Re: [qubes-users] I am unable to verify my image. Please help?

2018-01-26 Thread Optimal Joy
> 
> If you have the key files on disk, use --import:
> $ gpg2 --import qubes-master-signing-key.asc
> $ gpg2 --import qubes-release-3-signing-key.asc
> 
> Then use --edit-key to set trust level to 4 on master key:
> $ gpg2 --edit-key 36879494
> gpg> trust
> gpg> save
> 
> Then check that master<>release signatures are valid:
> $ gpg2 --check-sigs
> 
> You'll see the release key as "uid ... Qubes OS Release 3 Signing Key"
> and directly underneath a line like:
> "sig! DDFA1A3E36879494 2017-03-08  Qubes Master Signing Key"
> 
> After all of this, the thing that validates the Signing key is "sig!". 
> It shows the Release key has been signed by the Master key and "!" means 
> the signature is valid.
> 
> At this point, if you have taken care to verify the Master key by 
> retrieving it or viewing its fingerprint through other channels, then 
> your keys are all set. (Some people skip most of this and only import 
> the Singing key and verify its fingerprint, but I digress.)
> 
> You can now do the --verify step.


Thank you Chris (and sorry for the late response). I was able to verify my 
image.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6f0588bf-00dd-4e2a-a081-e7254475a832%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] I am unable to verify my image. Please help?

2018-01-25 Thread Optimal Joy
Hi. New to Qubes, just downloading it, and wish to verify my image.
I have downloaded my images and keys. Also got the master signing key.

user Downloads # wget 
https://mirrors.kernel.org/qubes/iso/Qubes-R3.2-x86_64.iso && wget 
https://keys.qubes-os.org/keys/qubes-release-3-signing-key.asc && wget 
https://mirrors.kernel.org/qubes/iso/Qubes-R3.2-x86_64.iso.asc
...
snip
...

I have these files now in my ~/Downloads directory:

-rw-r--r--  1 elliot elliot 1.6K Jan 25 11:21 qubes-master-signing-key.asc
-rw-r--r--  1 root   root819 Sep 20  2016 Qubes-R3.2-x86_64.iso.asc
-rw-r--r--  1 root   root   4.0G Sep 20  2016 Qubes-R3.2-x86_64.iso
-rw-r--r--  1 root   root   2.4K Nov 19  2014 qubes-release-3-signing-key.asc

I tried this command earlier to fetch the qubes-master key,
~/Downloads $ gpg2 --fetch-keys 
https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
gpg: requesting key from 
'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc'
gpg: WARNING: unable to fetch URI 
https://keys.qubes-os.org/keys/qubes-master-signing-key.asc: General error

Since it wasn't working, I manually downloaded the file from the Qubes site, 
however I am afraid that I only have the file, but have not imported the public 
key.

When trying to verify the iso, I get the following error:

Downloads # gpg2 --verify Qubes-R3.2-x86_64.iso.asc Qubes-R3.2-x86_64.iso
gpg: Signature made Tue 20 Sep 2016 10:33:37 AM PDT using RSA key ID 03FA5082
gpg: Can't check signature: No public key

How can I download/get my Public Key manually? Or what could be wrong with my 
fetch?

Help, thanks!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bfcd7e1e-fc52-4340-87bd-e34f8c15187a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.