Git-Mirrors
/
qubes-doc
mirror of https://github.com/QubesOS/qubes-doc.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Improve ordering, presentation, and organization of information 

- Generalize "PGP key inclusion criteria" to "PGP key policies"
- Move key signing notice to new section
- Deduplicate key signing notice
- Convert bolded lines to headings
This commit is contained in:
Andrew David Wong 2021-07-24 11:29:34 -07:00
parent 9ffc1f7670
commit 0c048c58a0
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17
2 changed files with 26 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
project-security/security-pack.md
View File

@ -50,7 +50,8 @@ software](/security/verifying-signatures/#openpgp-software).
Checking connectivity... done.
```
2. Import the included PGP keys.
2. Import the included PGP keys. See our [PGP key policies](#pgp-key-policies)
for important information about these keys.
```shell_session
$ gpg --import qubes-secpack/keys/*/*
@ -85,11 +86,6 @@ software](/security/verifying-signatures/#openpgp-software).
3. [Authenticate and set the trust level of the Qubes Master Signing Key
(QMSK).](/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key)
**Note:** Only some keys in the qubes-secpack are signed by the QMSK. Keys
that are not signed directly by the QMSK are still signed indirectly by
virtue of being included in the qubes-secpack, which is itself signed (via
Git tags and/or commits) by keys that are in turn signed by the QMSK.
4. Verify signed Git tags.
```shell_session
@ -129,16 +125,23 @@ signatures) are provided to ensure that the system is robust (e.g., against a
potential failure in Git tag-based verification) and to give users more options
to verify the files.
## PGP key inclusion criteria
## PGP key policies
The qubes-secpack generally includes only those PGP keys used to sign some kind
of official project asset, such as Qubes release ISOs (release signing keys),
Git tags and commits (code signing, doc signing, and security team keys), and
the qubes-secpack's own files and Git tags (security team keys again). This
means that email keys are generally not included, even for official project
email addresses. There is one exception to this rule: the official [Qubes
security team](/security/#qubes-security-team) email address, which is used to
report security vulnerabilities in Qubes OS to our security team.
- **Inclusion criteria.** The qubes-secpack generally includes only those PGP
keys used to sign some kind of official project asset, such as Qubes release
ISOs (release signing keys), Git tags and commits (code signing, doc signing,
and security team keys), and the qubes-secpack's own files and Git tags
(security team keys again). This means that email keys are generally not
included, even for official project email addresses. There is one exception
to this rule: the official [Qubes security
team](/security/#qubes-security-team) email address, which is used to report
security vulnerabilities in Qubes OS to our security team.
- **Key signing (certification).** Only some keys in the qubes-secpack are
signed by the QMSK. Keys that are not signed directly by the QMSK are still
signed indirectly by virtue of being included in the qubes-secpack, which is
itself signed (via Git tags and/or commits) by keys that are in turn signed
by the QMSK.
## History and rationale

19
project-security/verifying-signatures.md
View File

@ -555,15 +555,12 @@ FAQ](#troubleshooting-faq) below.
Before we proceed, you must first complete the following prerequisite steps:
1. [Install OpenPGP software.](#openpgp-software)
2. [Import and authenticate the Qubes Master Signing Key.](#how-to-import-and-authenticate-the-qubes-master-signing-key)
3. [Import and authenticate keys from the Qubes security pack (qubes-secpack).](/security/pack/)
**Note:** Only some keys in the qubes-secpack are signed by the QMSK. Keys
that are not signed directly by the QMSK are still signed indirectly by
virtue of being included in the qubes-secpack, which is itself signed (via
Git tags and/or commits) by keys that are in turn signed by the QMSK. If a
key is not signed directly by the QMSK, you may need to set its trust level
directly.
2. [Import and authenticate the Qubes Master Signing
Key.](#how-to-import-and-authenticate-the-qubes-master-signing-key)
3. [Import and authenticate keys from the Qubes security pack
(qubes-secpack).](/security/pack/) Please see our [PGP key
policies](/security/pack/#pgp-key-policies) for important information about
these keys.
Whenever you use one of the [Qubes repositories](https://github.com/QubesOS),
you should use Git to verify the PGP signature in a tag on the latest commit or
@ -586,7 +583,7 @@ all such conditions hold, you're much better off verifying signatures yourself.
(Also see: [distrusting the
infrastructure](/faq/#what-does-it-mean-to-distrust-the-infrastructure).)
**To verify a signature on a Git tag:**
### How to verify a signature on a Git tag
```shell_session
$ git tag -v <tag name>
@ -598,7 +595,7 @@ or
$ git verify-tag <tag name>
```
**To verify a signature on a Git commit:**
### How to verify a signature on a Git commit
```shell_session
$ git log --show-signature <commit ID>