On 03/29/2018 10:10 AM, Steven Walker wrote:
I am pretty much new to Qubes. Can anybody give me simple instructions on how
to verify my download? I have the iso asc, the digests file, and the signing
key asc.

Can someone help me through this?

Thank you,

Steven



Here is a condensed howto which avoids some issues with the Qubes doc and gpg itself:
https://www.qubes-os.org/security/verifying-signatures/


1. Get the Qubes master key, preferably from more than one source or network channel so you can check they are all identical.

https://keys.qubes-os.org/keys/qubes-master-signing-key.asc


2. Get the signing key and iso files, as you already have.


3. Import the two keys:

$ gpg2 --import qubes-master-signing-key.asc
$ gpg2 --import qubes-release-4-signing-key.asc


3a. If you wish, additional verification of the Master key:

$ gpg2 --fingerprint

pub   rsa4096 2010-04-01 [SC]
      427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
uid           [ unknown] Qubes Master Signing Key

Then search for the Qubes master key fingerprint on Google or a keyserver, or view the 'verifying-signatures' doc linked above. Then compare that hexadecimal fingerprint and make sure what's in your shell matches what you see in the browser.


4. Verify the release key:

$ gpg2 --check-sigs

The output should look like this:

> pub   rsa4096 2017-03-06 [SC]
>       5817A43B283DE5A9181A522E1848792F9E2795E9
> uid           [ unknown] Qubes OS Release 4 Signing Key
> sig!3        1848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key
> sig!         DDFA1A3E36879494 2017-03-08  Qubes Master Signing Key

You should see the Release 4 key in "uid" and nested under it the Master key. The Master key line must begin with "sig!" including the exclamation mark! If the exclamation is not present then the key is bad.


5. Verify the iso file:

$ gpg2 --verify Qubes-R4.0-x86_64.iso.asc Qubes-R4.0-x86_64.iso

You should see a message: Good signature from "Qubes OS Release 4 Signing Key"


Hope this helps!

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
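
Steps 4 and 5 above as a script, added here as an example (it is not part of the message or of the Qubes documentation): it checks the `sig!` marker and the signer's fingerprint mechanically instead of by eye. The function names and the use of gpg's `--status-fd` status lines are this example's own choices; the fingerprints are the ones quoted in the message, and the listing layout is assumed to match the one shown in step 4.

```shell
#!/bin/sh
# Fingerprints as quoted in steps 3a and 4 of the message above.
MASTER_FPR=427F11FD0FAA4B080123F01CDDFA1A3E36879494
RELEASE_FPR=5817A43B283DE5A9181A522E1848792F9E2795E9

# stdin: output of `gpg2 --check-sigs`. Succeeds only if the release key's
# block holds a "sig!" line (signature verified) made by the master key.
release_key_certified() {
    master_id=$(printf %s "$MASTER_FPR" | cut -c25-40)   # long key ID
    awk -v fpr="$RELEASE_FPR" -v mid="$master_id" '
        /^pub /  { inblock = 0; want_fpr = 1; next }
        want_fpr { gsub(/[ \t]/, ""); inblock = ($0 == fpr); want_fpr = 0; next }
        inblock && /^sig!/ && index($0, " " mid " ") { ok = 1 }
        END { exit !ok }'
}

# stdin: output of `gpg2 --status-fd 1 --verify SIG FILE`. Succeeds only if a
# VALIDSIG status line names the release key (signing or primary fingerprint).
iso_signed_by_release_key() {
    awk -v fpr="$RELEASE_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit !ok }'
}

# Usage: verify_qubes_iso Qubes-R4.0-x86_64.iso.asc Qubes-R4.0-x86_64.iso
# Assumes both keys are imported and the master fingerprint was compared (step 3a).
verify_qubes_iso() {
    gpg2 --check-sigs "$RELEASE_FPR" | release_key_certified ||
        { echo "release key lacks a valid master-key signature" >&2; return 1; }
    gpg2 --status-fd 1 --verify "$1" "$2" 2>/dev/null | iso_signed_by_release_key ||
        { echo "no valid release-key signature on $2" >&2; return 1; }
    echo "verified: $2"
}

# Constructed sample: the step 4 listing, and a copy where the master-key
# signature failed verification ("sig-" instead of "sig!").
SAMPLE_GOOD='pub   rsa4096 2017-03-06 [SC]
      5817A43B283DE5A9181A522E1848792F9E2795E9
uid           [ unknown] Qubes OS Release 4 Signing Key
sig!3        1848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key
sig!         DDFA1A3E36879494 2017-03-08  Qubes Master Signing Key'
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_GOOD" | sed 's/^sig!  /sig-  /')

if [ $# -eq 2 ]; then verify_qubes_iso "$1" "$2"; fi
```

Run with the signature file and the ISO as its two arguments; with no arguments it only defines the functions and the sample listings.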
