On Sat, May 13, 2017 at 03:18:39PM -0500, Andrew David Wong wrote:
> There are many other methods you could use to attempt to verify the
> master key fingerprint aside from relying on the Qubes website. Here's
> a brief, non-exhaustive list:
> 
>  * Use different search engines to search for the fingerprint.
>  * Use Tor to view and search for the fingerprint on various websites.
>  * Use various VPNs and proxy servers.
>  * Use different Wi-Fi networks (work, school, internet cafe, etc.).
>  * Ask people to post the fingerprint in various forums and chat rooms.
>  * Check against PDFs and photographs in which the fingerprint appears
>    (e.g., slides from a talk or on a T-shirt).
>  * Repeat all of the above from different computers and devices.

Good examples! It would be nice if these were also on the verification
page [0].

I would like suggest an additional approach that might be useful as
well, which is using the debian-keyring. Assuming that the system
which you are using to download Qubes is running a legitimate Debian
(oh well), then you can easily verify Qubes' master key, as most of
the ones that signed it are either in that keyring or were signed by
others that are. This is what Tails instructs users to verify their
key in one of their guides [1].

Thanks,
-Felipe

[0]: https://www.qubes-os.org/security/verifying-signatures/
[1]: https://tails.boum.org/install/expert/usb/index.en.html#verify-key

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-devel+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-devel@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/20170513210114.GH6709%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Reply via email to