Patrick Bouldin:
> Thanks that seemed to work. Question though... I see now I was very
> confused about that step in the documentation, which said:
>
> "For example: Qubes OS Release 2 Signing Key (0x0A40E458
> <https://keys.qubes-os.org/keys/qubes-release-2-signing-key.asc>)
> is used for all Release 2 ISO images.
>
> $ gpg --recv-keys 0x3F01DEF49719158EF86266F80C73B9D40A40E458 gpg:
> [...]
> [...]
>
> and then I verified the file (did not see that in the
> documentation).
>
> But, I'm guessing it has to do with this statement:
>
> $ gpg --recv-keys 0x3F01DEF49719158EF86266F80C73B9D40A40E458
>
Correct. Both of those commands (`curl [...] | gpg --import` and
`gpg --recv-keys [...]`) are ways to import the Release Signing Key to your
keyring. (You can also use `gpg --fetch-keys [...]`.)

Once the Release Signing Key is in your keyring, gpg will be able to
verify the ISO.
>
> But how do I get that long number every time the release changes?
>
The "long number" is just the long-form key ID ("0x" followed by the
key's fingerprint). As mentioned above, you don't actually have to
know what it is or even see it. You can simply fetch the new Release
Signing Key (e.g., when Qubes R4.0 is released) from the Qubes website.

The reason you don't have to pay any attention to the Release Signing
Key fingerprint is that every valid Release Signing Key will be signed
by the Master Signing Key. If any key purporting to be a Release
Signing Key isn't validly signed by the Master Signing Key, then it
isn't genuine. (This is why it's *very* important to get the correct
Master Signing Key fingerprint.)
> Just want to make my own documentation for next time.
>
> Thank you again, Patrick
>
(P.S. - Please try to avoid top posting.)
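The rule stated in the reply above (a Release Signing Key is genuine only if it is validly signed by the Master Signing Key) can be checked mechanically. The following is an added example, not part of the original message or the Qubes documentation: `certified_by` is a hypothetical helper, and the master fingerprint, timestamps and key listing are constructed placeholders.

```shell
#!/bin/sh
# Reads `gpg --with-colons --check-sigs` output on stdin and succeeds only if
# the key with fingerprint $1 carries a verified ("!") signature made by the
# key with fingerprint $2, and no verified revocation of it by that key.
certified_by() {
    awk -F: -v target="$1" -v master="$2" '
        BEGIN { sub(/^0[xX]/, "", target); sub(/^0[xX]/, "", master)
                target = toupper(target); master = toupper(master)
                mid = substr(master, length(master) - 15) }  # long key ID
        $1 == "pub" { in_target = 0; after_pub = 1; next }
        $1 == "fpr" { if (after_pub && $10 == target) in_target = 1
                      after_pub = 0; next }
        $1 == "sub" { in_target = 0; after_pub = 0; next }  # skip subkey sigs
        in_target && ($1 == "sig" || $1 == "rev") && $2 == "!" {
            # Field 13 is the issuer fingerprint when the signature carries
            # one; older signatures only give the long key ID in field 5.
            issuer_ok = ($13 != "") ? ($13 == master) : ($5 == mid)
            if (issuer_ok && $1 == "sig") good = 1
            if (issuer_ok && $1 == "rev") revoked = 1
        }
        END { exit !(good && !revoked) }
    '
}

# Constructed listing: the release fingerprint is the one quoted in the
# thread; MASTER_FPR is a placeholder, NOT the real Master Signing Key.
RELEASE_FPR=3F01DEF49719158EF86266F80C73B9D40A40E458
MASTER_FPR=0000000000000000000000001111222233334444
SAMPLE='pub:-:4096:1:0C73B9D40A40E458:1400000000:::-:::scESC:
fpr:::::::::3F01DEF49719158EF86266F80C73B9D40A40E458:
uid:-::::1400000000::::Qubes OS Release 2 Signing Key:
sig:!::1:0C73B9D40A40E458:1400000000::::Qubes OS Release 2 Signing Key:13x:
sig:!::1:1111222233334444:1400000001::::Constructed Master Signing Key:10x:'

if printf '%s\n' "$SAMPLE" | certified_by "0x$RELEASE_FPR" "$MASTER_FPR"; then
    echo "release key is certified by the master key"
else
    echo "NOT certified by the master key: do not trust this release key"
fi
```

Against a real keyring, pipe `gpg --with-colons --with-fingerprint --check-sigs "$RELEASE_FPR"` into the function; a "!" only means something if the master key in that keyring is the one whose fingerprint you verified out of band.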