[qubes-users] Confused about verifying signatures
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2018-08-17 00:58, Patrick Bouldin wrote: > On Thursday, August 16, 2018 at 6:43:50 PM UTC-4, Andrew David Wong wrote: >> On 2018-08-16 17:35, Andrew David Wong wrote: >>> On 2018-08-16 15:47, Patrick Bouldin wrote: Hi trying to validate 4.0. I downloaded the qubes-master-signing-key.asc and then not able to progress. I did find Joanna's qubes master signing key footprint, but I don't know how to compare or take the next step... >>> I did this with 3.0 a few years ago but can't remember... >>> I did check the web site and still don't know. >>> Thanks. >>> >>> >>> If you just want to see the fingerprint of the key you downloaded as a >>> file so that you can compare it to the fingerprint you obtained >>> through another channel, this is probably the simplest way: >>> >>> $ gpg2 qubes-master-signing-key.asc >>> gpg: WARNING: no command supplied. Trying to guess what you mean ... >>> pub rsa4096 2010-04-01 [SC] >>> 427F11FD0FAA4B080123F01CDDFA1A3E36879494 >>> uid Qubes Master Signing Key >>> >> >> If you're using gpg instead of gpg2, there's the --with-fingerprint >> option: >> >> $ gpg --with-fingerprint qubes-master-signing-key.asc >> gpg: keyring `/home/user/.gnupg/secring.gpg' created >> pub 4096R/36879494 2010-04-01 Qubes Master Signing Key >> Key fingerprint = 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494 >> > > Thanks and a quick question. I did get a final "Good signature", but curious, > does that process actually modify the iso at all? Just would like to know > because I pulled the iso file from my other pc and it will be easier to build > the flash there. > No, checking the signature doesn't modify the ISO at all. However, since you're using a second machine to perform the signature verification, it's worth noting that you should, in principle, trust the second machine at least as much as the first one. If the second machine were compromised, it could falsely claim that the signature is good even if the ISO on the first machine were compromised. (Depending on your threat model, this risk may be acceptably low. Just thought I'd mention it.) - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlt3uXsACgkQ203TvDlQ MDD89RAAqO1bys4YGaiFTg5pt17pEGQ5MzXEqd6ryClX03kTmWnEZYypjRqj3rIM sHZEEDNbMFeo61mKw+x9tjPguQgOPnjOdv9AsG2SR0tJn/fytAHKxb3PyYi4y7SQ 03Nss4n/amfhUQM8U0TGUPwc8T5LJOS7sSyc8QTyUryvDqSar4r0ocjn5xHE91G8 o0Cmk11VLMJqtOHdf2jCIPQq4hOnBGDkw7csmbjzMrj/ZBQH7kwSHHusvhYvPiN0 dJAXFZH+vAWvYJmP8wwCjr8aTNUTupXyWMrRTRBYWKmXI2EsFZq+FeGINFscZKOS TLH7BRyKwRa1UFm0wltEQKk9rFT7GDoAij/N8341WVBPbfpzOaupZkhk85jOofca C4yQhosquXzvOpYFhU8N/3JUirOGt+wCt0td6Ji7xdlPiJ92bl7aUy7UN3NzGPDa O9A8i1EgaMo7uu3ytMPyoVDWC47vun2St3JhiX5ydDgXFefb9JAvnaT6JBuAE03k zEdQN7nfqmQMdwfAgyNYN60VQEa/B6aa1FXA+ZAU93qYr/c/qZz9dAhIKHL1nQzp HEmVyUOWGGelsdc8utZtSxH+D4niORYEwRFZmvFMk/9SSr9vtICdTKjmkE2SrMJa QXWukqraTy2fT6uRsV7mrOV09vmcrl//AAhv7oAIruX5PVSVpoE= =e9xj -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/db3dbdeb-f3ce-6799-36df-bcd8b51e38f7%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Confused about verifying signatures
