Re: [qubes-devel] Unable to Verify Iso - public key not found
Joanna Rutkowska
> Hi,
>
> I'd like to try Qubes, but unfortunately I am failing at the verification
> process, I followed http://wiki.qubes-os.org/trac/wiki/VerifyingSignatures
> here is all my terminal in- and output:
> (after some failed attempts)
> Maybe someone can help me out, where I missed something?
>
>
> ubuntu@ubuntu:/media/D6B86E3AB86E18EF$ gpg --recv-keys 0x36879494
> gpg: requesting key 36879494 from hkp server keys.gnupg.net
> gpg: key 36879494: "Qubes Master Signing Key" not changed
> gpg: Total number processed: 1
> gpg: unchanged: 1
> ubuntu@ubuntu:/media/D6B86E3AB86E18EF$ gpg --edit-key 0x36879494
> gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
>
> pub 4096R/36879494 created: 2010-04-01 expires: never usage: SC
> trust: ultimate validity: ultimate
> [ultimate] (1). Qubes Master Signing Key
>
> gpg> trust
> pub 4096R/36879494 created: 2010-04-01 expires: never usage: SC
> trust: ultimate validity: ultimate
> [ultimate] (1). Qubes Master Signing Key
>
> Please decide how far you trust this user to correctly verify other users'
> keys
> (by looking at passports, checking fingerprints from different sources,
> etc.)
>
> 1 = I don't know or won't say
> 2 = I do NOT trust
> 3 = I trust marginally
> 4 = I trust fully
> 5 = I trust ultimately
> m = back to the main menu
>
> Your decision? 5
> Do you really want to set this key to ultimate trust? (y/N) y
>
> pub 4096R/36879494 created: 2010-04-01 expires: never usage: SC
> trust: ultimate validity: ultimate
> [ultimate] (1). Qubes Master Signing Key
>
> gpg> q
> ubuntu@ubuntu:/media/D6B86E3AB86E18EF$ gpg --recv-keys AC1BF9B3
> gpg: requesting key AC1BF9B3 from hkp server keys.gnupg.net
> gpg: key AC1BF9B3: "Qubes OS Release 1 Signing Key" not changed
> gpg: Total number processed: 1
> gpg: unchanged: 1
> ubuntu@ubuntu:/media/D6B86E3AB86E18EF$ gpg -v
> Qubes-R1-x86_64-DVD.iso.ascgpg: armor header: Version: GnuPG v1.4.12
> (GNU/Linux)
> gpg: assuming signed data in `Qubes-R1-x86_64-DVD.iso'
> gpg: Signature made Wed 29 Aug 2012 11:13:53 AM UTC using RSA key ID
> 211093A7
> gpg: Can't check signature: public key not found
>
As can be read at the end of this output above, the ISO you're veryfing
has been signed with key ID 211093A7, not AC1BF9B3, which was used in
the wiki just as an example.
So you want to import the 211093A7 key instead.
Ok, so, a tricky question to check your understanding -- so what sense
does it all make, if perhaps the attacker can sign the ISO with yet
another key and make you import yet another key?
joanna.
Joanna Rutkowska
> Hi Joanna,
>
> thanks for the quick answer.
>
>>
>> Ok, so, a tricky question to check your understanding -- so what sense
>> does it all make, if perhaps the attacker can sign the ISO with yet
>>
> another key and make you import yet another key?
>>
>
> private Key for matching the key to the .asc file?
>
No, anybody can generate a new key pair and sign whatever file with it.
See e.g. gpg --gen-key.
And here's where the master key plays a crucial role -- all other Qubes'
keys are signed by the master key. So, once you imported and set trust
to the master key (as described in the wiki), other Qubes keys should be
automatically trusted for verification (one should see no warning when
verifying isos).
> But I have not much knowledge about signing (though I know a little bit
> about encrypting in general)
> So I am not sure what I now should make of my new output with the correct
> key?
