Ubuntu to run these commands through the terminal.

Thanks,

Steve

Chris Laprise

Mar 30, 2018, 10:27:10 AM
to Steven Walker, qubes-users
On 03/30/2018 09:39 AM, Steven Walker wrote:

>> Chris Laprise, tas...@posteo.net
>> https://github.com/tasket
>> https://twitter.com/ttaskett
>> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
>
> I just imported the two keys. The version 4 signing key came back with "no ultimately trusted keys found". Is that an issue?

It's not an immediate issue if you've just taken steps to check the
Master key (as described). However, the verifying-signatures doc
explains how to edit the Master key to set the trust level... it's just
an indicator from you saying "I trust this key" and that should make the
"no ultimately trusted keys found" message go away. I didn't include it
in my howto because it has a bug that can forget the setting.

>
> I am running it through budgie ubuntu. I currently have no qubes system installed. Am I doing this right?

Sounds OK.

>
> I installed gpg2 in Ubuntu to run these commands through the terminal.

I'm going by Debian's gpg setup, which only includes version 2 and both
'gpg' and 'gpg2' are the same command. But other distros still include
gpg 1.x so I found it's better to always specify gpg2.