On Fri, August 17, 2018 5:58 am, Patrick Bouldin wrote: >>> On 2018-08-16 15:47, Patrick Bouldin wrote: >>> Hi trying to validate 4.0. I downloaded the qubes-master-signing-key.asc and then not able to progress. I did find Joanna's qubes master signing key footprint, but I don't know how to compare or take the next step... > > Thanks and a quick question. I did get a final "Good signature", but > curious, does that process actually modify the iso at all? Just would > like to know because I pulled the iso file from my other pc and it will > be easier to build the flash there. Assuming you're still talking about the validation process; no, that would not modify the iso. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3921c39f6da73478b34d77ff5c96bb3a.squirrel%40tt3j2x4k5ycaa5zt.onion. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Confused about verifying signatures
On Thursday, August 16, 2018 at 6:43:50 PM UTC-4, Andrew David Wong wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On 2018-08-16 17:35, Andrew David Wong wrote: > > On 2018-08-16 15:47, Patrick Bouldin wrote: > >> Hi trying to validate 4.0. I downloaded the > >> qubes-master-signing-key.asc and then not able to progress. I did > >> find Joanna's qubes master signing key footprint, but I don't know > >> how to compare or take the next step... > > > >> I did this with 3.0 a few years ago but can't remember... > > > >> I did check the web site and still don't know. > > > >> Thanks. > > > > > > If you just want to see the fingerprint of the key you downloaded as a > > file so that you can compare it to the fingerprint you obtained > > through another channel, this is probably the simplest way: > > > > $ gpg2 qubes-master-signing-key.asc > > gpg: WARNING: no command supplied. Trying to guess what you mean ... > > pub rsa4096 2010-04-01 [SC] > > 427F11FD0FAA4B080123F01CDDFA1A3E36879494 > > uid Qubes Master Signing Key > > > > If you're using gpg instead of gpg2, there's the --with-fingerprint > option: > > $ gpg --with-fingerprint qubes-master-signing-key.asc > gpg: keyring `/home/user/.gnupg/secring.gpg' created > pub 4096R/36879494 2010-04-01 Qubes Master Signing Key > Key fingerprint = 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494 > > - -- > Andrew David Wong (Axon) > Community Manager, Qubes OS > https://www.qubes-os.org > > -BEGIN PGP SIGNATURE- > > iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlt1/gQACgkQ203TvDlQ > MDASEA//a1TzjaaAPwNS12GHWollY2WGqpSK7RZNEsHkBSJYPTaNayqOHXx2yzQ2 > Re5uPgpHofCYxNx96VhKFDE9rIo17ozrLrr+ZywESDn5GoIzM7BtUaKTR5GQWZx1 > E9vALH50GtNJAdb/SumOcdsDxrDj139wjcAuypWBDXK6lxF2hR/nDr7RZMxvfwTF > uixM4LP7zhwOafLAbhXsa9wyu6ZsooTicdiSit+iQPk15oxLGjUSncQcIYuRLdvX > yLht5/2ZPST1Jm9HyEEwOllMN4eFrMAc/StHhVxPWlUiqtr3xMki3IWZV+xi8sMh > Ri0HmASNzLn4JwNQnPFQqnT+Z4Im8tiH24w/T8eHhP2hLo8tEfd5aq26xl0NoRbU > Hcc69XXjzITQIi2d7YZHgtNgrml8zCjTRF+9p14cLyFFl2ISJsEZeus/egQWE6Rv > aRMR+IPDG8HqCWepV+Y/of3lb+uqd7SBVJdcRavf/Jrlf/9AOeCRDUteTGsiJE14 > U9FksIiiZRclcHR+NFeZSbINvwlwNx2tO7o7YcbBxmqPMzsg20gHYfuI3GAnMY/R > yHX52v6sXcM/4Y08TrTTHV1l+/EPUOnOb3adaIejNyEiHB5WiQ3fgoEwpX3GkKTb > iCt4TJJKo6KRSG2EzMMLH0s69gGphqLtgC5+zEQg4X7NWpFzWX4= > =cBsO > -END PGP SIGNATURE- Thanks and a quick question. I did get a final "Good signature", but curious, does that process actually modify the iso at all? Just would like to know because I pulled the iso file from my other pc and it will be easier to build the flash there. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8b5b5988-ee3d-43ab-a229-e1a2d176e27f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Confused about verifying signatures
