A little help on Verifying Signatures


Patrick Bouldin

Apr 24, 2016, 2:48:16 AM
to qubes-devel
Hi,
New to all this stuff.
I downloaded the current .iso image and then began going through the description here: https://www.qubes-os.org/doc/verifying-signatures/#tocAnchor-1-1-2

I did all the stuff in "Importing Qubes Signing Keys"
..and did this..

$ gpg --import ./qubes-master-signing-key.asc 
or fetched directly with gpg.

..and this..


.. all seemed ok, chose "I trust ultimately", then ..

I got down successfully to the verify portion, here is what I entered:

$ gpg -v --verify Qubes-R3.1-x86_64.iso.asc Qubes-R3.1-x86_64.iso

The output is: "Signature made Tue 08 Mar 2016 09:40:56 PM CST using RSA key ID 03FA5082"
and then "Can't check signature: public key not found".

Yet in my Downloads folder both files are there. Any help would be appreciated.
PS - I am doing this in Ubuntu if that makes a difference.

Thank you,
Patrick

Axon

Apr 24, 2016, 3:34:41 AM
to Patrick Bouldin, qubes-devel

Patrick Bouldin:
In addition to the Master Signing Key, you also need the Release 3
Signing Key. You can get it like so:

curl https://keys.qubes-os.org/keys/qubes-release-3-signing-key.asc |
gpg --import

Each Release Key is signed by the Master Signing Key. Since you've
already trusted the Master Signing Key, the Release Key should already
be trusted, so verification should now work.

Patrick Bouldin

Apr 24, 2016, 9:54:28 AM
to qubes-devel
Thanks that seemed to work. Question though... I see now I was very confused about that step in the documentation, which said:

"For example: Qubes OS Release 2 Signing Key (0x0A40E458) is used for all Release 2 ISO images.

$ gpg --recv-keys 0x3F01DEF49719158EF86266F80C73B9D40A40E458
gpg: requesting key 0A40E458 from hkp server keys.gnupg.net
gpg: key 0A40E458: public key "Qubes OS Release 2 Signing Key" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
In fact I did download the release 3 signing key but did not do what you suggested, and don't see that on the documentation:
and then I verified the file (did not see that in the documentation).

But, I'm guessing it has to do with this statement:
$ gpg --recv-keys 0x3F01DEF49719158EF86266F80C73B9D40A40E458

But how do I get that long number every time the release changes?

Just want to make my own documentation for next time.

Thank you again,
Patrick

Axon

Apr 24, 2016, 10:34:35 AM
to Patrick Bouldin, qubes-devel

Patrick Bouldin:
> Thanks that seemed to work. Question though... I see now I was very
> confused about that step in the documentation, which said:
>
> "For example: Qubes OS Release 2 Signing Key (0x0A40E458
> <https://keys.qubes-os.org/keys/qubes-release-2-signing-key.asc>)
> is used for all Release 2 ISO images.
>
> $ gpg --recv-keys 0x3F01DEF49719158EF86266F80C73B9D40A40E458 gpg:
> [...]
>
> In fact I did download the release 3 signing key but did not do
> what you suggested, and don't see that on the documentation: "curl
> https://keys.qubes-os.org/keys/qubes-release-3-signing-key.asc
> [...]
>
> and then I verified the file (did not see that in the
> documentation).
>
> But, I'm guessing it has to do with this statement:
>
> $ gpg --recv-keys 0x3F01DEF49719158EF86266F80C73B9D40A40E458
>

Correct. Both of those commands (`curl [...] | gpg --import` and `gpg
--recv-keys [...]`) are ways to import the Release Signing Key to your
keyring. (You can also use `gpg --fetch-keys [...]`.)

Once the Release Signing Key is in your keyring, gpg will be able to
verify the ISO.

>
> But how do I get that long number every time the release changes?
>

The "long number" is just the long-form key ID ("0x" followed by the
key's fingerprint). As mentioned above, you don't actually have to
know what it is or even see it. You can simply fetch the new Release
Signing Key (e.g., when Qubes R4.0 is released) from the Qubes website.

The reason you don't have to pay any attention to the Release Signing
Key fingerprint is that every valid Release Signing Key will be signed
by the Master Signing Key. If any key purporting to be a Release
Signing Key isn't validly signed by the Master Signing Key, then it
isn't genuine. (This is why it's *very* important to get the correct
Master Signing Key fingerprint.)

> Just want to make my own documentation for next time.
>
> Thank you again, Patrick
>

(P.S. - Please try to avoid top posting.)
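As an added example (not part of this thread, and not Qubes project code), here is a POSIX shell version of the two facts Axon's argument rests on: the Master Signing Key's fingerprint must match what you obtained out of band, and a Release Signing Key only counts if it carries a good signature from that master key. It parses `gpg --with-colons` output; the sample output is constructed, the Release 2 fingerprint and the 03FA5082 short ID are taken from the thread, and the master key's long ID 0123456789ABCDEF is a placeholder.

```sh
#!/bin/sh
# Added example, not from the thread. Two checks over `gpg --with-colons`
# output that make Axon's trust argument mechanical: (1) a key's fingerprint
# equals the one you obtained out of band, and (2) a Release Signing Key
# carries a good signature from the Master Signing Key. Sample output below
# is constructed; the Release 2 fingerprint and the 03FA5082 short ID come
# from the thread, the master key's long ID 0123456789ABCDEF is a placeholder.

# key_fingerprint_matches EXPECTED   (stdin: gpg --with-colons --fingerprint KEY)
# Field 10 of the fpr record is the full fingerprint; compare ignoring case/spaces.
key_fingerprint_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    actual=$(awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# release_key_signed_by MASTER_LONGID   (stdin: gpg --with-colons --check-sigs KEY)
# Succeeds only for a sig record that gpg marked good ('!' in field 2) and
# whose signer key ID (field 5) is the master key; a self-signature or a
# signature from an unknown key ('?') does not count.
release_key_signed_by() {
    master=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -F: -v m="$master" '
        $1 == "sig" && $2 == "!" && toupper($5) == m { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of `gpg --with-colons --fingerprint 0x0A40E458`.
SAMPLE_FPR='pub:u:4096:1:0C73B9D40A40E458:1407870301:::u:::scSC::::::23::0:
fpr:::::::::3F01DEF49719158EF86266F80C73B9D40A40E458:
uid:u::::1407870301::0000000000000000000000000000000000000000::Qubes OS Release 2 Signing Key::::::::::0:'

# Constructed sample of `gpg --with-colons --check-sigs 03FA5082`: a
# self-signature plus a good signature from the placeholder master key.
SAMPLE_SIGS='pub:f:4096:1:0000000003FA5082:1441843424:::u:::scSC::::::23::0:
uid:f::::1441843424::0000000000000000000000000000000000000000::Qubes OS Release 3 Signing Key::::::::::0:
sig:!::1:0000000003FA5082:1441843424::::Qubes OS Release 3 Signing Key:13x:::::2:
sig:!::1:0123456789ABCDEF:1441843424::::Qubes Master Signing Key (placeholder):10x:::::2:'

# Demo on the samples. For a real check, replace printf with the gpg command
# named in the comment above and supply the fingerprint/ID you verified out of band.
if printf '%s\n' "$SAMPLE_FPR" | key_fingerprint_matches '3F01 DEF4 9719 158E F862 66F8 0C73 B9D4 0A40 E458' &&
   printf '%s\n' "$SAMPLE_SIGS" | release_key_signed_by 0123456789ABCDEF; then
    echo "fingerprint matches and release key is signed by the master key"
else
    echo "VERIFICATION CHECKS FAILED" >&2
fi
```

Only after both checks pass does it make sense to run `gpg --verify` on the ISO; a fingerprint mismatch means the key itself is suspect, whatever the ISO signature says.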

Patrick Bouldin

Apr 24, 2016, 10:59:29 AM
to qubes-devel, pat...@runthisproject.com, ax...@openmailbox.org
Ok, thanks for that information.

By the way, is it a programmatic/installation requirement to do this whole process? I am in favor of it, don't mistake the question - I'm just trying to put context to this process. In other words can someone simply load the qubes iso onto a disk or is something done to the iso file in this process that allows it to install?

Thanks again,
Patrick
 

Axon

Apr 24, 2016, 11:16:37 AM
to Patrick Bouldin, qubes-devel

Patrick Bouldin:
>
>
> On Sunday, April 24, 2016 at 9:34:35 AM UTC-5, Axon wrote:
>>
> Patrick Bouldin:
>>>> Thanks that seemed to work. Question though... I see now I
>>>> was very confused about that step in the documentation, which
>>>> said:
>>>>
>>>> "For example: Qubes OS Release 2 Signing Key (0x0A40E458
>>>> <https://keys.qubes-os.org/keys/qubes-release-2-signing-key
>>>> .asc>) is used for all Release 2 ISO images.
>>>>
>>>> $ gpg --recv-keys 0x3F01DEF49719158EF86266F80C73B9D40A40E458
>>>> gpg: [...]
>>>>
>>>> In fact I did download the release 3 signing key but did not
>>>> do what you suggested, and don't see that on the
>>>> documentation: "curl
>>>> https://keys.qubes-os.org/keys/qubes-release-3-signing-key
>>>> .asc [...]
>>>>
>>>> and then I verified the file (did not see that in the
>>>> documentation).
>>>>
>>>> But, I'm guessing it has to do with this statement:
>>>>
>>>> $ gpg --recv-keys 0x3F01DEF49719158EF86266F80C73B9D40A40E458
>>>>
>>>>
>
> Correct. Both of those commands (`curl [...] | gpg --import` and
> `gpg --recv-keys [...]`) are ways to import the Release Signing Key
> Ok, thanks for that information.
>
> By the way, is it a programmatic/installation requirement to do
> this whole process? I am in favor of it, don't mistake the question
> - I'm just trying to put context to this process. In other words
> can someone simply load the qubes iso onto a disk or is something
> done to the iso file in this process that allows it to install?
>
> Thanks again, Patrick
>
>

No, the signature verification procedure doesn't alter the ISO in any
way. It's just for your own security. Verifying the ISO in this way
ensures that the ISO you downloaded wasn't tampered with or replaced
with a malicious ISO by an attacker.