On Mon, Oct 16, 2017 at 12:09:30AM +0200, 'Archimedes Cohen' via qubes-users wrote: > Hi, > > I was attempting to verify the Qubes iso image today, but was not > convinced of its trustworthiness, as the master signing key (or the > version I have obtained) does seem to be signed by surprisingly little > people I might trust. > > In [1] it says: > "In addition, some operating systems have built-in keyrings containing > keys capable of validating the Qubes Master Signing Key. For example, > if you have a Debian system, then your debian-keyring may already > contain the necessary keys." > > However, in my version of the debian keyring, there seems to be only > one key (Holger Levsen, 091AB856069AAA1C) that has signed the Qubes > Master Signing Key. This seems to be a suspiciously small number for > the claim above that the debian-keyring contains the "necessary keys" > to verify the Qubes Master Signing Key. > > Also, I would expect the key to be signed by people such as Joanna, > which does not seem to be the case. > > In [1] it also says: > "The point is, of course, that people must choose who they will trust > (e.g., Linus Torvalds, Microsoft, the Qubes Project, etc.) and assume > that if a given file was signed by a trusted party, then it should not > be malicious or buggy in some horrible way. But the decision of > whether to trust any given party is beyond the scope of digital > signatures. It’s more of a sociological and political decision." > > In order to be able to trust the Qubes key, I would like to be able to > see signatures by people I am reasonably certain exist, are publicly > known under a certain name, and associated to certain projects, etc, > and then find paths from my key to theirs in order to verify that the > key is from who it claims. Unfortunately, I wasn't able to find such > signatures for the Qubes key. I hope there is a plausible explanation > for the lack of signatures from the debian keyring and the main Qubes > developers, or someone points out some silly mistake I made and these > signatures are in fact present (for now I am assuming that the sources > I obtained the iso and the key from are compromised). I am attaching > the list of signatures on my version of the key below [2]. > > Cheers > > [1]: https://www.qubes-os.org/security/verifying-signatures/ >
Hi Archimedes, One reason why you wont find the key signed by "people like Joanna" is that they are likely to be using split gpg. It's one of the downsides of that implementation that one cant sign other's keys without breaking the security model. (See www.qubes-os.org/doc/split-gpg) It isn't really clear to me why you have the constraint that you have in order to trust the Qubes key. What do you think those people whose signatures you would accept will have done that you aren't capable of doing? I doubt that Holger has done anything more than run through the processes in [1] above before signing the key. And those are processes that you can do yourself - I'm tempted to say that you SHOULD do them yourself. Using the WOT may be just part of that validation, and not a necessary part. If it helps you can see the key in the mailing list, and in various youtube talks. Cheers unman -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20171016020152.xqps23ctqxinbzy7%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
