> > If you have the key files on disk, use --import: > $ gpg2 --import qubes-master-signing-key.asc > $ gpg2 --import qubes-release-3-signing-key.asc > > Then use --edit-key to set trust level to 4 on master key: > $ gpg2 --edit-key 36879494 > gpg> trust > gpg> save > > Then check that master<>release signatures are valid: > $ gpg2 --check-sigs > > You'll see the release key as "uid ... Qubes OS Release 3 Signing Key" > and directly underneath a line like: > "sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key" > > After all of this, the thing that validates the Signing key is "sig!". > It shows the Release key has been signed by the Master key and "!" means > the signature is valid. > > At this point, if you have taken care to verify the Master key by > retrieving it or viewing its fingerprint through other channels, then > your keys are all set. (Some people skip most of this and only import > the Singing key and verify its fingerprint, but I digress.) > > You can now do the --verify step.
Thank you Chris (and sorry for the late response). I was able to verify my image. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to email@example.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6f0588bf-00dd-4e2a-a081-e7254475a832%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.