On 3/26/21 6:50 PM, Franz wrote:
> On Fri, Mar 26, 2021 at 9:10 AM Franz <169...@gmail.com> wrote:
>
> > Hello,
> > everything seems to work fine:
> >
> > gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
> > pub   rsa4096 2017-03-06 [SC]
> >        5817A43B283DE5A9181A522E1848792F9E2795E9
> > uid           [  full  ] Qubes OS Release 4 Signing Key
> > sig!3        1848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key
> > sig!         DDFA1A3E36879494 2017-03-08  Qubes Master Signing Key
> > gpg: 2 good signatures
> >
> > gpg2 -k "Qubes OS Release"
> > pub   rsa4096 2014-11-19 [SC]
> >        C52261BE0A823221D94CA1D1CB11CA1D03FA5082
> > uid           [  full  ] Qubes OS Release 3 Signing Key
> > pub   rsa4096 2017-03-06 [SC]
> >        5817A43B283DE5A9181A522E1848792F9E2795E9
> > uid           [  full  ] Qubes OS Release 4 Signing Key
> >
> > but when I try to verify I get an unexpected error, even after downloading
> > the files two times, and even after trying with Fedora and Debian:
> >
> > gpg2 -v --verify qubes-release-4-signing-key.asc Qubes-R4.0.4-x86_64.iso
> > gpg: verify signatures failed: Unexpected error

> I found the problem: I downloaded
> Qubes release signing key
> rather than
> Detached PGP signature


Yes, we already have a Troubleshooting FAQ entry for this situation:

https://www.qubes-os.org/security/verifying-signatures/#why-am-i-getting-verify-signatures-failed-unexpected-data

(It looks like GPG may have slightly changed their wording from "unexpected data" to "Unexpected error," but it should still be close enough to point you in the right direction.)

> Well frankly, IMO the name of the wrong file seems more appropriate than the right one.

No, a key is completely different from a detached signature file. It would be incorrect to call the signature file a key. It would actually be *more* confusing, since then there would be two different types of things called "keys."

> How is "Detached PGP signature" supposed to be easy to understand? :-)
> Detached from what?

Detached from the thing being verified (in this case, the ISO) as opposed to being included (as in a clearsigned text file, such as our signed hash values). That's just what it's called in the PGP/GPG world:

https://www.gnupg.org/gph/en/manual/x135.html

> Well, I am sure it is detached from something, but I lost hours for nothing and other users may simply avoid verifying the iso if it is too complicated.

That's why we provide such detailed step-by-step instructions and a troubleshooting FAQ at the bottom of the page:

https://www.qubes-os.org/security/verifying-signatures/

> Once there was only one file that could be downloaded.

No, that was never the case with Qubes ISO verification. At minimum, you'd theoretically need two things: The PGP key and the clearsigned data (data + sig in a single file). However, in all of my years using and working on Qubes, I can't recall ever seeing a PGP signature included in an ISO as a single file (i.e., a "clearsigned ISO"). Not sure if it's even possible. Even if it were, it may not be desirable, since the ability to handle the ISO on its own is useful. (This is why we also include signed hash values as an alternative verification method.)

> Well I understand the additional files may have some additional use

It's not like we're including extra files for the heck of it. All of the files we're providing to you are necessary for secure verification. None of them are optional in that process. Please carefully read this page again:

https://www.qubes-os.org/security/verifying-signatures/

> but there are a lot of people that are not interested in that and just need an easy and fast way to get it going.

For a user who primarily seeks security, it generally doesn't make sense to insecurely install a high-security OS, since this can easily be a self-defeating exercise. Therefore, our main focus is on high-security verification.

Nonetheless, we also understand that different users seek varying levels of security and that some are attracted to Qubes for primary reasons other than security (e.g., control and compartmentalization, perhaps with security as a bonus). We understand that such users may appreciate another verification method that trades a small amount of security in exchange for a great amount of convenience, and there has been some exploration on this front:

https://github.com/QubesOS/qubes-issues/issues/6191

> So perhaps it may be more appropriate to add to the detached file also the
> wording "use this file to follow the Qubes verification tutorial"

Sure, if it's possible to include extra comment text that doesn't interfere with the signature, it wouldn't hurt to point to the guide. I'll ask the team about this.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
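
The mix-up in this thread (the release signing key passed to `gpg2 --verify` where the detached signature belongs) can be caught before GPG runs by reading the file's ASCII-armor header. The script below is an added example, not part of the original messages or of the Qubes project's tooling; the function names and the sample files written by `make_samples` are constructed for illustration.

```shell
#!/bin/sh
# Added example: identify an ASCII-armored OpenPGP file by its armor header
# so a key passed in place of a detached signature fails with a clear message.

# Print key | detached-signature | clearsigned | unknown for file $1.
# Binary (unarmored) files have no armor header and are reported as unknown.
pgp_file_kind() {
    # First armor header wins: a clearsigned file starts with SIGNED MESSAGE
    # and only later contains a SIGNATURE block.
    header=$(sed -n '/^-----BEGIN PGP /{p;q;}' "$1" 2>/dev/null | tr -d '\r')
    case "$header" in
        '-----BEGIN PGP PUBLIC KEY BLOCK-----') echo key ;;
        '-----BEGIN PGP SIGNATURE-----')        echo detached-signature ;;
        '-----BEGIN PGP SIGNED MESSAGE-----')   echo clearsigned ;;
        *)                                      echo unknown ;;
    esac
}

# Verify ISO $2 against detached signature $1; returns 2 on a wrong file type.
verify_iso() {
    sig=$1; iso=$2
    kind=$(pgp_file_kind "$sig")
    case "$kind" in
        detached-signature) ;;
        key) echo "error: $sig is a public key; import it with" \
                  "'gpg2 --import' and pass the detached signature here" >&2
             return 2 ;;
        *)   echo "error: $sig is '$kind', expected a detached signature" >&2
             return 2 ;;
    esac
    gpg2 -v --verify "$sig" "$iso"
}

# Write constructed (non-functional) sample files into directory $1.
make_samples() {
    body='CONSTRUCTED-PLACEHOLDER-NOT-REAL-DATA'
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' "$body" \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$1/key.asc"
    printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '' "$body" \
        '-----END PGP SIGNATURE-----' > "$1/iso.asc"
    printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' '' \
        'constructed digest line' '-----BEGIN PGP SIGNATURE-----' '' "$body" \
        '-----END PGP SIGNATURE-----' > "$1/digests"
}

# Stand-alone use: sh check.sh <signature-file> <iso-file>
if [ "$#" -eq 2 ]; then verify_iso "$1" "$2"; fi
```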
