> ​Thanks, Chris!  ​I got one step further: successfully verifying the ISO
> signature with the Qubes OS Release 3 Signing Key.  Should I still use
> the Qubes Master Signing Key to verify that my Qubes OS Release 3
> Signing Key is good?  If so, how to I use gpg4win to do this?
> Kyle

yes, you should check it.

Qubes R3 key should be signed with the masterkey.
this means that:
1-if you checked that the master key is original
2-and you see that R3 key is signed (certified) by the masterkey

it means that also the R3 key is original without any other check
(*because you trust the team behind qubes)

to do this check using gpg4win you can:
-from kleopatra: double click on the key, click certifications, and
check that "qubes master key" is listed WITH THE CORRECT FINGERPRINT
(the name is useless as anyone can generate a key called in that way,
but noone can generate it with the correct fingerprint)

-from gpa: click detailed than signatures; check that the master key is

the final question is how do you know that the master key is the
original one?
you can check these websites, all of them has a copy of the masterkey
and all of them are https.
here you can find the fingerprint:
https://www.youtube.com/watch?v=S0TVw7U3MkE (near the end 46:51)
https://hyperelliptic.org/PSC/slides/psc2015_qubesos.pdf (last slide)

all this might seem complex but in the end it means:
-get masterkey and check that is original (get only once, but you can
verify that fingerprint on your pc match the one on website many times
in different moments)
-get (only once) the r3/4 key and check that is signed (certified) by
the masterkey, this means more or less: "me the masterkey, say that that
this gpg key is the only real r3/4 key"
-get the signature and the signed file and verify the signature: it
should say "good" and should also say "signed using [fingerprint of]
r3/r4 key" (the one that we trust because above points)

i hope that i have not confused you more than you were before :)

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to