Re: [qubes-users] Re: cannot verify signatures R4.0.4
On 3/26/21 6:50 PM, Franz wrote: On Fri, Mar 26, 2021 at 9:10 AM Franz <169...@gmail.com> wrote: Hello, everything seems to work fine: gpg2 --check-signatures "Qubes OS Release 4 Signing Key" pub rsa4096 2017-03-06 [SC] 5817A43B283DE5A9181A522E1848792F9E2795E9 uid [ full ] Qubes OS Release 4 Signing Key sig!31848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key gpg: 2 good signatures gpg2 -k "Qubes OS Release" pub rsa4096 2014-11-19 [SC] C52261BE0A823221D94CA1D1CB11CA1D03FA5082 uid [ full ] Qubes OS Release 3 Signing Key pub rsa4096 2017-03-06 [SC] 5817A43B283DE5A9181A522E1848792F9E2795E9 uid [ full ] Qubes OS Release 4 Signing Key but when I try to verify get unexpected error, even after downloading two times the files, and even after trying with Fedora and Debian: gpg2 -v --verify qubes-release-4-signing-key.asc Qubes-R4.0.4-x86_64.iso gpg: verify signatures failed: Unexpected error I found the problem: I downloaded Qubes release signing key rather than Detached PGP signature Yes, we already have a Troubleshooting FAQ entry for this situation: https://www.qubes-os.org/security/verifying-signatures/#why-am-i-getting-verify-signatures-failed-unexpected-data (It looks like GPG may have slightly changed their wording from "unexpected data" to "Unexpected error," but it should still be close enough to point you in the right direction.) Well frankly, IMO the name of the wrong file seems more appropriate than the right one. No, a key is completely different from a detached signature file. It would be incorrect to call the signature file a key. It would actually be *more* confusing, since then there would be two different types of things called "keys." How is "Detached PGP signature" supposed to be easy to understand? :-) Detached from what? Detached from the thing being verified (in this case, the ISO) as opposed to being included (as in a clearsigned text file, such as our signed hash values). That's just what it's called in the PGP/GPG world: https://www.gnupg.org/gph/en/manual/x135.html Well, I am sure it is detached from something, but I lost hours for nothing and other users may simply avoid verifying the iso if it is too complicated. That's why we provide such detailed step-by-step instructions and a troubleshooting FAQ at the bottom of the page: https://www.qubes-os.org/security/verifying-signatures/ Once there was only one file that could be downloaded. No, that was never the case with Qubes ISO verification. At minimum, you'd theoretically need two things: The PGP key and the clearsigned data (data + sig in a single file). However, in all of my years using and working on Qubes, I can't recall ever seeing a PGP signature included in an ISO as a single file (i.e., a "clearsigned ISO"). Not sure if it's even possible. Even if it were, it may not be desirable, since the ability to handle the ISO on its own is useful. (This is why we also include signed hash values as an alternative verification method.) Well I understand the additional files may have some additional use It's not like we're including extra files for the heck of it. All of the files we're providing to you are necessary for secure verification. None of them are optional in that process. Please carefully read this page again: https://www.qubes-os.org/security/verifying-signatures/ > but there are a lot of people that are not interested in that and just need an easy and fast way to get it going. For a user who primarily seeks security, it generally doesn't make sense to unsecurely install a high-security OS, since this can easily be a self-defeating exercise. Therefore, we our main focus is on high-security verification. Nonetheless, we also understand that different users seek varying levels of security and that some are attracted to Qubes for primary reasons other than security (e.g., control and compartmentalization, perhaps with security as a bonus). We understand that such users may appreciate another verification method that trades a small amount of security in exchange for a great amount of convenience, and there has been some exploration on this front: https://github.com/QubesOS/qubes-issues/issues/6191 So perhaps it may be more appropriate to add to the detached file also the wording "use this file to follow the Qubes verification tutorial" Sure, if it's possible to include extra comment text that doesn't interfere with the signature, it wouldn't hurt to point to the guide. I'll ask the team about this. -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. T
[qubes-users] Re: cannot verify signatures R4.0.4
On Fri, Mar 26, 2021 at 9:10 AM Franz <169...@gmail.com> wrote: > Hello, > everything seems to work fine: > > gpg2 --check-signatures "Qubes OS Release 4 Signing Key" > pub rsa4096 2017-03-06 [SC] > 5817A43B283DE5A9181A522E1848792F9E2795E9 > uid [ full ] Qubes OS Release 4 Signing Key > sig!31848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key > sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key > gpg: 2 good signatures > > gpg2 -k "Qubes OS Release" > pub rsa4096 2014-11-19 [SC] > C52261BE0A823221D94CA1D1CB11CA1D03FA5082 > uid [ full ] Qubes OS Release 3 Signing Key > pub rsa4096 2017-03-06 [SC] > 5817A43B283DE5A9181A522E1848792F9E2795E9 > uid [ full ] Qubes OS Release 4 Signing Key > > but when I try to verify get unexpected error, even after downloading two > times the files, and even after trying with Fedora and Debian: > > gpg2 -v --verify qubes-release-4-signing-key.asc Qubes-R4.0.4-x86_64.iso > gpg: verify signatures failed: Unexpected error > > I found the problem: I downloaded Qubes release signing key rather than Detached PGP signature Well frankly, IMO the name of the wrong file seems more appropriate than the right one. How is "Detached PGP signature" supposed to be easy to understand? :-) Detached from what? Well, I am sure it is detached from something, but I lost hours for nothing and other users may simply avoid verifying the iso if it is too complicated. Once there was only one file that could be downloaded. Well I understand the additional files may have some additional use, but there are a lot of people that are not interested in that and just need an easy and fast way to get it going. So perhaps it may be more appropriate to add to the detached file also the wording "use this file to follow the Qubes verification tutorial" Best Franz -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAPzH-qA8vf%2BmzbNk7Jtx3geszJ6AGn7FOT8Eyos4qrfgbhgEww%40mail.gmail.com.
