> Thanks, Chris! I got one step further: successfully verifying the ISO
> signature with the Qubes OS Release 3 Signing Key. Should I still use
> the Qubes Master Signing Key to verify that my Qubes OS Release 3
> Signing Key is good? If so, how do I use gpg4win to do this?
>
> Kyle

yes, you should check it. Qubes R3 key should be signed with the masterkey.
this means that:

1 - if you checked that the master key is original
2 - and you see that R3 key is signed (certified) by the masterkey

it means that also the R3 key is original without any other check (*because you trust the team behind qubes)

to do this check using gpg4win you can:

- from kleopatra: double click on the key, click certifications, and check that "qubes master key" is listed WITH THE CORRECT FINGERPRINT (the name is useless as anyone can generate a key called in that way, but no one can generate it with the correct fingerprint)
- from gpa: click detailed then signatures; check that the master key is listed.

the final question is how do you know that the master key is the original one?
you can check these websites, all of them have a copy of the masterkey and all of them are https. here you can find the fingerprint:

https://github.com/rootkovska/rootkovska.github.io/tree/master/keys
https://keys.qubes-os.org/keys/
https://www.youtube.com/watch?v=S0TVw7U3MkE (near the end 46:51)
https://hyperelliptic.org/PSC/slides/psc2015_qubesos.pdf (last slide)
https://twitter.com/rootkovska/status/496976187491876864

all this might seem complex but in the end it means:

- get masterkey and check that it is original (get only once, but you can verify that the fingerprint on your pc matches the one on the website many times in different moments)
- get (only once) the r3/4 key and check that it is signed (certified) by the masterkey, this means more or less: "me the masterkey, say that this gpg key is the only real r3/4 key"
- get the signature and the signed file and verify the signature: it should say "good" and should also say "signed using [fingerprint of] r3/r4 key" (the one that we trust because of the above points)

i hope that i have not confused you more than you were before :)
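
An added example, not part of the original message: the certification check described above, done on `gpg --with-colons --check-sigs` output, accepting the release key only when a verified certification comes from the expected master fingerprint rather than from a key that merely carries the master key's name. The fingerprints and listings are constructed placeholders, and the field positions assume GnuPG's documented colon-delimited listing format.

```python
# Constructed placeholder fingerprints; NOT real Qubes key material.
MASTER_FPR = "AAAA0000" * 5      # the value you confirmed from several sources
LOOKALIKE_FPR = "BBBB1111" * 5   # a different key carrying the same name
RELEASE_FPR = "CCCC2222" * 5     # the release signing key being checked

CERT_CLASSES = ("10", "11", "12", "13")  # OpenPGP key-certification classes


def good_certifiers(colons, target_fpr):
    """Fingerprints of keys whose certification on target_fpr verified ('!')."""
    found, current, want_fpr = set(), None, False
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":                       # start of a new key block
            current, want_fpr = None, True
        elif f[0] == "fpr" and want_fpr:        # first fpr after pub = primary key
            current, want_fpr = f[9].upper(), False
        elif f[0] == "sig" and current == target_fpr and len(f) > 12:
            # field 2: check result, field 11: signature class, field 13: issuer fpr
            if f[1] == "!" and f[10][:2] in CERT_CLASSES and f[12]:
                found.add(f[12].upper())
    return found


def certified_by_master(colons, release_fpr, master_fpr):
    """True only if the master *fingerprint* issued a verified certification."""
    return master_fpr.upper() in good_certifiers(colons, release_fpr.upper())


def sig(issuer_fpr, name, status="!", sig_class="10x"):
    """Build one constructed 'sig' record."""
    return ":".join(["sig", status, "", "1", issuer_fpr[-16:], "1400000000",
                     "", "", "", name, sig_class, "", issuer_fpr])


def listing(sigs):
    """Build a constructed listing for the release key with the given sig records."""
    head = ["pub:-:4096:1:%s:1400000000:::-:::scESC:" % RELEASE_FPR[-16:],
            "fpr:::::::::%s:" % RELEASE_FPR,
            "uid:-::::1400000000::::Qubes OS Release 3 Signing Key:"]
    return "\n".join(head + sigs)


SELF = sig(RELEASE_FPR, "Qubes OS Release 3 Signing Key", sig_class="13x")
GENUINE = listing([SELF, sig(MASTER_FPR, "Qubes Master Signing Key")])
SAME_NAME = listing([SELF, sig(LOOKALIKE_FPR, "Qubes Master Signing Key")])
BAD_SIG = listing([SELF, sig(MASTER_FPR, "Qubes Master Signing Key", status="-")])
```

To use it on a real keyring, replace the placeholders with the fingerprints you confirmed yourself and pass in the text printed by `gpg --with-colons --check-sigs` for the release key.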