>
Sadly, a person who doesn't really understand how signing works, and gpg
specifically, can (probably) be always easily manipulated... :/
E.g. in the output of gpg commands you attached in your previous email,
I can see that you never bothered to actually display the fingerprint of
the master key you imported... So, how could you know that the master
you received (from some keyserver) was indeed genuine?
> As can be read at the end of this output above, the ISO you're veryfing
>> has been signed with key ID 211093A7, not AC1BF9B3, which was used in
>> the wiki just as an example.
>>
>> So you want to import the 211093A7 key instead.
>>
>
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
>
> I suppose the warning is not supposed to show up?
>
Correct, the key you imported (211093A7), if indeed a correct one
(surely there could be a fake key that presents itself as 211093A7),
should cleanly verify the ISO (assuming the ISO is also correct, of
course). This is because the real key should be signed by the master key
(which you should have verified and decided to trust for other keys
verification).
Perhaps, due to some error, the key you're receiving from the gpg server
is not signed by our master key. You can also try to get this key from
our key server:
http://keys.qubes-os.org/keys/
Again, note this is an unsecure HTTP -- that's ok, because if the key
you download is somehow incorrect, then the master key will not certify
it, and you should get a warning or error during verification.
joanna.
And, BTW, from the dump you sent, I see you're attempting to perform
this verification on some Ubuntu system -- just out of curiosity, how
have you performed verification of the Ubuntu installation ISO before
you installed your Ubuntu system? ;)
Alex Dubois
Is what I did... Any addition?
sunny.c...@gmail.com
gpg -v Qubes-R2-x86_64-DVD.iso.asc
gpg: armor header: Version: GnuPG v1
gpg: assuming signed data in `Qubes-R2-x86_64-DVD.iso'
gpg: Signature made Tue 23 Sep 2014 09:38:40 BST using RSA key ID 0A40E458
gpg: Can't check signature: public key not found
gpg: requesting key 211093A7 from hkp server keys.gnupg.net
gpg: key 211093A7: "Qubes OS Release 1 Signing Key" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
Can you help my with the correction I'm needing ?
Dre :)
Hakisho Nukama
please post your reply at the end of the quote, if you're
sending to a mailing list.
Thanks!
What signing key do I need to verify an ISO for Release 2?
You need the Qubes OS Release *2* Signing Key.
# Get masterkey
gpg --recv-keys 0x36879494
# Set trust for masterkey
gpg --edit-key 0x36879494
and then: trust, 5, y, q
# Get signing key for Release *2*:
gpg --recv-keys 0x0A40E458
# Check with the provided .asc
gpg: armor header: Version: GnuPG v1
gpg: assuming signed data in `Qubes-R2-x86_64-DVD.iso'
gpg: using PGP trust model
gpg: Good signature from "Qubes OS Release 2 Signing Key"
gpg: binary signature, digest algorithm SHA1
Best Regards,
Hakisho Nukama
kare.m....@gmail.com