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2018-08-16 17:35, Andrew David Wong wrote: > On 2018-08-16 15:47, Patrick Bouldin wrote: >> Hi trying to validate 4.0. I downloaded the >> qubes-master-signing-key.asc and then not able to progress. I did >> find Joanna's qubes master signing key footprint, but I don't know >> how to compare or take the next step... > >> I did this with 3.0 a few years ago but can't remember... > >> I did check the web site and still don't know. > >> Thanks. > > > If you just want to see the fingerprint of the key you downloaded as a > file so that you can compare it to the fingerprint you obtained > through another channel, this is probably the simplest way: > > $ gpg2 qubes-master-signing-key.asc > gpg: WARNING: no command supplied. Trying to guess what you mean ... > pub rsa4096 2010-04-01 [SC] > 427F11FD0FAA4B080123F01CDDFA1A3E36879494 > uid Qubes Master Signing Key > If you're using gpg instead of gpg2, there's the --with-fingerprint option: $ gpg --with-fingerprint qubes-master-signing-key.asc gpg: keyring `/home/user/.gnupg/secring.gpg' created pub 4096R/36879494 2010-04-01 Qubes Master Signing Key Key fingerprint = 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494 - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlt1/gQACgkQ203TvDlQ MDASEA//a1TzjaaAPwNS12GHWollY2WGqpSK7RZNEsHkBSJYPTaNayqOHXx2yzQ2 Re5uPgpHofCYxNx96VhKFDE9rIo17ozrLrr+ZywESDn5GoIzM7BtUaKTR5GQWZx1 E9vALH50GtNJAdb/SumOcdsDxrDj139wjcAuypWBDXK6lxF2hR/nDr7RZMxvfwTF uixM4LP7zhwOafLAbhXsa9wyu6ZsooTicdiSit+iQPk15oxLGjUSncQcIYuRLdvX yLht5/2ZPST1Jm9HyEEwOllMN4eFrMAc/StHhVxPWlUiqtr3xMki3IWZV+xi8sMh Ri0HmASNzLn4JwNQnPFQqnT+Z4Im8tiH24w/T8eHhP2hLo8tEfd5aq26xl0NoRbU Hcc69XXjzITQIi2d7YZHgtNgrml8zCjTRF+9p14cLyFFl2ISJsEZeus/egQWE6Rv aRMR+IPDG8HqCWepV+Y/of3lb+uqd7SBVJdcRavf/Jrlf/9AOeCRDUteTGsiJE14 U9FksIiiZRclcHR+NFeZSbINvwlwNx2tO7o7YcbBxmqPMzsg20gHYfuI3GAnMY/R yHX52v6sXcM/4Y08TrTTHV1l+/EPUOnOb3adaIejNyEiHB5WiQ3fgoEwpX3GkKTb iCt4TJJKo6KRSG2EzMMLH0s69gGphqLtgC5+zEQg4X7NWpFzWX4= =cBsO -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9ce6f7d7-47ca-8c8b-bc3b-01668d67eb56%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Confused about verifying signatures
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2018-08-16 15:47, Patrick Bouldin wrote: > Hi trying to validate 4.0. I downloaded the > qubes-master-signing-key.asc and then not able to progress. I did > find Joanna's qubes master signing key footprint, but I don't know > how to compare or take the next step... > > I did this with 3.0 a few years ago but can't remember... > > I did check the web site and still don't know. > > Thanks. > If you just want to see the fingerprint of the key you downloaded as a file so that you can compare it to the fingerprint you obtained through another channel, this is probably the simplest way: $ gpg2 qubes-master-signing-key.asc gpg: WARNING: no command supplied. Trying to guess what you mean ... pub rsa4096 2010-04-01 [SC] 427F11FD0FAA4B080123F01CDDFA1A3E36879494 uid Qubes Master Signing Key - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlt1/BcACgkQ203TvDlQ MDCmuA//Y7xSLlrHkdO4zLm+7FP3xyBFMCguQkVqLQ5JYcRuvCJRVtORHQL6V/rg A7WL7pfOaADv9hT8uCgr/wMnjfYE2L3IwyL1l7MzxKDB0XjqE7e/0xwVXRIjj9ow UynpuDQXsdiRn+Xyj52eLZiNUBrbuNbVjuTXIJTpuasAt0ZVYRLN8abv19EIbmqs 1LmNdIPoHGYW7oFPS64OiZ+phQgVMC28+dkIWF6xo3i9XETSTFvJhB3miwhNYYOq Ge4Xg9fzFFoz2NTHMPvm7g66hoyTaz6kODFEX7r2Sn6uJVyF/lvBqujg3q2BBiKK z1UlF/bGQiv9bcKYwgtyd6ipSoNlbTYGkZ3cTIcKA4X/gtVtFI8/mpI+0xG5iaPz YWs9t3QQoUd/Z5SGZhT4D5aUyMwuo6+jxajNjS4mfjLNuPdbFEvPjNuAFwDamvKW D0OQJoQ/DVvgVzfU/L0L3bH3GMiutZSyIW69/iZCgaLgUkxU8wduCN0T0o2RrxQz 00qn+LMlYJHe8d2omj1jPQBbuZQ+jetbsj2vZrsnfCVUylGZqzAxcqLJUtxn2NYn oKYaqd0o9k2zkBgiQv1TEltcekG3h4mTmqa5c6OgJpt+U0dBARHscKdhWE64x/p6 ycAN9dHkpGVcV99PPVeNuh4EmOhxc5lrflUujeUzGS8mUmgqy2w= =wZdA -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8b5041d3-9fb0-9605-374e-98ec0b1702b1%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.