On 03/29/2018 10:10 AM, Steven Walker wrote:
I am pretty much new to Qubes. Can anybody give me simple instructions on how
to verify my download? I have the iso asc, the digests file, and the signing
key asc.
Can someone help me through this?
Thank you,
Steven
Here is a condensed howto which avoids some issues with the Qubes doc
and gpg itself:
https://www.qubes-os.org/security/verifying-signatures/
1. Get the Qubes master key, preferably from more than one source or
network channel so you can check they are all identical.
https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
2. Get the signing key and iso files, as you already have.
3. Import the two keys:
$ gpg2 --import qubes-master-signing-key.asc
$ gpg2 --import qubes-release-4-signing-key.asc
3a. If you wish, additional verification of the Master key:
$ gpg2 --fingerprint
pub rsa4096 2010-04-01 [SC]
427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
uid [ unknown] Qubes Master Signing Key
Then search for the Qubes master key fingerprint on Google or a
keyserver, or view the 'verifying-signatures' doc linked above. Then
compare that hexadecimal fingerprint and make sure what's in your shell
matches what you see in the browser.
4. Verify the release key:
$ gpg2 --check-sigs
The output should look like this:
> pub rsa4096 2017-03-06 [SC]
> 5817A43B283DE5A9181A522E1848792F9E2795E9
> uid [ unknown] Qubes OS Release 4 Signing Key
> sig!3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key
> sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key
You should see the Release 4 key in "uid" and nested under it the Master
key. The Master key line must begin with "sig!" including the
exclamation mark! If the exclamation is not present then the key is bad.
5. Verify the iso file:
$ gpg2 --verify Qubes-R4.0-x86_64.iso.asc Qubes-R4.0-x86_64.iso
You should see a message 'Good signature from "Qubes OS Release 4
Signing Key"'
Hope this helps!
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
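
Steps 3a and 4 of the reply above as a shell sketch. This is an added example, not part of the original post or of the Qubes documentation. The function names are hypothetical; the sample input is the output quoted in the post, plus one constructed failing variant.

```shell
#!/bin/sh
# Added example (not from the post). Function names are hypothetical.
MASTER_FPR="427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494"  # from step 3a
RELEASE_UID="Qubes OS Release 4 Signing Key"                     # from step 4

# Strip spaces and upper-case, so spaced and unspaced fingerprints compare equal.
norm_fpr() { printf '%s\n' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Step 3a: compare the fingerprint gpg printed with one read from another channel.
same_fpr() { [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]; }

# Long key ID as shown on "sig" lines: the last 16 hex digits of the fingerprint.
long_keyid() { norm_fpr "$1" | awk '{ print substr($0, length($0) - 15) }'; }

# Step 4: read `gpg2 --check-sigs` text on stdin. Succeed only if the key block
# whose uid contains $1 carries a "sig!" line made by the key with fingerprint $2.
# "sig-" (bad signature) or a missing line fails. The match is on the 64-bit key
# ID only, so the full-fingerprint check of step 3a is still required.
master_sig_ok() {
    awk -v uid="$1" -v kid="$(long_keyid "$2")" '
        { sub(/^> ?/, "") }                    # tolerate mail-quoted output
        $1 == "pub" { in_block = 0 }           # a new key block starts
        $1 == "uid" { in_block = (index($0, uid) > 0) }
        in_block && $1 ~ /^sig!/ && $2 == kid { ok = 1 }
        END { exit(ok ? 0 : 1) }
    '
}

# Sample input: the output quoted in the post.
sample_good() { cat <<'EOF'
> pub rsa4096 2017-03-06 [SC]
> 5817A43B283DE5A9181A522E1848792F9E2795E9
> uid [ unknown] Qubes OS Release 4 Signing Key
> sig!3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key
> sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key
EOF
}
# Constructed failing variant: the master signature is reported as bad ("sig-").
sample_bad() { sample_good | sed 's/^> sig! /> sig- /'; }

sample_good | master_sig_ok "$RELEASE_UID" "$MASTER_FPR" && echo "good sample: OK"
sample_bad  | master_sig_ok "$RELEASE_UID" "$MASTER_FPR" || echo "bad sample: rejected"
```

Against a real keyring the input would come from `gpg2 --check-sigs` piped into `master_sig_ok`. The human-readable layout is not a stable interface, so this is a reading aid for step 4 and not a replacement for inspecting the output.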