Verifying Install Files: Confused About How to Verify R3 ISO file

14 views
Skip to first unread message

Kyle Breneman

unread,
Dec 20, 2017, 10:44:46 PM12/20/17
to qubes...@googlegroups.com
I'm new to verifying keys and signatures.  I downloaded the Qubes R3 ISO file and accompanying signature file, as well as the Qubes Master Signing Key.  I verified and trusted the Qubes Master Signing Key.  I am stuck on how to verify the ISO file using the accompanying key.  GPG tells me that it cannot check the signature as there is no public key.  See attached screenshots.  What am I doing wrong?  Please help!

Kyle
Capture.PNG

Chris Laprise

unread,
Dec 20, 2017, 11:00:49 PM12/20/17
to Kyle Breneman, qubes...@googlegroups.com
> --
> You received this message because you are subscribed to the Google
> Groups "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to qubes-users...@googlegroups.com
> <mailto:qubes-users...@googlegroups.com>.
> To post to this group, send email to qubes...@googlegroups.com
> <mailto:qubes...@googlegroups.com>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/CAOtZr%3DEPevaHZ%2BJsumX0hcPpEpMVu0vbu7vSmvoHHME5YpeTJQ%40mail.gmail.com
> <https://groups.google.com/d/msgid/qubes-users/CAOtZr%3DEPevaHZ%2BJsumX0hcPpEpMVu0vbu7vSmvoHHME5YpeTJQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/d/optout.

The Master key just verifies the release keys (one for each Qubes
version). You need to import the v3 release key also.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Kyle Breneman

unread,
Dec 22, 2017, 3:53:06 PM12/22/17
to Chris Laprise, qubes...@googlegroups.com
On Wed, Dec 20, 2017 at 11:00 PM, Chris Laprise <tas...@posteo.net> wrote:
On 12/20/2017 10:44 PM, Kyle Breneman wrote:
I'm new to verifying keys and signatures.  I downloaded the Qubes R3 ISO file and accompanying signature file, as well as the Qubes Master Signing Key.  I verified and trusted the Qubes Master Signing Key.  I am stuck on how to verify the ISO file using the accompanying key.  GPG tells me that it cannot check the signature as there is no public key.  See attached screenshots.  What am I doing wrong?  Please help!

Kyle

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscribe@googlegroups.com <mailto:qubes-users+unsubscribe...@googlegroups.com>.
To post to this group, send email to qubes...@googlegroups.com <mailto:qubes-users@googlegroups.com>.

The Master key just verifies the release keys (one for each Qubes version). You need to import the v3 release key also.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

​Thanks, Chris!  ​I got one step further: successfully verifying the ISO signature with the Qubes OS Release 3 Signing Key.  Should I still use the Qubes Master Signing Key to verify that my Qubes OS Release 3 Signing Key is good?  If so, how to I use gpg4win to do this?

Kyle
success.PNG

Matteo

unread,
Dec 24, 2017, 3:13:22 AM12/24/17
to qubes...@googlegroups.com
> ​Thanks, Chris!  ​I got one step further: successfully verifying the ISO
> signature with the Qubes OS Release 3 Signing Key.  Should I still use
> the Qubes Master Signing Key to verify that my Qubes OS Release 3
> Signing Key is good?  If so, how to I use gpg4win to do this?
>
> Kyle

yes, you should check it.

Qubes R3 key should be signed with the masterkey.
this means that:
1-if you checked that the master key is original
2-and you see that R3 key is signed (certified) by the masterkey

it means that also the R3 key is original without any other check
(*because you trust the team behind qubes)

to do this check using gpg4win you can:
-from kleopatra: double click on the key, click certifications, and
check that "qubes master key" is listed WITH THE CORRECT FINGERPRINT
(the name is useless as anyone can generate a key called in that way,
but noone can generate it with the correct fingerprint)

-from gpa: click detailed than signatures; check that the master key is
listed.

the final question is how do you know that the master key is the
original one?
you can check these websites, all of them has a copy of the masterkey
and all of them are https.
here you can find the fingerprint:
https://github.com/rootkovska/rootkovska.github.io/tree/master/keys
https://keys.qubes-os.org/keys/
https://www.youtube.com/watch?v=S0TVw7U3MkE (near the end 46:51)
https://hyperelliptic.org/PSC/slides/psc2015_qubesos.pdf (last slide)
https://twitter.com/rootkovska/status/496976187491876864

all this might seem complex but in the end it means:
-get masterkey and check that is original (get only once, but you can
verify that fingerprint on your pc match the one on website many times
in different moments)
-get (only once) the r3/4 key and check that is signed (certified) by
the masterkey, this means more or less: "me the masterkey, say that that
this gpg key is the only real r3/4 key"
-get the signature and the signed file and verify the signature: it
should say "good" and should also say "signed using [fingerprint of]
r3/r4 key" (the one that we trust because above points)

i hope that i have not confused you more than you were before :)
infoKeyGPA.png
infoKeyKleo.png
Reply all
Reply to author
Forward
0 new messages