On 2016-12-28 04:39, john.david.r.smith wrote:
> currently when i have qubes and need a new image (e.g. to
> reinstall/install on a new machine), i need to download the image
> from qubes-os.org and then check the signature.
>
> this may be a source of errors for some users, or even insecure
> (mitm + exchanging the master signing key information on the
> website + patching the downloaded image).

I know what you mean, but it's worth remembering that the Qubes Master
Signing Key fingerprint is supposed to be verified out-of-band/multiband.
So, in principle, replacing the key and/or fingerprint only on
qubes-os.org shouldn't work as a successful attack vector.

> also checking signatures manually should be unnecessary since a
> package manager is built to do such stuff.
>
> i would propose to add the qubes-images as packages to the repos.
>

Interesting idea. I wonder whether this would count as a misuse of the
repos/package manager. One thing is that we'd like to offload most of
the traffic to a mirror (e.g., mirrors.kernel.org, as we currently do).

> maybe you could get other official repos to add them, too. (debian
> (+ubuntu), fedora and arch should reach a significant portion of
> the linux users)
>

Another interesting idea. I've never heard of a distro adding a
different OS's ISO as a package of their own, though.

> also: is the public qubes master signing key somewhere in dom0? in
> case a user has not saved it, this could circumvent the problem of
> an mitm exchanging the information about the signing key
>

I recall someone suggesting this a long time ago, and I (think I) also
recall Marek doing it, but I can't find the original thread or issue,
and I don't see the key in `/etc/pki/rpm-gpg/`.

Tracking: https://github.com/QubesOS/qubes-issues/issues/2544

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
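
The out-of-band/multiband check mentioned in the reply, as an added example that is not part of the original thread or of Qubes' own tooling: it reads the primary-key fingerprint from `gpg --with-colons` output and accepts the key only if every independently obtained copy of the fingerprint agrees with it. The key listing, fingerprints, source labels and the `min_sources=3` threshold are constructed assumptions.

```python
import re

# Constructed sample of `gpg --with-colons --show-keys <keyfile>` output;
# the key, its IDs and its fingerprints are made up for this example.
SAMPLE_LISTING = """\
pub:-:4096:1:89ABCDEF01234567:1273496736:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1273496736::AAAA::Example Master Signing Key::::::::::0:
sub:-:4096:1:0000111122223333:1273496736::::::e::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
"""

def normalize(fpr):
    """Drop spacing/case differences; require a 40-hex-digit (v4) fingerprint."""
    cleaned = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a 40-hex-digit fingerprint: {fpr!r}")
    return cleaned

def primary_fingerprints(listing):
    """Fingerprint of each primary key: the fpr record that follows a pub record."""
    found, after_pub = [], False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "fpr" and after_pub:
            found.append(normalize(fields[9]))  # field 10 holds the fingerprint
            after_pub = False
        elif fields[0] == "sub":
            after_pub = False  # a subkey's fpr record is not the key's identity
    return found

def multiband_check(listing, observed, min_sources=3):
    """observed maps a source label to the fingerprint seen through that channel.

    Returns (ok, detail). One disagreeing channel rejects the key: a mismatch
    is a warning sign and is never outvoted by the channels that agree.
    """
    keys = primary_fingerprints(listing)
    if len(keys) != 1:
        return False, f"expected exactly one primary key, found {len(keys)}"
    if len(observed) < min_sources:
        return False, f"only {len(observed)} sources, need {min_sources}"
    bad = sorted(src for src, fpr in observed.items() if normalize(fpr) != keys[0])
    if bad:
        return False, "mismatch from: " + ", ".join(bad)
    return True, keys[0]
```
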