Re: [qubes-users] Verifying Qubes 4.0
On 03/30/2018 09:39 AM, Steven Walker wrote:
> I just imported the two keys. The version 4 signing key came back with
> "no ultimately trusted keys found". Is that an issue?

It's not an immediate issue if you've just taken steps to check the Master key (as described). However, the verifying-signatures doc explains how to edit the Master key to set the trust level... it's just an indicator from you saying "I trust this key" and that should make the "no ultimately trusted keys found" message go away. I didn't include it in my howto because it has a bug that can forget the setting.

> I am running it through budgie ubuntu. I currently have no qubes system
> installed. Am I doing this right?

Sounds OK.

> I installed gpg2 in ubuntu to run these commands through terminal

I'm going by Debian's gpg setup, which only includes version 2 and both 'gpg' and 'gpg2' are the same command. But other distros still include gpg 1.x so I found it's better to always specify gpg2.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e538e2d4-29e9-1811-a61c-ead228f7ef8a%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Verifying Qubes 4.0
On Thursday, March 29, 2018 at 10:58:56 AM UTC-4, Chris Laprise wrote:
> On 03/29/2018 10:10 AM, Steven Walker wrote:
> > I am pretty much new to Qubes. Can anybody give me simple instructions on
> > how to verify my download. I have the iso asc, the digests file, and the
> > signing key asc.
> >
> > Can someone help me through this?
> >
> > Thank you,
> >
> > Steven
>
> Here is a condensed howto which avoids some issues with the Qubes doc
> and gpg itself:
> https://www.qubes-os.org/security/verifying-signatures/
>
> 1. Get the Qubes master key, preferably from more than one source or
> network channel so you can check they are all identical.
>
> https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
>
> 2. Get the signing key and iso files, as you already have.
>
> 3. Import the two keys:
>
> $ gpg2 --import qubes-master-signing-key.asc
> $ gpg2 --import qubes-release-4-signing-key.asc
>
> 3a. If you wish, additional verification of the Master key:
>
> $ gpg2 --fingerprint
>
> > pub   rsa4096 2010-04-01 [SC]
> >       427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
> > uid           [ unknown] Qubes Master Signing Key
>
> Then search for the Qubes master key fingerprint on Google or a
> keyserver, or view the 'verifying-signatures' doc linked above. Then
> compare that hexadecimal fingerprint and make sure what's in your shell
> matches what you see in the browser.
>
> 4. Verify the release key:
>
> $ gpg2 --check-sigs
>
> The output should look like this:
>
> > pub   rsa4096 2017-03-06 [SC]
> >       5817A43B283DE5A9181A522E1848792F9E2795E9
> > uid           [ unknown] Qubes OS Release 4 Signing Key
> > sig!3        1848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key
> > sig!         DDFA1A3E36879494 2017-03-08  Qubes Master Signing Key
>
> You should see the Release 4 key in "uid" and nested under it the Master
> key. The Master key line must begin with "sig!" including the
> exclamation mark! If the exclamation is not present then the key is bad.
>
> 5. Verify the iso file:
>
> $ gpg2 --verify Qubes-R4.0-x86_64.iso.asc Qubes-R4.0-x86_64.iso
>
> You should see a message "Good signature from "Qubes OS Release 4
> Signing Key""
>
> Hope this helps!
>
> --
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

I just imported the two keys. The version 4 signing key came back with "no ultimately trusted keys found". Is that an issue?

I am running it through budgie ubuntu. I currently have no qubes system installed. Am I doing this right?

I installed gpg2 in ubuntu to run these commands through terminal

Thanks,

Steve

Re: [qubes-users] Verifying Qubes 4.0
On 03/29/2018 10:10 AM, Steven Walker wrote:
> I am pretty much new to Qubes. Can anybody give me simple instructions on
> how to verify my download. I have the iso asc, the digests file, and the
> signing key asc.
>
> Can someone help me through this?
>
> Thank you,
>
> Steven

Here is a condensed howto which avoids some issues with the Qubes doc and gpg itself:
https://www.qubes-os.org/security/verifying-signatures/

1. Get the Qubes master key, preferably from more than one source or network channel so you can check they are all identical.

https://keys.qubes-os.org/keys/qubes-master-signing-key.asc

2. Get the signing key and iso files, as you already have.

3. Import the two keys:

$ gpg2 --import qubes-master-signing-key.asc
$ gpg2 --import qubes-release-4-signing-key.asc

3a. If you wish, additional verification of the Master key:

$ gpg2 --fingerprint

> pub   rsa4096 2010-04-01 [SC]
>       427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
> uid           [ unknown] Qubes Master Signing Key

Then search for the Qubes master key fingerprint on Google or a keyserver, or view the 'verifying-signatures' doc linked above. Then compare that hexadecimal fingerprint and make sure what's in your shell matches what you see in the browser.

4. Verify the release key:

$ gpg2 --check-sigs

The output should look like this:

> pub   rsa4096 2017-03-06 [SC]
>       5817A43B283DE5A9181A522E1848792F9E2795E9
> uid           [ unknown] Qubes OS Release 4 Signing Key
> sig!3        1848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key
> sig!         DDFA1A3E36879494 2017-03-08  Qubes Master Signing Key

You should see the Release 4 key in "uid" and nested under it the Master key. The Master key line must begin with "sig!" including the exclamation mark! If the exclamation is not present then the key is bad.

5. Verify the iso file:

$ gpg2 --verify Qubes-R4.0-x86_64.iso.asc Qubes-R4.0-x86_64.iso

You should see a message "Good signature from "Qubes OS Release 4 Signing Key""

Hope this helps!

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
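
Steps 3a to 5 of the howto above can also be checked from gpg's machine-readable output (--with-colons and --status-fd) rather than by reading the listing by eye. The script below is an added example, not part of the original message or of the Qubes documentation; the function names and the sample key listing are constructed for illustration, and the two fingerprints are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: steps 3a, 4 and 5 checked from gpg's machine-readable output.
# Fingerprints are the ones quoted in the howto; confirm them independently.
MASTER_FPR=427F11FD0FAA4B080123F01CDDFA1A3E36879494
RELEASE_FPR=5817A43B283DE5A9181A522E1848792F9E2795E9

# Step 3a: stdin is `gpg2 --with-colons --fingerprint`; true if key $1 is listed.
has_fingerprint() {
    awk -F: -v want="$1" '$1 == "fpr" && $10 == want { ok = 1 } END { exit !ok }'
}

# Step 4: stdin is `gpg2 --with-colons --check-sigs`; true only if primary key $1
# carries a signature by key $2 that gpg marked good ("!", the "sig!" of step 4).
signed_by() {
    awk -F: -v key="$1" -v signer="$2" '
        $1 == "pub" { cur = ""; primary = 1; next }
        $1 == "sub" { cur = ""; primary = 0; next }
        $1 == "fpr" && primary && cur == "" { cur = $10; next }
        $1 == "sig" && cur == key && $2 ~ /^!/ &&
            $5 == substr(signer, length(signer) - 15) { ok = 1 }
        END { exit !ok }'
}

# Step 5: stdin is `gpg2 --status-fd 1 --verify SIG FILE`; true if gpg reports
# VALIDSIG for a signature made by key $1 (signing key or its primary key).
valid_sig_from() {
    awk -v want="$1" '$1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
        ($3 == want || $NF == want) { ok = 1 } END { exit !ok }'
}

# Constructed sample of --check-sigs colon output (not captured from a real run).
sample_check_sigs() {
    cat <<EOF
pub:-:4096:1:1848792F9E2795E9:1488758400:::-:::scSC::::::23::0:
fpr:::::::::$RELEASE_FPR:
uid:-::::1488758400::::Qubes OS Release 4 Signing Key:
sig:!::1:1848792F9E2795E9:1488758400::::Qubes OS Release 4 Signing Key:13x:::::8:
sig:${1:-!}::1:DDFA1A3E36879494:1488931200::::Qubes Master Signing Key:10x:::::8:
EOF
}

# Live use: verify_iso Qubes-R4.0-x86_64.iso.asc Qubes-R4.0-x86_64.iso
verify_iso() {
    gpg2 --with-colons --fingerprint "$MASTER_FPR" | has_fingerprint "$MASTER_FPR" &&
    gpg2 --with-colons --check-sigs "$RELEASE_FPR" | signed_by "$RELEASE_FPR" "$MASTER_FPR" &&
    gpg2 --status-fd 1 --verify "$1" "$2" 2>/dev/null | valid_sig_from "$RELEASE_FPR"
}
```

verify_iso returns non-zero if any of the three checks fails, including the case where the Master key's signature on the release key is present but not marked good.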