From a93b019bef96bdef7230d08f93bcfb4f96675b3c Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Sun, 18 Aug 2019 12:53:10 -0500
Subject: [PATCH] Point out that release keys are included in Qubes
 installations

QubesOS/qubes-issues#4292
---
 project-security/verifying-signatures.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/project-security/verifying-signatures.md b/project-security/verifying-signatures.md
index 7699bc49..d625f6dd 100644
--- a/project-security/verifying-signatures.md
+++ b/project-security/verifying-signatures.md
@@ -153,6 +153,10 @@ Now, when you import any of the legitimate Qubes developer keys and Release Sign
 The filename of the Release Signing Key for your version is `qubes-release-X-signing-key.asc`, where `X` is the major version number of your Qubes release.
 There are several ways to get the Release Signing Key for your Qubes release.
 
+ - If you have access to an existing Qubes installation, the release keys are available in dom0 in `/etc/pki/rpm-gpg/`.
+   These can be copied into other VMs for further use.
+   In addition, every other VM contains the release key corresponding to that installation's release in `/etc/pki/rpm-gpg/`.
+
  - Fetch it with GPG:
 
        $ gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-release-X-signing-key.asc