Hi,

I was attempting to verify the Qubes iso image today, but was not
convinced of its trustworthiness, as the master signing key (or the
version I have obtained) seems to be signed by surprisingly few
people I might trust.

In [1] it says:
"In addition, some operating systems have built-in keyrings containing
keys capable of validating the Qubes Master Signing Key. For example,
if you have a Debian system, then your debian-keyring may already
contain the necessary keys."

However, in my version of the debian keyring, there seems to be only
one key (Holger Levsen, 091AB856069AAA1C) that has signed the Qubes
Master Signing Key. This seems to be a suspiciously small number for
the claim above that the debian-keyring contains the "necessary keys"
to verify the Qubes Master Signing Key.

Also, I would expect the key to be signed by people such as Joanna,
which does not seem to be the case.

In [1] it also says:
"The point is, of course, that people must choose who they will trust
(e.g., Linus Torvalds, Microsoft, the Qubes Project, etc.) and assume
that if a given file was signed by a trusted party, then it should not
be malicious or buggy in some horrible way. But the decision of
whether to trust any given party is beyond the scope of digital
signatures. It’s more of a sociological and political decision."

In order to be able to trust the Qubes key, I would like to be able to
see signatures by people I am reasonably certain exist, are publicly
known under a certain name, and are associated with certain projects, etc.,
and then find paths from my key to theirs in order to verify that the
key is from who it claims. Unfortunately, I wasn't able to find such
signatures for the Qubes key. I hope there is a plausible explanation
for the lack of signatures from the debian keyring and the main Qubes
developers, or someone points out some silly mistake I made and these
signatures are in fact present (for now I am assuming that the sources
I obtained the iso and the key from are compromised). I am attaching
the list of signatures on my version of the key below [2].

Cheers

[1]: https://www.qubes-os.org/security/verifying-signatures/

[2]:
gpg --keyring /usr/share/keyrings/debian-keyring.gpg --list-sigs DDFA1A3E36879494
pub   rsa4096 2010-04-01 [SC]
      427F11FD0FAA4B080123F01CDDFA1A3E36879494
uid           [ unknown] Qubes Master Signing Key
sig 3        DDFA1A3E36879494 2010-04-01  Qubes Master Signing Key
sig          BAB94304346A5D14 2015-07-23  [User ID not found]
sig          A361949B65863FB6 2015-07-23  [User ID not found]
sig          18F4E359596BF4C5 2016-06-28  [User ID not found]
sig          98BA910BDC7CD1DE 2016-01-18  [User ID not found]
sig          E59015807B481F53 2016-10-05  [User ID not found]
sig          BEF78F80C54B1179 2016-11-09  [User ID not found]
sig          A157436DC3D9C2F5 2017-06-18  [User ID not found]
sig          96E9DEEBACA1EC6D 2017-07-08  [User ID not found]
sig          16DDD8FFAAB5B575 2016-04-07  [User ID not found]
sig          EEAC756152B70E0B 2014-05-30  [User ID not found]
sig          E2AE3676843538F4 2014-06-10  [User ID not found]
sig          2067001B1B678A63 2015-12-10  [User ID not found]
sig          8930975B0BA05E1B 2016-06-14  [User ID not found]
sig          DA4230CC10B0B381 2015-03-05  [User ID not found]
sig          77CC0BFDC4D68105 2015-10-12  [User ID not found]
sig          091AB856069AAA1C 2015-12-02  Holger Levsen <hol...@layer-acht.org>
sig          F8C0B051D67CF73E 2017-01-02  [User ID not found]
sig          84E3926ACE3A08AB 2017-02-23  [User ID not found]
sig          ACA61935CAA2A7B8 2017-04-03  [User ID not found]
sig          61D724CD1937CB57 2017-06-02  [User ID not found]
sig          5B062613F489F90F 2017-06-02  [User ID not found]
sig          1F6750FD3CBDCCE0 2012-12-08  [User ID not found]
sig          1620DC5AC6A07D9C 2014-05-24  [User ID not found]
sig          4EB460F79B747005 2016-01-30  [User ID not found]
sig          31407CC0ED45A9B5 2017-01-20  [User ID not found]
sig          29B7C7E57205BD8E 2017-04-10  [User ID not found]
sig 3        295C746984AF7F0C 2015-12-11  [User ID not found]
sig 3        2F99F921BB77E554 2015-12-11  [User ID not found]
sig 3        0AF62DC0C9D6F090 2015-12-11  [User ID not found]
sig 2        A876A8406F3C6AC7 2017-03-25  [User ID not found]
sig          D63F267FBD457A3B 2017-06-12  [User ID not found]
sig          626FDCC7264685B9 2017-06-12  [User ID not found]
sig 3        4BD7C4EEE2986940 2016-01-04  [User ID not found]
sig          2F6CDC9841891922 2017-09-20  [User ID not found]
sig          153FE398821C8394 2017-01-01  [User ID not found]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CANEwreP7eJV%3DHQdTY27_%3Dp01m%3DME_eCfdo37dUCYO-oa0wdaog%40mail.gmail.com.
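As an added example (not part of the original post or of the Qubes project), the small script below classifies the `gpg --list-sigs` output attached above into the key's self-signature, signers that the keyring being consulted can name, and signers it cannot ("[User ID not found]"). Only the named signers can be connected to a trust path, so the resolved count, not the raw number of signatures, is what the keyring actually vouches for. The `check_key_against_keyring` wrapper assumes gpg is installed; the sample input is constructed from the layout of the attachment.

```shell
#!/bin/sh
# Added example: classify signatures printed by `gpg --list-sigs` (layout as in
# the post's attachment) into self-sig, resolved signers and unresolved signers.
# A signer that the keyring cannot name contributes nothing to a trust path.

# Usage: summarize_sigs KEYID < list-sigs-output
# Prints one line: total=N self=N resolved=N unresolved=N
summarize_sigs() {
    awk -v keyid="$1" '
        $1 == "sig" {
            f = 2
            if ($2 ~ /^[0-9]$/) f = 3      # "sig 3": certification level present
            total++
            if ($f == keyid)                           self++
            else if (index($0, "[User ID not found]")) unresolved++
            else                                       resolved++
        }
        END { printf "total=%d self=%d resolved=%d unresolved=%d\n",
                     total, self, resolved, unresolved }
    '
}

# Usage: resolved_signers KEYID < list-sigs-output
# Prints "KEYID<TAB>User ID" for each signer the keyring could name, self excluded.
resolved_signers() {
    awk -v keyid="$1" '
        $1 == "sig" {
            f = 2; if ($2 ~ /^[0-9]$/) f = 3
            if ($f == keyid || index($0, "[User ID not found]")) next
            uid = ""                       # user ID is everything after the date
            for (i = f + 2; i <= NF; i++) uid = uid (i > f + 2 ? " " : "") $i
            printf "%s\t%s\n", $f, uid
        }
    '
}

# Wrapper around the command from the post (assumes gpg is installed). Restricting
# lookups to the named keyring means a signer only counts as resolved when that
# keyring, not your default one, can name it.
check_key_against_keyring() {
    gpg --no-default-keyring --keyring "$1" --list-sigs "$2" | summarize_sigs "$2"
}

# Constructed sample in the same layout as the post's attachment (abridged).
SAMPLE='pub   rsa4096 2010-04-01 [SC]
uid           [ unknown] Qubes Master Signing Key
sig 3        DDFA1A3E36879494 2010-04-01  Qubes Master Signing Key
sig          BAB94304346A5D14 2015-07-23  [User ID not found]
sig          091AB856069AAA1C 2015-12-02  Holger Levsen <hol...@layer-acht.org>
sig 3        295C746984AF7F0C 2015-12-11  [User ID not found]'

printf '%s\n' "$SAMPLE" | summarize_sigs DDFA1A3E36879494
```

Run against the real keyring with `check_key_against_keyring /usr/share/keyrings/debian-keyring.gpg DDFA1A3E36879494`; on the attachment above the resolved count is exactly the one Holger Levsen signature the post describes.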