From c900e1a11b2f511ba23db7f3c7b0cdc00795f3ca Mon Sep 17 00:00:00 2001 From: Vincent Penquerc'h Date: Sun, 20 Apr 2014 19:56:10 +0000 Subject: [PATCH] VerifyingSignatures changed commands to actually verify the iso and signing key --- VerifyingSignatures.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/VerifyingSignatures.md b/VerifyingSignatures.md index 3a4af442..d547d749 100644 --- a/VerifyingSignatures.md +++ b/VerifyingSignatures.md @@ -69,6 +69,26 @@ You can also download all the currently used developers' keys (and also a copy o The developer keys are set to be valid for 1 year only, while the Qubes Master Signing Key has no expiration date. This latter key was generated and is kept only within a dedicated, air-gapped "vault" machine, and the private portion will (hopefully) never leave this isolated machine. +You can now verify the ISO matches its signature: + +``` {.wiki} +$ gpg --verify Qubes-R2-rc1-x86_64-DVD.iso{.asc,} +gpg: Signature made Sun 20 Apr 2014 10:06:13 BST using RSA key ID 0A40E458 +gpg: Good signature from "Qubes OS Release 2 Signing Key" +``` + +The key used to sign this ISO should be signed by the Qubes master key: + +``` {.wiki} +$ gpg --list-sig 0A40E458 +pub 4096R/0A40E458 2012-11-15 +uid Qubes OS Release 2 Signing Key +sig 26CA2CD7 2013-02-26 [User ID not found] +sig C55BCFE3 2014-02-20 [User ID not found] +sig 36879494 2012-11-15 Qubes Master Signing Key +sig 3 0A40E458 2012-11-15 Qubes OS Release 2 Signing Key +``` + Having problems verifying the ISO? See this thread: [​https://groups.google.com/group/qubes-devel/browse\_thread/thread/4bdec1cd19509b38/9f8e219c41e1b232](https://groups.google.com/group/qubes-devel/browse_thread/thread/4bdec1cd19509b38/9f8e219c41e1b232)