Kares-MacBook-Pro:Downloads karejonsson$ ls
GPG_Suite-2015.09.dmg Qubes-R3.0-x86_64-DVD.iso.DIGESTS Qubes-R3.0-x86_64-DVD.iso.download qubes-secpack
Qubes-R3.0-x86_64-DVD.iso Qubes-R3.0-x86_64-DVD.iso.asc qubes-release-3-signing-key.asc
Kares-MacBook-Pro:Downloads karejonsson$ md5 Qubes-R3.0-x86_64-DVD.iso
MD5 (Qubes-R3.0-x86_64-DVD.iso) = f07fc791354b5ae00ebc0b9db60bdc69
Kares-MacBook-Pro:Downloads karejonsson$ openssl sha1 Qubes-R3.0-x86_64-DVD.iso
SHA1(Qubes-R3.0-x86_64-DVD.iso)= 1570a0f0efe685078316ba73e04a442445780bef
Kares-MacBook-Pro:Downloads karejonsson$ gpg -v Qubes-R3.0-x86_64-DVD.iso.asc
Version: GnuPG v1
gpg: armor header:
gpg: assuming signed data in 'Qubes-R3.0-x86_64-DVD.iso'
gpg: Signature made Tis 29 Sep 10:41:17 2015 CEST using RSA key ID 03FA5082
gpg: using PGP trust model
gpg: BAD signature from "Qubes OS Release 3 Signing Key" [full]
gpg: binary signature, digest algorithm SHA256
Kares-MacBook-Pro:Downloads karejonsson$ gpg --list-key
/Users/karejonsson/.gnupg/pubring.gpg
-------------------------------------
pub 2048D/00D026C4 2010-08-19 [expires: 2018-08-19]
uid [ultimate] GPGTools Team <te...@gpgtools.org>
uid [ultimate] GPGMail Project Team (Official OpenPGP Key) <gpgmai...@lists.gpgmail.org>
uid [ultimate] GPGTools Project Team (Official OpenPGP Key) <gpgtoo...@lists.gpgtools.org>
uid [ultimate] [jpeg image of size 5871]
sub 2048g/DBCBE671 2010-08-19 [expires: 2018-08-19]
sub 4096R/0D9E43F5 2014-04-08 [expires: 2024-01-02]
pub 4096R/073C47E2 2015-12-28 [expires: 2019-12-28]
uid [ultimate] Kåre Jonsson <kare.m....@gmail.com>
sub 4096R/A0AF3E6D 2015-12-28 [expires: 2019-12-28]
pub 4096R/03FA5082 2014-11-19
uid [ full ] Qubes OS Release 3 Signing Key
pub 4096R/36879494 2010-04-01
uid [ultimate] Qubes Master Signing Key
pub 4096R/C37BB66B 2010-04-01 [expired: 2011-04-01]
uid [ expired] Joanna Rutkowska (Qubes OS signing key) <joa...@invisiblethingslab.com>
pub 4096R/1E30A75D 2011-03-21 [expired: 2012-03-20]
uid [ expired] Joanna Rutkowska (Qubes OS signing key) <joa...@invisiblethingslab.com>
pub 4096R/74EADABC 2011-04-01 [expired: 2012-03-31]
uid [ expired] Joanna Rutkowska (Qubes OS signing key) <joa...@invisiblethingslab.com>
pub 4096R/65EF29CA 2012-03-31 [expired: 2013-03-31]
uid [ expired] Joanna Rutkowska (Qubes OS Signing Key) <joa...@invisiblethingslab.com>
pub 4096R/34898310 2013-04-23
uid [ full ] Joanna Rutkowska (Qubes OS Signing Key) <joa...@invisiblethingslab.com>
pub 4096R/B298547C 2011-01-24 [expired: 2012-03-05]
uid [ expired] Marek Marczykowski (Qubes OS signing key) <marm...@mimuw.edu.pl>
uid [ expired] Marek Marczykowski <marm...@mimuw.edu.pl>
pub 4096R/AB5EEF90 2012-03-06 [expired: 2013-03-06]
uid [ expired] Marek Marczykowski (Qubes OS signing key) <marm...@invisiblethingslab.com>
pub 4096R/A603BCB6 2013-03-06 [expired: 2014-03-06]
uid [ expired] Marek Marczykowski (Qubes OS signing key) <marm...@invisiblethingslab.com>
pub 4096R/42CFA724 2014-03-05
uid [ full ] Marek Marczykowski-Górecki (Qubes OS signing key) <marm...@invisiblethingslab.com>