Re: [qubes-users] HCL - SuperMicro X11SRA
Greetings from a fellow gaijin,* thank you for your HCL report! It is now part of this pull request: https://github.com/QubesOS/qubes-hcl/pull/55 ... and will be visible on the website soon! /Sven *(lived & worked in Tokyo from 2006-2010) -- public key: https://www.svensemmler.org/0x8F541FB6.asc fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/51aba9b1-3e3f-d0fb-3ce1-1e77cb425092%40SvenSemmler.org. OpenPGP_signature Description: OpenPGP digital signature
[qubes-users] HCL - SuperMicro X11SRA
Legacy boot in BIOS allows installation of R4.0.4 Some overall system stability issues using 5.x Linux kernel (frequent crashes). Performance is stable with a 4.x kernel. sys-net (Fedora 33) will not connect to wired LAN if the kernel is set to 5.x. A 4.x kernel is stable. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3b8998c58aeb42515c71b1a07f65d9a4%40riseup.net. --- layout: 'hcl' type: 'main server chassis' hvm: 'yes' iommu: 'yes' slat: 'yes' tpm: 'unknown' remap: 'yes' brand: | Supermicro model: | Super Server bios: | 1.2b cpu: | Intel(R) Xeon(R) W-2123 CPU @ 3.60GHz cpu-short: | FIXME chipset: | Intel Corporation Sky Lake-E DMI3 Registers [8086:2020] (rev 04) chipset-short: | FIXME gpu: | NVIDIA Corporation Device [10de:1cb6] (rev a1) (prog-if 00 [VGA controller]) gpu-short: | FIXME network: | Intel Corporation Ethernet Connection (2) I219-LM Aquantia Corp. Device d108 (rev 02) memory: | 147148 scsi: | TOSHIBA DT01ACA3 Rev: ABB0 DVDRAM GH24NSD5 Rev: LJ00 ST8000DM004-2CX1 Rev: 0001 WDC WD40EFRX-68N Rev: 0A82 Samsung SSD 840 Rev: BB6Q usb: | 2 versions: - works: 'FIXME:yes|no|partial' qubes: | R4.0 xen: | 4.8.5-30.fc25 kernel: | 4.19.155-1 remark: | FIXME credit: | FIXAUTHOR link: | FIXLINK ---
Re: [qubes-users] Whonix uwtwrapper Error using SSH / torsocks
'qubebe' via qubes-users: > Hi, > > I am new to QubesOS, and now wanted to just ssh into my server. > But if I want to ssh I get the following error message, I didn't changed > anything at the standard config (Whonix-ws-15): > > user@host:~$ ssh > uwtwrapper uwt wrapper ERROR: /usr/bin/ssh.anondist-orig does not exist. > > Could you please help me? > Install ssh. sudo apt update sudo apt install openssh-client -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3d2bf5fe-cbd7-5012-bf8f-5a8ac7d6554d%40whonix.org.
[qubes-users] cannot verify signatures R4.0.4
Hello, everything seems to work fine: gpg2 --check-signatures "Qubes OS Release 4 Signing Key" pub rsa4096 2017-03-06 [SC] 5817A43B283DE5A9181A522E1848792F9E2795E9 uid [ full ] Qubes OS Release 4 Signing Key sig!31848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key gpg: 2 good signatures gpg2 -k "Qubes OS Release" pub rsa4096 2014-11-19 [SC] C52261BE0A823221D94CA1D1CB11CA1D03FA5082 uid [ full ] Qubes OS Release 3 Signing Key pub rsa4096 2017-03-06 [SC] 5817A43B283DE5A9181A522E1848792F9E2795E9 uid [ full ] Qubes OS Release 4 Signing Key but when I try to verify get unexpected error, even after downloading two times the files, and even after trying with Fedora and Debian: gpg2 -v --verify qubes-release-4-signing-key.asc Qubes-R4.0.4-x86_64.iso gpg: verify signatures failed: Unexpected error -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAPzH-qDm7xzBVXsRWmtjuK%2B6sAOkE5agFPpUeqdiy6fikPjeYg%40mail.gmail.com.