Re: [qubes-users] I am unable to verify my image. Please help?
>
> If you have the key files on disk, use --import:
> $ gpg2 --import qubes-master-signing-key.asc
> $ gpg2 --import qubes-release-3-signing-key.asc
>
> Then use --edit-key to set trust level to 4 on master key:
> $ gpg2 --edit-key 36879494
> gpg> trust
> gpg> save
>
> Then check that master<>release signatures are valid:
> $ gpg2 --check-sigs
>
> You'll see the release key as "uid ... Qubes OS Release 3 Signing Key"
> and directly underneath a line like:
> "sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key"
>
> After all of this, the thing that validates the Signing key is "sig!".
> It shows the Release key has been signed by the Master key and "!" means
> the signature is valid.
>
> At this point, if you have taken care to verify the Master key by
> retrieving it or viewing its fingerprint through other channels, then
> your keys are all set. (Some people skip most of this and only import
> the Signing key and verify its fingerprint, but I digress.)
>
> You can now do the --verify step.

Thank you Chris (and sorry for the late response). I was able to verify my image.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6f0588bf-00dd-4e2a-a081-e7254475a832%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] I am unable to verify my image. Please help?
On 01/25/2018 03:33 PM, Optimal Joy wrote:
> Hi. New to Qubes, just downloading it, and wish to verify my image.
>
> I have downloaded my images and keys. Also got the master signing key.
>
> user Downloads # wget https://mirrors.kernel.org/qubes/iso/Qubes-R3.2-x86_64.iso && wget https://keys.qubes-os.org/keys/qubes-release-3-signing-key.asc && wget https://mirrors.kernel.org/qubes/iso/Qubes-R3.2-x86_64.iso.asc
> ... snip ...
>
> I have these files now in my ~/Downloads directory:
>
> -rw-r--r-- 1 elliot elliot 1.6K Jan 25 11:21 qubes-master-signing-key.asc
> -rw-r--r-- 1 root root  819 Sep 20 2016 Qubes-R3.2-x86_64.iso.asc
> -rw-r--r-- 1 root root 4.0G Sep 20 2016 Qubes-R3.2-x86_64.iso
> -rw-r--r-- 1 root root 2.4K Nov 19 2014 qubes-release-3-signing-key.asc
>
> I tried this command earlier to fetch the qubes-master key,
>
> ~/Downloads $ gpg2 --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
> gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc'
> gpg: WARNING: unable to fetch URI https://keys.qubes-os.org/keys/qubes-master-signing-key.asc: General error
>
> Since it wasn't working, I manually downloaded the file from the Qubes site, however I am afraid that I only have the file, but have not imported the public key.
>
> When trying to verify the iso, I get the following error:
>
> Downloads # gpg2 --verify Qubes-R3.2-x86_64.iso.asc Qubes-R3.2-x86_64.iso
> gpg: Signature made Tue 20 Sep 2016 10:33:37 AM PDT using RSA key ID 03FA5082
> gpg: Can't check signature: No public key
>
> How can I download/get my Public Key manually? Or what could be wrong with my fetch?
>
> Help, thanks!

If you have the key files on disk, use --import:
$ gpg2 --import qubes-master-signing-key.asc
$ gpg2 --import qubes-release-3-signing-key.asc

Then use --edit-key to set trust level to 4 on master key:
$ gpg2 --edit-key 36879494
gpg> trust
gpg> save

Then check that master<>release signatures are valid:
$ gpg2 --check-sigs

You'll see the release key as "uid ... Qubes OS Release 3 Signing Key"
and directly underneath a line like:
"sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key"

After all of this, the thing that validates the Signing key is "sig!".
It shows the Release key has been signed by the Master key and "!" means
the signature is valid.

At this point, if you have taken care to verify the Master key by
retrieving it or viewing its fingerprint through other channels, then
your keys are all set. (Some people skip most of this and only import
the Signing key and verify its fingerprint, but I digress.)

You can now do the --verify step.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

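Added example, not part of the thread: the "sig!" check from the reply above, done on the machine-readable form of the same listing (`gpg2 --check-sigs --with-colons`) so a script can refuse to continue when the master signature is bad or unchecked. The function names and the long key ID AAAAAAAA03FA5082 are placeholders made up for this example; only 03FA5082 and DDFA1A3E36879494 come from the messages.

```shell
#!/bin/sh
# Reads `gpg2 --check-sigs --with-colons` output on stdin and succeeds only if
# the key whose ID ends in $1 has, under one of its user IDs, a certification
# by long key ID $2 that gpg checked as good. In colon output field 1 is the
# record type, field 5 the key ID, and on "sig" records field 2 starts with
# the check result:  ! good   - bad   ? signer key not in keyring   % error
# Real use: gpg2 --check-sigs --with-colons | has_good_sig 03FA5082 DDFA1A3E36879494
has_good_sig() {
    awk -F: -v subj="$1" -v signer="$2" '
        BEGIN { subj = toupper(subj); signer = toupper(signer) }
        $1 == "pub" {                # a new key block starts here
            id = toupper($5)
            in_key = (length(id) >= length(subj) &&
                      substr(id, length(id) - length(subj) + 1) == subj)
            on_uid = 0
        }
        $1 == "uid" { on_uid = 1 }   # certifications follow the user ID
        $1 == "sub" { on_uid = 0 }   # subkey binding sigs are not certifications
        in_key && on_uid && $1 == "sig" &&
            toupper($5) == signer && substr($2, 1, 1) == "!" { found = 1 }
        END { exit !found }
    '
}

# Constructed listing (not real gpg output): placeholder long ID for the
# release key, timestamps and other unused fields left empty.
release_block() {   # $1 = check result reported for the master signature
    printf '%s\n' \
        'pub:-:4096:1:AAAAAAAA03FA5082::::-:::scESC:' \
        'uid:-::::::::Qubes OS Release 3 Signing Key:' \
        'sig:!::1:AAAAAAAA03FA5082:::::Qubes OS Release 3 Signing Key:13x:' \
        "sig:$1::1:DDFA1A3E36879494:::::Qubes Master Signing Key:10x:"
}

for result in '!' '-' '?'; do
    if release_block "$result" | has_good_sig 03FA5082 DDFA1A3E36879494; then
        echo "sig$result -> release key is certified by the master key"
    else
        echo "sig$result -> NOT certified, do not go on to --verify"
    fi
done
```

Matching the release key by its 8-character short ID is only as strong as the short ID itself; pass the full fingerprint-derived long ID once you have confirmed it through another channel.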
[qubes-users] I am unable to verify my image. Please help?
Hi. New to Qubes, just downloading it, and wish to verify my image.

I have downloaded my images and keys. Also got the master signing key.

user Downloads # wget https://mirrors.kernel.org/qubes/iso/Qubes-R3.2-x86_64.iso && wget https://keys.qubes-os.org/keys/qubes-release-3-signing-key.asc && wget https://mirrors.kernel.org/qubes/iso/Qubes-R3.2-x86_64.iso.asc
... snip ...

I have these files now in my ~/Downloads directory:

-rw-r--r-- 1 elliot elliot 1.6K Jan 25 11:21 qubes-master-signing-key.asc
-rw-r--r-- 1 root root  819 Sep 20 2016 Qubes-R3.2-x86_64.iso.asc
-rw-r--r-- 1 root root 4.0G Sep 20 2016 Qubes-R3.2-x86_64.iso
-rw-r--r-- 1 root root 2.4K Nov 19 2014 qubes-release-3-signing-key.asc

I tried this command earlier to fetch the qubes-master key,

~/Downloads $ gpg2 --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc'
gpg: WARNING: unable to fetch URI https://keys.qubes-os.org/keys/qubes-master-signing-key.asc: General error

Since it wasn't working, I manually downloaded the file from the Qubes site, however I am afraid that I only have the file, but have not imported the public key.

When trying to verify the iso, I get the following error:

Downloads # gpg2 --verify Qubes-R3.2-x86_64.iso.asc Qubes-R3.2-x86_64.iso
gpg: Signature made Tue 20 Sep 2016 10:33:37 AM PDT using RSA key ID 03FA5082
gpg: Can't check signature: No public key

How can I download/get my Public Key manually? Or what could be wrong with my fetch?

Help, thanks!