pub 4096R/4C85173A 2013-09-05
uid [ full ] Rafał Wojdyła (Qubes OS signing key) <om...@invisiblethingslab.com>
uid [ full ] Rafał Wojdyła (Qubes OS signing key) <om...@omeg.pl>
pub 4096R/15CE40BF 2014-10-03
uid [ full ] Wojciech Zygmunt Porczyk (Qubes OS signing key) <wo...@invisiblethingslab.com>
pub 4096R/2A019A17 2015-02-25
uid [ unknown] Axon (Qubes Documentation Signing Key)
pub 4096R/CA74A5C3 2015-04-23
uid [ unknown] Joanna Rutkowska (Qubes Documentation Signing Key) <joa...@invisiblethingslab.com>
pub 4096R/9684938A 2015-04-23
uid [ unknown] Marek Marczykowski-Górecki (Qubes Documentation Signing Key) <marm...@invisiblethingslab.com>
pub 4096R/09DAFB92 2015-03-05
uid [ unknown] Hakisho Nukama (Qubes Documentation Signing Key)
sub 4096R/3C618D64 2015-03-05
sub 4096R/ACE2CBF7 2015-03-05
sub 4096R/81C48321 2015-03-05 [expires: 2015-12-31]
pub 4096R/3C677AEC 2015-09-23
uid [ unknown] Wojtek Porczyk (Qubes Documentation Signing Key) <wo...@invisiblethingslab.com>
pub 4096R/E9720C4D 2015-03-05
uid [ unknown] Zrubi (Qubes Documentation Signing Key)
sub 4096R/929D0EA8 2015-03-05
sub 4096R/6E087C23 2015-03-05
pub 4096R/211093A7 2012-03-31
uid [ full ] Qubes OS Release 1 Signing Key
pub 4096R/92C7B3DC 2015-01-05
uid [ full ] Joanna Rutkowska (Qubes Security Pack Signing Key) <joa...@invisiblethingslab.com>
pub 4096R/1830E06A 2015-01-05
uid [ full ] Marek Marczykowski-Górecki (Qubes security pack) <marm...@invisiblethingslab.com>
pub 4096R/3F48CB21 2012-11-15
uid [ full ] Qubes OS Security Team <secu...@qubes-os.org>
sub 4096R/30498E2A 2012-11-15
Kares-MacBook-Pro:Downloads karejonsson$
Marek Marczykowski-Górecki
Hash: SHA256
On Tue, Dec 29, 2015 at 02:06:39AM -0800, kare.m....@gmail.com wrote:
> This must mena something
>
> Kares-MacBook-Pro:Downloads karejonsson$ ls
>
> GPG_Suite-2015.09.dmg Qubes-R3.0-x86_64-DVD.iso.DIGESTS
> Qubes-R3.0-x86_64-DVD.iso.download qubes-secpack
>
> Qubes-R3.0-x86_64-DVD.iso Qubes-R3.0-x86_64-DVD.iso.asc
> qubes-release-3-signing-key.asc
>
> Kares-MacBook-Pro:Downloads karejonsson$ md5 Qubes-R3.0-x86_64-DVD.iso
>
> MD5 (Qubes-R3.0-x86_64-DVD.iso) = f07fc791354b5ae00ebc0b9db60bdc69
>
> Kares-MacBook-Pro:Downloads karejonsson$ openssl sha1
> Qubes-R3.0-x86_64-DVD.iso
>
> SHA1(Qubes-R3.0-x86_64-DVD.iso)= 1570a0f0efe685078316ba73e04a442445780bef
> Kares-MacBook-Pro:Downloads karejonsson$ gpg -v
> Qubes-R3.0-x86_64-DVD.iso.asc
>
> Version: GnuPG v1
>
> gpg: armor header:
>
> gpg: assuming signed data in 'Qubes-R3.0-x86_64-DVD.iso'
>
> gpg: Signature made Tis 29 Sep 10:41:17 2015 CEST using RSA key ID 03FA5082
>
> gpg: using PGP trust model
>
> gpg: BAD signature from "Qubes OS Release 3 Signing Key" [full]
> gpg: binary signature, digest algorithm SHA256
>
> Kares-MacBook-Pro:Downloads karejonsson$ gpg --list-key
> I do notice that the key used (defaults to 03FA5082) is not the Release 3
> signing key (36879494).
keys. 03FA5082 is Release 3 signing key, used to sign packages and ISO
images.
