Why should I verify digests, if I already checked PGP signatures?


Arqwer

Oct 1, 2016, 9:07:32 AM
to qubes-users
Documentation says to check digests after I verified an .iso with gpg. Why? Doesn't a correct PGP signature mean that the .iso is good and came from the Qubes developers?

Chris Laprise

Oct 1, 2016, 12:36:36 PM
to Arqwer, qubes-users
On 10/01/2016 09:07 AM, Arqwer wrote:
> Documentation says to check digests after I verified an .iso with gpg. Why? Doesn't a correct PGP signature mean that the .iso is good and came from the Qubes developers?
>

It's really an alternative to gpg verification, not an additional step.
The doc doesn't mention that.

Chris

Andrew David Wong

Oct 1, 2016, 3:43:51 PM
to Chris Laprise, Arqwer, qubes-users
Added. Thanks!

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


jkitt

Oct 3, 2016, 7:13:03 PM
to qubes-users
On Saturday, 1 October 2016 14:07:32 UTC+1, Arqwer wrote:
> Documentation says to check digests after I verified an .iso with gpg. Why? Doesn't a correct PGP signature mean that the .iso is good and came from the Qubes developers?

Yes, it does. Normally distros sign the digest. Qubes signs the iso.

yaqu

Oct 4, 2016, 5:06:49 AM
to qubes...@googlegroups.com
On Mon, 3 Oct 2016 16:13:03 -0700 (PDT), jkitt <jazzki...@gmail.com>
wrote:
To be precise: Qubes signs both, the iso and the digest.

--
yaqu