On Thursday, March 29, 2018 at 10:58:56 AM UTC-4, Chris Laprise wrote: > On 03/29/2018 10:10 AM, Steven Walker wrote: > > I am pretty much new to Qubes. Can anybody give me simple instructions on > > how to verify my download. I have the iso asc, the digests file, and the > > signing key asc. > > > > Can someone help me through this? > > > > Thank you, > > > > Steven > > > > > Here is a condensed howto which avoids some issues with the Qubes doc > and gpg itself: > https://www.qubes-os.org/security/verifying-signatures/ > > > 1. Get the Qubes master key, preferably from more than one source or > network channel so you can check they are all identical. > > https://keys.qubes-os.org/keys/qubes-master-signing-key.asc > > > 2. Get the signing key and iso files, as you already have. > > > 3. Import the two keys: > > $ gpg2 --import qubes-master-signing-key.asc > $ gpg2 --import qubes-release-4-signing-key.asc > > > 3a. If you wish, additional verification of the Master key: > > $ gpg2 --fingerprint > > > pub rsa4096 2010-04-01 [SC] > > 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494 > > uid [ unknown] Qubes Master Signing Key > > Then search for the Qubes master key fingerprint on a Google or a > keyserver, or view the 'verifying-signatures' doc linked above. Then > compare that hexadecimal fingerprint and make sure whats in your shell > matches what you see in the browser. > > > 4. Verify the release key: > > $ gpg2 --check-sigs > > The output should look like this: > > > pub rsa4096 2017-03-06 [SC] > > 5817A43B283DE5A9181A522E1848792F9E2795E9 > > uid [ unknown] Qubes OS Release 4 Signing Key > > sig!3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key > > sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key > > You should see the Release 4 key in "uid" and nested under it the Master > key. The Master key line must begin with "sig!" including the > exclamation mark! If the exclamation is not present then the key is bad. > > > 5. Verify the iso file: > > $ gpg2 --verify Qubes-R4.0-x86_64.iso.asc Qubes-R4.0-x86_64.iso > > You should see a message "Good signature from "Qubes OS Release 4 > Signing Key" > > > Hope this helps! > > -- > > Chris Laprise, tas...@posteo.net > https://github.com/tasket > https://twitter.com/ttaskett > PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
I just imported the two keys. The version 4 signing key came back with "no ultimately trusted keys found". Is that an issue? I am running it through budgie ubuntu. I currently have no qubes system installed. Am I doing this right? I installed gpg2 in ubuntu to run this commands through terminal Thanks, Steve -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/eeabfe53-15db-4dc2-a4a7-726ee94daa79%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