> It puzzles me that I have read so much now when
> attempting to verify the ISO without reading of how to use an explicit key.
>
> Further help is greatly appreciated. I have done my stick-installation but
> I want this done before I try to boot from it.
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJWgpKUAAoJENuP0xzK19cspdkH/jIAbTZ9EbVMtiJhyV/V45qF
5IYbrVfhliiLldHOKQPj8jhU4oAK1hLOdvVlv2V3mgILdW6e3TZdNJRz3/7tIdkS
gfObTG58DZX11agsR5WBIAYRTBzdRG0SAuehIdhoRRdXhvz71zY5udMYNHSf06hS
toYv0GHJIWwn40Y7X+o5fWdBrSWkrSvwOULXARroLbFvSDTRt/NVBBr+sOJPyRdX
RJM9XPxPntVe+DlNPTlgdpWDHhL1YYZ3qPFTo+pqgllDc4GWt493Ylah4Z2BSuPz
e22ROIWLn4a4uFiOF6GjPuyOXjMZtTR0uYv2TL10FMxXTY/rl6j7ue+uTgj//nE=
=AU+Z
-----END PGP SIGNATURE-----
dan.m...@gmail.com
$ gpg -v --verify Qubes-R2-x86_64-DVD.iso.ascgpg -v --verify Qubes-R2-x86_64-DVD.iso.asc Qubes-R2-x86_64-DVD.iso
Axon
Hash: SHA512
dan.m...@gmail.com:
>
> https://www.qubes-os.org/doc/verifying-signatures/
>
> There is an omission here:
>
> $ gpg -v --verify Qubes-R2-x86_64-DVD.iso.asc
>
>
> Should be
>
> gpg -v --verify Qubes-R2-x86_64-DVD.iso.asc
> Qubes-R2-x86_64-DVD.iso
>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJWldMDAAoJEJh4Btx1RPV8DL0QAM+Wm0ySUCoD5eSaBHlLx+ID
zarwItwaKQeXL3+4IJxYUmoBVQtcPWUDZhPzL2ekYOT0lsDIfYxE+KurdZcALLcz
EFw3OH8hCsthZ66YAgRpOVktELdSGYzIXHT835iZLHOQ9ryxJrHRtmD1L5vhvB42
Wrf7z7Twl8ljOn4Ssl8gSC6fF5pCmTKq/g9UMgW/q26FUfIvBCOdEnMMFi6MFxsx
Ul0uq52+PyeAz5b57WQqUZZu/SXkFw7tzl3+eScHiuoBabwDOORRMoAlyVUidEDm
ZPKpg8xvhBu+l0tTKSs8usUvL18hkja+HgUBgAN6UP4WycJ3U7atA47DQgNS5jxV
LV2EXJ9n86bGRlSNA0nxFEYQK6KhDN/6t+T8HcbHfVYWMF32iEsm38Llej9/tp49
cMCsVH05JPf5dE7upabecGKmM4J81Sl75pZYMCwiQoAGumaPIklLj1e1iiwAxn0j
J3sudc+1kYfNTAjeH9rt5CR9XYr/bEDnt0kmH71oozMcNpz0QK5QCdYJG7yZG43p
qCQO2dk8Unf3vrOLjTujHGyZZQCI6QJxSKB+E0OxVOL2mMk3U6o3gwaLqeS+r2Kt
xwvyY3EBr1+a+uTpTUgBLi4r05ACDGtwx6j+bWFfRzUbxIDQ3pG1fLbGZgTaZtin
SX5TM3BsjW1wtz6d6JPR
=F9bT
-----END PGP SIGNATURE-----
Qubed One
>> Hi,
>
>> https://www.qubes-os.org/doc/verifying-signatures/
>
>> There is an omission here:
>
>> $ gpg -v --verify Qubes-R2-x86_64-DVD.iso.asc
>
>
>> Should be
>
>> gpg -v --verify Qubes-R2-x86_64-DVD.iso.asc
>> Qubes-R2-x86_64-DVD.iso
>
>
> Doesn't gpg automatically assume the second argument?
