Verify Qubes OS ISO on Windows 10

[Maria Losdren]

Hello guys,

i have big problems verifying the Qubes Iso on Windows. I read several tutorials, but nothing works.

Actually i am running into this problem:

When i navigate into the folder where the qubes iso and signature files are placed in, I try to execute this command through windows cmd:

$ gpg2 --import qubes-master-signing-key.asc

Evertime it tell me : "The command "$" is either misspelled or could not be found."

Can you tell me why this error gets up?

I am fully new to qubes. 

[unman]

In Linux, it's common to show what will appear on screen when giving
instructions, and for most users, the prompt will be "$"

Dont include the "$" in your command - just type from "gpg2" onward.
(I assume you have some windows version of gpg2 installed.)

Welcome to Qubes.
If you hit other problems, ask away.

[Maria Losdren]

Yes, thats correct. I am using gpg4win.

When i try just using "gpg2" without "$", i still get the same error.

[unman]

The convention on the list is to post at the bottom of the message, not
the top.

I doubt you have "the same error", since you are no longer typing "$".
What is the error?

[Maria Losdren]

C:\Users\Administrator\Desktop\qubes>gpg2 --import qubes-master-signing-key.asc

Der Befehl "gpg2" ist entweder falsch geschrieben oder

konnte nicht gefunden werden.

[unman]

> --

The convention on the list is to post at the bottom of the message, not

the top. Please take a few seconds to scroll down and save other
readers pain.

You are typing in a command using a program that is not installed on
your windows machine.

I've looked at the gpg4win documentation (perhaps you should do so
too). It seems you should have an entry "Decrypt and verify" in your
Windows explorer menu, and that will enable you to verify the signature.

[Maria Losdren]

Yes but there is no good documentation on Qubes how to do this in the windows gui.

I am a noob and i can only use step by step tutorials. 

[Lorenzo Lamas]

On Monday, January 27, 2020 at 1:32:53 PM UTC+1, Maria Losdren wrote:

Yes but there is no good documentation on Qubes how to do this in the windows gui.

I am a noob and i can only use step by step tutorials. 

The command line works differently on Windows. You cannot just use a program like on Linux, but you have to go to the exe file. So most likely:
CD C:\Program Files (x86)\gnupg\bin

then:
gpg2.exe --import qubes-master-signing-key.asc

(or any other command.) Note that if you copy and paste this it will not work, you also need to add the file path, e.g.:
gpg2.exe --import C:\Users\*your username\Downloads\qubes-master-signing-key.asc

[unman]

Does gpg4win have gpg2.exe?
In any case, the gpg4win application seems to be a better route for
someone who isnt used to linux or the command line. And, from what I can
see it's also incorporated in to windows context menus.

[Lorenzo Lamas]

Ah you're correct, it is gpg.exe, there is no gpg2.exe

The GUI is easier, but has it's own complexities. There are two different applications, GPA and Kleopatra, and if I recall correctly you also need to sign the Qubes key yourself otherwise you will get an error, so it also involves creating your own keypair.

@Maria
Try this. Open GPA, import your downloaded master key. Check if the fingerprint is correct. Right click set owner trust and set it to ultimate. Then download the release signing key and also import it. Download the Qubes iso and signature. Right click the signature and go to More GpgEx options, and click Verify. If the verify gives you an error, try command line:
cd C:\Program Files (x86)\gnupg\bin

Then use gpg to verify(change path to correct download folder, you can right-click the signature file, click properties, and copy and paste the file path):

gpg.exe --verify C:\Users\*your username*\Downloads\Qubes-R4.0.3-x86_64.iso.asc