-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 2018-08-17 00:58, Patrick Bouldin wrote: > On Thursday, August 16, 2018 at 6:43:50 PM UTC-4, Andrew David Wong wrote: >> On 2018-08-16 17:35, Andrew David Wong wrote: >>> On 2018-08-16 15:47, Patrick Bouldin wrote: >>>> Hi trying to validate 4.0. I downloaded the >>>> qubes-master-signing-key.asc and then not able to progress. I did >>>> find Joanna's qubes master signing key footprint, but I don't know >>>> how to compare or take the next step... >>> >>>> I did this with 3.0 a few years ago but can't remember... >>> >>>> I did check the web site and still don't know. >>> >>>> Thanks. >>> >>> >>> If you just want to see the fingerprint of the key you downloaded as a >>> file so that you can compare it to the fingerprint you obtained >>> through another channel, this is probably the simplest way: >>> >>> $ gpg2 qubes-master-signing-key.asc >>> gpg: WARNING: no command supplied. Trying to guess what you mean ... >>> pub rsa4096 2010-04-01 [SC] >>> 427F11FD0FAA4B080123F01CDDFA1A3E36879494 >>> uid Qubes Master Signing Key >>> >> >> If you're using gpg instead of gpg2, there's the --with-fingerprint >> option: >> >> $ gpg --with-fingerprint qubes-master-signing-key.asc >> gpg: keyring `/home/user/.gnupg/secring.gpg' created >> pub 4096R/36879494 2010-04-01 Qubes Master Signing Key >> Key fingerprint = 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494 >> > > Thanks and a quick question. I did get a final "Good signature", but curious, > does that process actually modify the iso at all? Just would like to know > because I pulled the iso file from my other pc and it will be easier to build > the flash there. >
No, checking the signature doesn't modify the ISO at all. However, since you're using a second machine to perform the signature verification, it's worth noting that you should, in principle, trust the second machine at least as much as the first one. If the second machine were compromised, it could falsely claim that the signature is good even if the ISO on the first machine were compromised. (Depending on your threat model, this risk may be acceptably low. Just thought I'd mention it.) - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlt3uXsACgkQ203TvDlQ MDD89RAAqO1bys4YGaiFTg5pt17pEGQ5MzXEqd6ryClX03kTmWnEZYypjRqj3rIM sHZEEDNbMFeo61mKw+x9tjPguQgOPnjOdv9AsG2SR0tJn/fytAHKxb3PyYi4y7SQ 03Nss4n/amfhUQM8U0TGUPwc8T5LJOS7sSyc8QTyUryvDqSar4r0ocjn5xHE91G8 o0Cmk11VLMJqtOHdf2jCIPQq4hOnBGDkw7csmbjzMrj/ZBQH7kwSHHusvhYvPiN0 dJAXFZH+vAWvYJmP8wwCjr8aTNUTupXyWMrRTRBYWKmXI2EsFZq+FeGINFscZKOS TLH7BRyKwRa1UFm0wltEQKk9rFT7GDoAij/N8341WVBPbfpzOaupZkhk85jOofca C4yQhosquXzvOpYFhU8N/3JUirOGt+wCt0td6Ji7xdlPiJ92bl7aUy7UN3NzGPDa O9A8i1EgaMo7uu3ytMPyoVDWC47vun2St3JhiX5ydDgXFefb9JAvnaT6JBuAE03k zEdQN7nfqmQMdwfAgyNYN60VQEa/B6aa1FXA+ZAU93qYr/c/qZz9dAhIKHL1nQzp HEmVyUOWGGelsdc8utZtSxH+D4niORYEwRFZmvFMk/9SSr9vtICdTKjmkE2SrMJa QXWukqraTy2fT6uRsV7mrOV09vmcrl//AAhv7oAIruX5PVSVpoE= =e9xj -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/db3dbdeb-f3ce-6799-36df-bcd8b51e38f7%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