>
Axon
Hash: SHA512
change the documentation. (dan.mi.sun: if you still think it should be
changed, please explain why.)
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJWl6FLAAoJEJh4Btx1RPV8apsQAIQdybJ9Z0/a2ehZIEH98u8c
oA/83jM78wmEL2mXnFLQqqAkgcNHCFqIo2TcMTDk+vYk/Sl0mmV+TyKdfxBRNa/r
NC+8Cglf34EFSq1m4aKiDcPZeVOYGiSRDF2xTXNpuYhBlIBtJYRzshmNqRQ5JgP+
bmUCJRR1oHanUs/IxYLEtCzVuGGpOKYDtoSS5XVxaCOn3VwG+CoZqOWRGt/gh47x
SeBNKBdZKSXFrmOsXG0vhU1Yrzw3vzBxweah7UhCs8YwWXsxGVmfZSPJ2vbEEMWw
s+I2MeU/S1jgK2EmuUxyIYLEADqWzKKN/H7bm6o6DV50nRMk4wFMdCsUyGxkbkHc
g9n+7C1M9CxdxWCI4IH+ce+sD08/CVDTRv6H128tImPds3Yl1Y78mb5TcyBGYH7w
quvIpdlW2tVlysVAsOiHsroPt7TCXnqO/19CE1BR0epxSMUaHbyGb0iQyy6SFHD2
WJ2BKVcYatv5FPanKdAkPuhKuWEwm4+rUXPzV+5yLUBPMoWSs8Gs3/IZo9bI+5Qh
lhZHNy4C/GF7eJE9HuJAVhzcTCLTsbcWrHIJgn0+PmTFzqx6zeYvswTLbyzGO6tK
VoCdQuxhraHfLmFJO+LtEaBVdwPAEUUjagOvjakDnOIZ4ffopqjw6woCDVLtZTTy
xBBlCpFFArdXznvks8QK
=fQZX
-----END PGP SIGNATURE-----
q...@openmailbox.org
>> Axon:
>>> dan.m...@gmail.com:
>>>> Hi,
>>>
>>>> https://www.qubes-os.org/doc/verifying-signatures/
>>>
>>>> There is an omission here:
>>>
>>>> $ gpg -v --verify Qubes-R2-x86_64-DVD.iso.asc
>>>
>>>> Should be
>>>
>>>> gpg -v --verify Qubes-R2-x86_64-DVD.iso.asc
>>>> Qubes-R2-x86_64-DVD.iso
>>>
>>> Doesn't gpg automatically assume the second argument?
>>
>> Yes it does.
>
> Ok, that's what I thought. In that case, I don't see any reason to
> change the documentation. (dan.mi.sun: if you still think it should be
> changed, please explain why.)
gpg assumes to find the corresponding file to a detached signature by
stripping off the .asc or .sig. If the .asc file however is a signed
file instead of a detached signature, gpg doesn't even look for a second
file and only verifies the signature in the .asc file.
If we assume that the file hoster of the iso might be malicious (that's
why we want to verify the iso) we better be suspicious about the
signature file as well.
So the safest way is to always provide the file name of the iso
explicitly.
HW42
Hash: SHA512
> Note: If the option --batch is not used, gpg may assume that a single
> argument is a file with a detached signature and it will try to find a
> matching data file by stripping certain suffixes. Using this historical
> feature to verify a detached signature is strongly discouraged; always
> specify the data file too.
