On Sat, May 13, 2017 at 03:18:39PM -0500, Andrew David Wong wrote: > There are many other methods you could use to attempt to verify the > master key fingerprint aside from relying on the Qubes website. Here's > a brief, non-exhaustive list: > > * Use different search engines to search for the fingerprint. > * Use Tor to view and search for the fingerprint on various websites. > * Use various VPNs and proxy servers. > * Use different Wi-Fi networks (work, school, internet cafe, etc.). > * Ask people to post the fingerprint in various forums and chat rooms. > * Check against PDFs and photographs in which the fingerprint appears > (e.g., slides from a talk or on a T-shirt). > * Repeat all of the above from different computers and devices.
Good examples! It would be nice if these were also on the verification page [0]. I would like suggest an additional approach that might be useful as well, which is using the debian-keyring. Assuming that the system which you are using to download Qubes is running a legitimate Debian (oh well), then you can easily verify Qubes' master key, as most of the ones that signed it are either in that keyring or were signed by others that are. This is what Tails instructs users to verify their key in one of their guides [1]. Thanks, -Felipe [0]: https://www.qubes-os.org/security/verifying-signatures/ [1]: https://tails.boum.org/install/expert/usb/index.en.html#verify-key -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To post to this group, send email to qubes-devel@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/20170513210114.GH6709%40riseup.net. For more options, visit https://groups.google.com/d/optout.