Verifying signatures

It's paramount to verify your install media before installing: man-in-the-middle attacks (even over the public Internet) can happen and can result in your install media being compromised.

As a second source for verification, the Qubes master signing key is

pub   4096R/36879494 2010-04-01
      Key fingerprint = 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
uid   Qubes Master Signing Key

See the Qubes documentation on verifying signatures here for a step-by-step guide. That guide is slightly dated, and details such as the GPG output have changed slightly over time.

Create a new Qube

Launch a new disposable Qube. This tutorial uses a Debian Stretch disposable Qube. A disposable Qube is best, as it is the 'cleanest'.

Download the signing key

Run

gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc

With expected output

gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc'

gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key DDFA1A3E36879494: public key "Qubes Master Signing Key" imported
gpg: Total number processed: 1
gpg:               imported: 1

Verify the signing key

Run

gpg --edit-key 0x36879494

With expected output

gpg --edit-key 0x36879494
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa4096/DDFA1A3E36879494
     created: 2010-04-01  expires: never       usage: SC  
     trust: unknown       validity: unknown
[ unknown] (1). Qubes Master Signing Key

gpg> fpr
pub   rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
 Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

gpg> trust
pub  rsa4096/DDFA1A3E36879494
     created: 2010-04-01  expires: never       usage: SC  
     trust: unknown       validity: unknown
[ unknown] (1). Qubes Master Signing Key

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  rsa4096/DDFA1A3E36879494
     created: 2010-04-01  expires: never       usage: SC  
     trust: ultimate      validity: unknown
[ unknown] (1). Qubes Master Signing Key
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> q

Pull down the Qubes 4 signing key

Run

gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc

Expected output

gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc'
gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
gpg: Total number processed: 1
gpg:               imported: 1

Verify the ISO

Run

gpg -v --verify Qubes-R4.0.1-rc1-x86_64.iso.asc Qubes-R4.0.1-rc1-x86_64.iso

with expected output

gpg: Signature made Sun 04 Nov 2018 12:30:48 PM UTC
gpg:                using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: using pgp trust model
gpg: checking the trustdb
gpg: 1 key processed (0 validity counts cleared)
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: Good signature from "Qubes OS Release 4 Signing Key" [full]
gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096

If you see

gpg: Good signature from "Qubes OS Release 4 Signing Key" [full]

then the signature is good: the ISO matches its detached signature, and the [full] validity means gpg trusts the release key through the master key you set to ultimate trust above. Anything else (a "BAD signature" line, or a "Good signature" from a key other than the one named in the "using RSA key" line) means the image has not been verified.
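As an added example (not from this page or from the Qubes project), the same two checks done against gpg's machine-readable output so a script cannot be fooled by a look-alike user ID: compare the master key fingerprint exactly against the one given above, and require a VALIDSIG status line carrying the release key's fingerprint rather than matching on the "Good signature" text. The fingerprints are the ones shown on this page; the sample gpg output embedded below is constructed.

```shell
#!/bin/sh
# Added example, not from the Qubes wiki page: the two checks the procedure
# above does by eye (master key fingerprint, "Good signature" line), run
# against gpg's machine-readable output instead. Sample output is constructed.

# Fingerprints from the page: master key, and the release 4 key from the verify output.
QUBES_MASTER_FPR="427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494"
QUBES_R4_FPR="5817A43B283DE5A9181A522E1848792F9E2795E9"

# Strip whitespace and a 0x prefix, uppercase: "427F 11FD ..." -> "427F11FD..."
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# stdin: output of `gpg --with-colons --fingerprint KEYID`.
# Succeeds only if the first fpr record equals the expected fingerprint.
check_key_fpr() {
    want=$(norm_fpr "$1")
    got=$(awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$got" ] && [ "$(norm_fpr "$got")" = "$want" ]
}

# stdin: status lines from `gpg --status-fd 1 --verify FILE.asc FILE`.
# Requires a VALIDSIG from the expected key and no BAD/ERR/EXPKEY/REVKEY sig;
# GOODSIG alone only names a user ID, which any key can carry.
check_validsig() {
    awk -v want="$(norm_fpr "$1")" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($3) == want { ok = 1 }
        $1 == "[GNUPG:]" && $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(ok && !bad) }'
}

# Constructed samples in gpg's record formats (not captured from a real run).
SAMPLE_MASTER_LISTING='pub:-:4096:1:DDFA1A3E36879494:1270080000:::-:::scSC::::::::
fpr:::::::::427F11FD0FAA4B080123F01CDDFA1A3E36879494:
uid:-::::1270080000::::Qubes Master Signing Key::::::::::0:'
SAMPLE_STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1848792F9E2795E9 Qubes OS Release 4 Signing Key
[GNUPG:] VALIDSIG 5817A43B283DE5A9181A522E1848792F9E2795E9 2018-11-04 1541334648 0 4 0 1 8 00 5817A43B283DE5A9181A522E1848792F9E2795E9
[GNUPG:] TRUST_FULLY 0 pgp'
# Same user ID on some other key: the GOODSIG text is identical, VALIDSIG is not.
SAMPLE_STATUS_WRONG_KEY='[GNUPG:] GOODSIG 0000000000000000 Qubes OS Release 4 Signing Key
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2018-11-04 1541334648 0 4 0 1 8 00 0000000000000000000000000000000000000000'

run_checks() {
    printf '%s\n' "$SAMPLE_MASTER_LISTING" | check_key_fpr "$QUBES_MASTER_FPR" || return 1
    printf '%s\n' "$SAMPLE_STATUS_GOOD" | check_validsig "$QUBES_R4_FPR" || return 1
    ! printf '%s\n' "$SAMPLE_STATUS_WRONG_KEY" | check_validsig "$QUBES_R4_FPR"
}

run_checks && echo "fingerprint and VALIDSIG checks passed"
```

Against a real keyring, feed `gpg --with-colons --fingerprint 0x36879494` to check_key_fpr and `gpg --status-fd 1 --verify Qubes-R4.0.1-rc1-x86_64.iso.asc Qubes-R4.0.1-rc1-x86_64.iso` to check_validsig.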

Security/VerifyingSignatures (last edited 2018-12-08 13:38:57 by admin)