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJWpAPVAAoJEOSsySeKZGgWNH8P/RucG7+AdTGtmhLcEo/OokDS
XHom0+l8CDCcZ0hqVlVkIsMYc9vuLMOB6RkCzW2DnYrt8yAyHFfJOwGI2Pohkq1A
zq2zNxqi8hBYdYu6M/HmPkxNTldlchcO2+zBbjqU2arTNVEWar4pdArRNDF0T84n
60W8P+NpmzIRxUcsAerdYL3kQ2KiLT/08Sj90OCBfrKLnJSTbgTvMEFG0NvudBle
a8LsAd1ZUrv8DjzNK02j/Caldos8dFir2njC7gvDsPwo3MIFfypHehUKoVAS8fiX
mDzjzQRS0fqGB9xGb0ppWcMuBUQ4Htd4xZSUgqcV6jeuemghSyXn8eSG/mZEOcZk
KECpZotZJz9pEVyxydFKG14KLRpUVTxHNcT7FiGZe4cXlNZ7Pdd2pWB+ijpsinIZ
ZPjjWbEQO4ugpV97WUf2sZua2cZPsl8P2Cbb6BVG7eO12mT7Hp0peXi4etnplNFp
9ihvj64J+cReABT64eeZKQk8DtBaZiMUUqXu3xEAtpF/ES3SNaG7b6/+Z48TO/Et
eMzsO9fnDfb5YZx8TACctw1aB0gMUWI1pkF2VZ677okYPSGfklbOwKXyP56pIXg3
sNv50QUzXdkSbKCeWkQCGpPBk6nUOgH1pYDshe9xj0JYYls/nkBNvDtn/GNCtG6l
kvhmhi0VQZFa1l3pZmJu
=j/Bj
-----END PGP SIGNATURE-----
Axon
Hash: SHA512
data in <filename>", so you can be sure it's verifying the contents of
<filename> and not just <filename>.asc.
However:
1. This line is easy to overlook.
2. Less experienced users wouldn't even know to look for it in the
first place.
For these reasons, I wholeheartedly agree that it's safest just to
explicitly provide the second argument every time.
> That's right. From man gpg:
>
>> Note: If the option --batch is not used, gpg may assume that a
>> single argument is a file with a detached signature and it will
>> try to find a matching data file by stripping certain suffixes.
>> Using this historical feature to verify a detached signature is
>> strongly discouraged; always specify the data file too.
>
the man page discourages it is an even stronger reason not to do it.
Change merged:
https://github.com/QubesOS/qubes-doc/commit/cabe3de0cfb4b25ae59c6fe3b3e9
Thanks, everyone!
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJWpKj0AAoJEJh4Btx1RPV8hiUP/2b1Tzq35NrmJe9gWCBiQN1H
TZdwveEw7gxBSp8DuiP5Fur6+BI6ufV08UcJxq2yt3mq5jX/ZGVDfoFefC1dQ212
CgmUfTzkIFPSvqL1T0lxrRMiM2u0UASN8Xe2WAJadPiJIjmavWUJUYbBklcf1nFJ
SkR1lyt2i4/EBC6b/WdoJbB1bM2TfNrymt+MthQRLTngw3MuXltMFPR16eohxc3T
uwpzG7Tv5QFNjVq012+RPpliyBiFZfCNRrdTd4x8yHx4BtrZLGX0bp3DV5ZLVJnc
DCSY1Xe7wGLRz4L48NqLh4ve18Gc/EIdCbLWYlwoPc6qPiMC33g0Z7hcP8yIZ8fQ
w6H0uW8ED87vKlTZFItVYIkBR9egXyerjVXYsVUL4IvI2ozNplygyIPeSSxi6kP/
F26gC6kiL4QhVUbdYi2vlKeYiRDb8ZIqjXyugftLfgxLsPSieFmjim5FmHv0DJZZ
xEVry6qC6KoFOB4Gssa1Z9cfoaBus7jxgm0vvaW0sLSD3p2ZR+CyfqvKTY/w4na0
ongtWhF7QwBidv2KkvVyN+IvQRQ/gxlLaAAktZ9mxhr8x9CoO9AGvuOGVVHLI+xJ
XFgnCcSKWlxPlNzbg39dJ2dLCnd6ITtgnEm4f7VK0GSQ7m0QcLrXb7HjwPcKK9Xm
t8VcmoN2vjz3hHO3HZzV
=HEKs
-----END PGP SIGNATURE-----