Re: [qubes-users] Re: What is the SHA-256 checksum of the Qubes-R4.0.1-x86_64 ISO?

2019-08-19 Thread O K
Ok sorry didn't know about the top posting thing, will be sure not to do
it.  My Qubes installer has been verified!  Yay!  thanks to everyone for
your help!

On Mon, Aug 19, 2019 at 12:16 PM unman  wrote:

> On Sun, Aug 18, 2019 at 01:32:51PM -0700, O K wrote:
> > But what I don't understand is how to get the fingerprint of the master key
> > that I downloaded, so I can compare it to the ones online.  The number in
> > the text is much longer than the fingerprint.
> >
> > On Sunday, August 18, 2019 at 1:43:41 PM UTC-4, Andrew David Wong wrote:
> > >
> > > -BEGIN PGP SIGNED MESSAGE-
> > > Hash: SHA512
> > >
> > > On 18/08/2019 11.56 AM, O K wrote:
> > > > Well the issue is the computer doesn't have access to internet at
> > > > the moment.  I have the sig file, master key file, and the iso, I
> > > > just want to know if there is some way to go through the whole
> > > > process of verification without the internet, by just checking
> > > > numbers manually.
> > > >
> > >
> > > Yes:
> > >
> > > 1. Hash the ISO on the computer without internet access.
> > >
> > > 2. On a computer with internet access, verify the signature on the
> > >    .DIGESTS file (or otherwise obtain a verified hash value).
> > >
> > > 3. Manually compare the value generated in step 1 with the corresponding
> > >    verified value obtained in step 2 in order to ensure they match.
> > >
> > > P.S. -- Please avoid top-posting.
> > >
> > > > On Saturday, August 17, 2019 at 2:41:49 PM UTC-4,
> > > > sourcexorapprentice wrote:
> > > >>
> > > >> The process is to verify the Qubes ISO signature is correct, and
> > > >> not to trust a SHA256 checksum posted on the same website hosting
> > > >> the file. The hash only confirms the integrity and not the
> > > >> validity of the file (which may be infected). It's a security
> > > >> theater exercise we're used to doing elsewhere in order to
> > > >> provide us with the warm fuzzy feeling of a false sense of
> > > >> security.
> > > >>
> > > >> Instructions here on how to verify the latest Qubes ISO is
> > > >> legitimate:
> > > >> https://www.qubes-os.org/security/verifying-signatures/
> > > >>
> > >
> > > - --
> > > Andrew David Wong (Axon)
> > > Community Manager, Qubes OS
> > > https://www.qubes-os.org
> > >
> > > -BEGIN PGP SIGNATURE-
> > >
> > > -END PGP SIGNATURE-
> > >
>
> Don't top-post on this list.
> If your mailer puts the cursor at the top of the message, scroll to the
> bottom before you start typing.
> It takes you seconds, but makes it easier for everyone else who reads
> your messages.
>
> Did you read the guide here -
> https://www.qubes-os.org/doc/installation-guide/
>
> The signature on the web site uses short form (Qubes Master Signing Key
> (0xDDFA1A3E36879494) )
> gpg qubes-master-signing-key.asc
> gpg: WARNING: no command supplied.  Trying to guess what you mean ...
> pub   rsa4096 2010-04-01 [SC]
>   427F11FD0FAA4B080123F01CDDFA1A3E36879494
> uid   Qubes Master Signing Key
>
> That is long form of fingerprint - if you look at the end you will see
> *the same* characters.
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "qubes-users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/qubes-users/_nvI2ypREpY/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> qubes-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/20190819161614.GA32650%40thirdeyesecurity.org
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAF5PH%3DWeDC0DST2pDXb_dyqjiYga5hTxS0r3C7vXt7ja2k3LWw%40mail.gmail.com.


Re: [qubes-users] Re: What is the SHA-256 checksum of the Qubes-R4.0.1-x86_64 ISO?

2019-08-19 Thread unman
On Sun, Aug 18, 2019 at 01:32:51PM -0700, O K wrote:
> But what I don't understand is how to get the fingerprint of the master key 
> that I downloaded, so I can compare it to the ones online.  The number in 
> the text is much longer than the fingerprint.
> 
> On Sunday, August 18, 2019 at 1:43:41 PM UTC-4, Andrew David Wong wrote:
> >
> > -BEGIN PGP SIGNED MESSAGE- 
> > Hash: SHA512 
> >
> > On 18/08/2019 11.56 AM, O K wrote: 
> > > Well the issue is the computer doesn't have access to internet at 
> > > the moment.  I have the sig file, master key file, and the iso, I 
> > > just want to know if there is some way to go through the whole 
> > > process of verification without the internet, by just checking 
> > > numbers manually. 
> > > 
> >
> > Yes: 
> >
> > 1. Hash the ISO on the computer without internet access. 
> >
> > 2. On a computer with internet access, verify the signature on the 
> >    .DIGESTS file (or otherwise obtain a verified hash value). 
> >
> > 3. Manually compare the value generated in step 1 with the corresponding 
> >    verified value obtained in step 2 in order to ensure they match. 
> >
> > P.S. -- Please avoid top-posting. 
> >
> > > On Saturday, August 17, 2019 at 2:41:49 PM UTC-4, 
> > > sourcexorapprentice wrote: 
> > >> 
> > >> The process is to verify the Qubes ISO signature is correct, and 
> > >> not to trust a SHA256 checksum posted on the same website hosting 
> > >> the file. The hash only confirms the integrity and not the 
> > >> validity of the file (which may be infected). It's a security 
> > >> theater exercise we're used to doing elsewhere in order to 
> > >> provide us with the warm fuzzy feeling of a false sense of 
> > >> security. 
> > >> 
> > >> Instructions here on how to verify the latest Qubes ISO is 
> > >> legitimate: 
> > >> https://www.qubes-os.org/security/verifying-signatures/ 
> > >> 
> >
> > - -- 
> > Andrew David Wong (Axon) 
> > Community Manager, Qubes OS 
> > https://www.qubes-os.org 
> >
> > -BEGIN PGP SIGNATURE- 
> >
> > -END PGP SIGNATURE- 
> >

Don't top-post on this list.
If your mailer puts the cursor at the top of the message, scroll to the
bottom before you start typing.
It takes you seconds, but makes it easier for everyone else who reads
your messages.

Did you read the guide here - https://www.qubes-os.org/doc/installation-guide/

The signature on the web site uses short form (Qubes Master Signing Key
(0xDDFA1A3E36879494) )
gpg qubes-master-signing-key.asc 
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2010-04-01 [SC]
  427F11FD0FAA4B080123F01CDDFA1A3E36879494
uid   Qubes Master Signing Key

That is long form of fingerprint - if you look at the end you will see
*the same* characters.
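
The comparison described above, as an added example that is not part of the original message: it reads the fingerprint from gpg's machine-readable output and checks it against the key ID and fingerprint quoted in this thread. The function names are hypothetical and the colon-format sample is constructed from the values shown above, so the script runs without gpg or the key file.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Qubes project.

# Values quoted in the message above.
QMSK_FPR=427F11FD0FAA4B080123F01CDDFA1A3E36879494
QMSK_KEYID=0xDDFA1A3E36879494

# Constructed, trimmed sample of what
#   gpg --show-keys --with-colons qubes-master-signing-key.asc
# prints; in real use, pipe that command into primary_fpr instead.
sample_colons() {
cat <<'EOF'
pub:-:4096:1:DDFA1A3E36879494:1270080000:::-:::scSC:
fpr:::::::::427F11FD0FAA4B080123F01CDDFA1A3E36879494:
uid:-::::1270080000::::Qubes Master Signing Key:
EOF
}

# Print the first "fpr" record (field 10); it belongs to the primary key.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Strip spaces, colons and a leading 0x, then upper-case, so values copied
# from a web page and from gpg compare equal.
normalize_hex() {
    printf '%s' "$1" | tr -d ' :\t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# True when VALUE is exactly LEN upper-case hex digits.
is_hex_of_len() {
    printf '%s' "$1" | grep -Eq "^[0-9A-F]{$2}\$"
}

# Full comparison of all 40 hex digits of two fingerprints.
fingerprints_equal() {
    a=$(normalize_hex "$1"); b=$(normalize_hex "$2")
    is_hex_of_len "$a" 40 && is_hex_of_len "$b" 40 && [ "$a" = "$b" ]
}

# A 16-digit key ID is the last 16 hex digits of the 40-digit fingerprint.
# Returns 0 on match, 1 on mismatch, 2 if either value has the wrong length.
keyid_is_tail_of() {
    f=$(normalize_hex "$1"); k=$(normalize_hex "$2")
    is_hex_of_len "$f" 40 || return 2
    is_hex_of_len "$k" 16 || return 2
    tail=$(printf '%s' "$f" | cut -c25-40)
    [ "$tail" = "$k" ]
}

fpr=$(sample_colons | primary_fpr)
if fingerprints_equal "$fpr" "$QMSK_FPR" && keyid_is_tail_of "$fpr" "$QMSK_KEYID"; then
    echo "fingerprint matches: $fpr"
else
    echo "MISMATCH: do not trust this key file" >&2
fi
```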



[qubes-users] Re: What is the SHA-256 checksum of the Qubes-R4.0.1-x86_64 ISO?

2019-08-18 Thread American Qubist 001

O K you have asked many different questions as you have proceeded, and I 
don't have a problem with that. At this point, you are asking the same 
question as this thread. I direct you to the stack exchange link in that 
thread, which does ask other questions but they hinge on the answer to the 
question of what gpg command will work to see the footprint of the 
xxx.pubkey file. 
https://groups.google.com/forum/#!topic/qubes-users/v9aaQ1SAG9I



Re: [qubes-users] Re: What is the SHA-256 checksum of the Qubes-R4.0.1-x86_64 ISO?

2019-08-18 Thread American Qubist 001


*On Sunday, August 18, 2019 at 1:20:30 PM UTC-7, O K wrote:*
>
> *Ok, I figured out the difference between sha and other process and I 
> guess it would be better to use the other process.  I found some good 
> instructions along with qubes instructions so I will try to implement 
> those.  Thanks.*
>
>
Reply: I perform both the sha256sum verification on all downloaded ISOs 
and also, unless I am lazy or in a rush, verify the signatures with gpg. As 
stated in another reply, this safeguards in case there is a fake sha256sum 
which, conveniently, matches a fake ISO installed by a malicious actor. 

OK wrote:  Re: What is the SHA-256 checksum of the Qubes-R4.0.1-x86_64 ISO?
Yeah, I just want to know how to get the actual SHA-256 of the Qubes ISO. 
 I don't know how to use DIGESTS.  Is verifying the master file and sig 
file a different process than comparing the sha-256? 


Reply: They are different as per my above answer. However, afaik both not 
either.

Tip: If you have the DIGEST, finding it often being the hard part, you are 
home free. Just find the line that corresponds to the version of the ISO 
you have. The correct sha256sum is listed right there.

*OK wrote:   Sorry, I know it's a pain bc I don't know much, but a yes or 
no is fine, I just want to be sure* 

I've been into Qubes about three years and still consider myself a newbie. Tip: do 
as much reading and tweaking on one's own before posting.

*OK wrote: And what is top-posting?  Thanks*.

Top posting is when you write above rather than below what you are replying 
to. It is sometimes the default when you hit "Reply" on email, so afaik it 
is better to go to the google groups web page where you have more control.



Re: [qubes-users] Re: What is the SHA-256 checksum of the Qubes-R4.0.1-x86_64 ISO?

2019-08-18 Thread O K
But what I don't understand is how to get the fingerprint of the master key 
that I downloaded, so I can compare it to the ones online.  The number in 
the text is much longer than the fingerprint.

On Sunday, August 18, 2019 at 1:43:41 PM UTC-4, Andrew David Wong wrote:
>
> -BEGIN PGP SIGNED MESSAGE- 
> Hash: SHA512 
>
> On 18/08/2019 11.56 AM, O K wrote: 
> > Well the issue is the computer doesn't have access to internet at 
> > the moment.  I have the sig file, master key file, and the iso, I 
> > just want to know if there is some way to go through the whole 
> > process of verification without the internet, by just checking 
> > numbers manually. 
> > 
>
> Yes: 
>
> 1. Hash the ISO on the computer without internet access. 
>
> 2. On a computer with internet access, verify the signature on the 
>    .DIGESTS file (or otherwise obtain a verified hash value). 
>
> 3. Manually compare the value generated in step 1 with the corresponding 
>    verified value obtained in step 2 in order to ensure they match. 
>
> P.S. -- Please avoid top-posting. 
>
> > On Saturday, August 17, 2019 at 2:41:49 PM UTC-4, 
> > sourcexorapprentice wrote: 
> >> 
> >> The process is to verify the Qubes ISO signature is correct, and 
> >> not to trust a SHA256 checksum posted on the same website hosting 
> >> the file. The hash only confirms the integrity and not the 
> >> validity of the file (which may be infected). It's a security 
> >> theater exercise we're used to doing elsewhere in order to 
> >> provide us with the warm fuzzy feeling of a false sense of 
> >> security. 
> >> 
> >> Instructions here on how to verify the latest Qubes ISO is 
> >> legitimate: 
> >> https://www.qubes-os.org/security/verifying-signatures/ 
> >> 
>
> - -- 
> Andrew David Wong (Axon) 
> Community Manager, Qubes OS 
> https://www.qubes-os.org 
>
> -BEGIN PGP SIGNATURE- 
>
> -END PGP SIGNATURE- 
>
>



Re: [qubes-users] Re: What is the SHA-256 checksum of the Qubes-R4.0.1-x86_64 ISO?

2019-08-18 Thread O K
Ok, I figured out the difference between sha and other process and I guess 
it would be better to use the other process.  I found some good 
instructions along with qubes instructions so I will try to implement 
those.  Thanks.

On Sunday, August 18, 2019 at 1:43:41 PM UTC-4, Andrew David Wong wrote:
>
> -BEGIN PGP SIGNED MESSAGE- 
> Hash: SHA512 
>
> On 18/08/2019 11.56 AM, O K wrote: 
> > Well the issue is the computer doesn't have access to internet at 
> > the moment.  I have the sig file, master key file, and the iso, I 
> > just want to know if there is some way to go through the whole 
> > process of verification without the internet, by just checking 
> > numbers manually. 
> > 
>
> Yes: 
>
> 1. Hash the ISO on the computer without internet access. 
>
> 2. On a computer with internet access, verify the signature on the 
>    .DIGESTS file (or otherwise obtain a verified hash value). 
>
> 3. Manually compare the value generated in step 1 with the corresponding 
>    verified value obtained in step 2 in order to ensure they match. 
>
> P.S. -- Please avoid top-posting. 
>
> > On Saturday, August 17, 2019 at 2:41:49 PM UTC-4, 
> > sourcexorapprentice wrote: 
> >> 
> >> The process is to verify the Qubes ISO signature is correct, and 
> >> not to trust a SHA256 checksum posted on the same website hosting 
> >> the file. The hash only confirms the integrity and not the 
> >> validity of the file (which may be infected). It's a security 
> >> theater exercise we're used to doing elsewhere in order to 
> >> provide us with the warm fuzzy feeling of a false sense of 
> >> security. 
> >> 
> >> Instructions here on how to verify the latest Qubes ISO is 
> >> legitimate: 
> >> https://www.qubes-os.org/security/verifying-signatures/ 
> >> 
>
> - -- 
> Andrew David Wong (Axon) 
> Community Manager, Qubes OS 
> https://www.qubes-os.org 
>
> -BEGIN PGP SIGNATURE- 
>
> -END PGP SIGNATURE- 
>
>



Re: [qubes-users] Re: What is the SHA-256 checksum of the Qubes-R4.0.1-x86_64 ISO?

2019-08-18 Thread O K
Yeah, I just want to know how to get the actual SHA-256 of the Qubes ISO. 
 I don't know how to use DIGESTS.  Is verifying the master file and sig 
file a different process than comparing the sha-256?  Do they provide the 
same level of security?  Sorry, I know it's a pain bc I don't know much, 
but a yes or no is fine, I just want to be sure either process is fine. 
 Checking sha-256 would be easiest for me since I already have it for the 
file I downloaded.  And what is top-posting?  Thanks.

On Sunday, August 18, 2019 at 1:43:41 PM UTC-4, Andrew David Wong wrote:
>
> -BEGIN PGP SIGNED MESSAGE- 
> Hash: SHA512 
>
> On 18/08/2019 11.56 AM, O K wrote: 
> > Well the issue is the computer doesn't have access to internet at 
> > the moment.  I have the sig file, master key file, and the iso, I 
> > just want to know if there is some way to go through the whole 
> > process of verification without the internet, by just checking 
> > numbers manually. 
> > 
>
> Yes: 
>
> 1. Hash the ISO on the computer without internet access. 
>
> 2. On a computer with internet access, verify the signature on the 
>    .DIGESTS file (or otherwise obtain a verified hash value). 
>
> 3. Manually compare the value generated in step 1 with the corresponding 
>    verified value obtained in step 2 in order to ensure they match. 
>
> P.S. -- Please avoid top-posting. 
>
> > On Saturday, August 17, 2019 at 2:41:49 PM UTC-4, 
> > sourcexorapprentice wrote: 
> >> 
> >> The process is to verify the Qubes ISO signature is correct, and 
> >> not to trust a SHA256 checksum posted on the same website hosting 
> >> the file. The hash only confirms the integrity and not the 
> >> validity of the file (which may be infected). It's a security 
> >> theater exercise we're used to doing elsewhere in order to 
> >> provide us with the warm fuzzy feeling of a false sense of 
> >> security. 
> >> 
> >> Instructions here on how to verify the latest Qubes ISO is 
> >> legitimate: 
> >> https://www.qubes-os.org/security/verifying-signatures/ 
> >> 
>
> - -- 
> Andrew David Wong (Axon) 
> Community Manager, Qubes OS 
> https://www.qubes-os.org 
>
> -BEGIN PGP SIGNATURE- 
>
> -END PGP SIGNATURE- 
>
>



Re: [qubes-users] Re: What is the SHA-256 checksum of the Qubes-R4.0.1-x86_64 ISO?

2019-08-18 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 18/08/2019 11.56 AM, O K wrote:
> Well the issue is the computer doesn't have access to internet at
> the moment.  I have the sig file, master key file, and the iso, I
> just want to know if there is some way to go through the whole
> process of verification without the internet, by just checking
> numbers manually.
> 

Yes:

1. Hash the ISO on the computer without internet access.

2. On a computer with internet access, verify the signature on the
   .DIGESTS file (or otherwise obtain a verified hash value).

3. Manually compare the value generated in step 1 with the corresponding
   verified value obtained in step 2 in order to ensure they match.

P.S. -- Please avoid top-posting.

> On Saturday, August 17, 2019 at 2:41:49 PM UTC-4,
> sourcexorapprentice wrote:
>> 
>> The process is to verify the Qubes ISO signature is correct, and
>> not to trust a SHA256 checksum posted on the same website hosting
>> the file. The hash only confirms the integrity and not the
>> validity of the file (which may be infected). It's a security
>> theater exercise we're used to doing elsewhere in order to
>> provide us with the warm fuzzy feeling of a false sense of
>> security.
>> 
>> Instructions here on how to verify the latest Qubes ISO is
>> legitimate: 
>> https://www.qubes-os.org/security/verifying-signatures/
>> 

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-
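
Steps 1 and 3 of the procedure above, as an added example that is not part of the original message. It assumes the .DIGESTS file is a clearsigned text file with one "<hex digest> *<file name>" line per hash algorithm, and that its signature was already checked with gpg in step 2; the function names are hypothetical and the ISO and DIGESTS files are small constructed stand-ins so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Qubes project.

# Print only the lines the clearsign signature covers: after the blank line
# that ends the "Hash:" headers, before the signature block. Anything outside
# that range is not protected by the signature and is ignored.
signed_body() {
    awk '
        /^-----BEGIN PGP SIGNED MESSAGE-----/ { state = 1; next }
        state == 1 && /^$/                     { state = 2; next }
        /^-----BEGIN PGP SIGNATURE-----/       { state = 3 }
        state == 2                             { print }
    ' "$1"
}

# expected_sha256 DIGESTS NAME: the SHA-256 entry is the 64-hex-digit line
# for NAME. Fails (exit 1) unless exactly one such line exists.
expected_sha256() {
    signed_body "$1" | awk -v name="$2" '
        { f = $2; sub(/^\*/, "", f) }
        f == name && length($1) == 64 && $1 ~ /^[0-9a-fA-F]+$/ { h = tolower($1); n++ }
        END { if (n == 1) print h; exit (n == 1 ? 0 : 1) }'
}

# Step 1: hash the file locally (no network needed).
actual_sha256() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Step 3: 0 = match, 1 = mismatch, 2 = no usable SHA-256 entry in DIGESTS.
iso_matches_digests() {
    want=$(expected_sha256 "$2" "$(basename "$1")") || return 2
    have=$(actual_sha256 "$1")
    [ "$want" = "$have" ]
}

# Build constructed sample files in directory $1: a tiny stand-in "ISO" and a
# DIGESTS file with a 32-hex (MD5-length) line, the real SHA-256 line, and an
# unsigned trailer after the signature that must not be trusted.
make_sample() {
    iso="$1/Qubes-R4.0.1-x86_64.iso"
    printf 'constructed stand-in for the ISO image\n' > "$iso"
    {
        printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' ''
        printf '%s *%s\n' 'd41d8cd98f00b204e9800998ecf8427e' "${iso##*/}"
        printf '%s *%s\n' "$(actual_sha256 "$iso")" "${iso##*/}"
        printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '(omitted)' '-----END PGP SIGNATURE-----'
        printf '%064d *%s\n' 0 "${iso##*/}"
    } > "$iso.DIGESTS"
}

tmp=$(mktemp -d) && make_sample "$tmp"
if iso_matches_digests "$tmp/Qubes-R4.0.1-x86_64.iso" "$tmp/Qubes-R4.0.1-x86_64.iso.DIGESTS"; then
    echo "OK: ISO hash equals the signed SHA-256 entry"
else
    echo "FAIL: hash mismatch or no SHA-256 entry" >&2
fi
rm -rf "$tmp"
```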



[qubes-users] Re: What is the SHA-256 checksum of the Qubes-R4.0.1-x86_64 ISO?

2019-08-18 Thread O K
Well the issue is the computer doesn't have access to internet at the 
moment.  I have the sig file, master key file, and the iso, I just want to 
know if there is some way to go through the whole process of verification 
without the internet, by just checking numbers manually.

On Saturday, August 17, 2019 at 2:41:49 PM UTC-4, sourcexorapprentice wrote:
>
> The process is to verify the Qubes ISO signature is correct, and not to 
> trust a SHA256 checksum posted on the same website hosting the file. The 
> hash only confirms the integrity and not the validity of the file (which 
> may be infected). It's a security theater exercise we're used to doing 
> elsewhere in order to provide us with the warm fuzzy feeling of a false 
> sense of security.
>
> Instructions here on how to verify the latest Qubes ISO is legitimate:
> https://www.qubes-os.org/security/verifying-signatures/
>
>



[qubes-users] Re: What is the SHA-256 checksum of the Qubes-R4.0.1-x86_64 ISO?

2019-08-17 Thread sourcexorapprentice
The process is to verify the Qubes ISO signature is correct, and not to 
trust a SHA256 checksum posted on the same website hosting the file. The 
hash only confirms the integrity and not the validity of the file (which 
may be infected). It's a security theater exercise we're used to doing 
elsewhere in order to provide us with the warm fuzzy feeling of a false 
sense of security.

Instructions here on how to verify the latest Qubes ISO is legitimate:
https://www.qubes-os.org/security/verifying-signatures/
