Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2024-12-25 23:39:37 -05:00
Code Issues Packages Projects Releases Wiki Activity

Improve ordering, presentation, and organization of information

Browse Source 
- Generalize "PGP key inclusion criteria" to "PGP key policies"
- Move key signing notice to new section
- Deduplicate key signing notice
- Convert bolded lines to headings
This commit is contained in:
Andrew David Wong 2021-07-24 11:29:34 -07:00
parent 9ffc1f7670
commit 0c048c58a0
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17
2 changed files with 26 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
project-security/security-pack.md
View File

@ -50,7 +50,8 @@ software](/security/verifying-signatures/#openpgp-software).
Checking connectivity... done. Checking connectivity... done.
``` ```
2. Import the included PGP keys. 2. Import the included PGP keys. See our [PGP key policies](#pgp-key-policies)
for important information about these keys.
```shell_session ```shell_session
$ gpg --import qubes-secpack/keys/*/* $ gpg --import qubes-secpack/keys/*/*
@ -85,11 +86,6 @@ software](/security/verifying-signatures/#openpgp-software).
3. [Authenticate and set the trust level of the Qubes Master Signing Key 3. [Authenticate and set the trust level of the Qubes Master Signing Key
(QMSK).](/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key) (QMSK).](/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key)
**Note:** Only some keys in the qubes-secpack are signed by the QMSK. Keys
that are not signed directly by the QMSK are still signed indirectly by
virtue of being included in the qubes-secpack, which is itself signed (via
Git tags and/or commits) by keys that are in turn signed by the QMSK.
4. Verify signed Git tags. 4. Verify signed Git tags.
```shell_session ```shell_session
@ -129,16 +125,23 @@ signatures) are provided to ensure that the system is robust (e.g., against a
potential failure in Git tag-based verification) and to give users more options potential failure in Git tag-based verification) and to give users more options
to verify the files. to verify the files.
## PGP key inclusion criteria ## PGP key policies
The qubes-secpack generally includes only those PGP keys used to sign some kind - **Inclusion criteria.** The qubes-secpack generally includes only those PGP
of official project asset, such as Qubes release ISOs (release signing keys), keys used to sign some kind of official project asset, such as Qubes release
Git tags and commits (code signing, doc signing, and security team keys), and ISOs (release signing keys), Git tags and commits (code signing, doc signing,
the qubes-secpack's own files and Git tags (security team keys again). This and security team keys), and the qubes-secpack's own files and Git tags
means that email keys are generally not included, even for official project (security team keys again). This means that email keys are generally not
email addresses. There is one exception to this rule: the official [Qubes included, even for official project email addresses. There is one exception
security team](/security/#qubes-security-team) email address, which is used to to this rule: the official [Qubes security
report security vulnerabilities in Qubes OS to our security team. team](/security/#qubes-security-team) email address, which is used to report
security vulnerabilities in Qubes OS to our security team.
- **Key signing (certification).** Only some keys in the qubes-secpack are
signed by the QMSK. Keys that are not signed directly by the QMSK are still
signed indirectly by virtue of being included in the qubes-secpack, which is
itself signed (via Git tags and/or commits) by keys that are in turn signed
by the QMSK.
## History and rationale ## History and rationale

19
project-security/verifying-signatures.md
View File

@ -555,15 +555,12 @@ FAQ](#troubleshooting-faq) below.
Before we proceed, you must first complete the following prerequisite steps: Before we proceed, you must first complete the following prerequisite steps:
1. [Install OpenPGP software.](#openpgp-software) 1. [Install OpenPGP software.](#openpgp-software)
2. [Import and authenticate the Qubes Master Signing Key.](#how-to-import-and-authenticate-the-qubes-master-signing-key) 2. [Import and authenticate the Qubes Master Signing
3. [Import and authenticate keys from the Qubes security pack (qubes-secpack).](/security/pack/) Key.](#how-to-import-and-authenticate-the-qubes-master-signing-key)
3. [Import and authenticate keys from the Qubes security pack
**Note:** Only some keys in the qubes-secpack are signed by the QMSK. Keys (qubes-secpack).](/security/pack/) Please see our [PGP key
that are not signed directly by the QMSK are still signed indirectly by policies](/security/pack/#pgp-key-policies) for important information about
virtue of being included in the qubes-secpack, which is itself signed (via these keys.
Git tags and/or commits) by keys that are in turn signed by the QMSK. If a
key is not signed directly by the QMSK, you may need to set its trust level
directly.
Whenever you use one of the [Qubes repositories](https://github.com/QubesOS), Whenever you use one of the [Qubes repositories](https://github.com/QubesOS),
you should use Git to verify the PGP signature in a tag on the latest commit or you should use Git to verify the PGP signature in a tag on the latest commit or
@ -586,7 +583,7 @@ all such conditions hold, you're much better off verifying signatures yourself.
(Also see: [distrusting the (Also see: [distrusting the
infrastructure](/faq/#what-does-it-mean-to-distrust-the-infrastructure).) infrastructure](/faq/#what-does-it-mean-to-distrust-the-infrastructure).)
**To verify a signature on a Git tag:** ### How to verify a signature on a Git tag
```shell_session ```shell_session
$ git tag -v <tag name> $ git tag -v <tag name>
@ -598,7 +595,7 @@ or
$ git verify-tag <tag name> $ git verify-tag <tag name>
``` ```
**To verify a signature on a Git commit:** ### How to verify a signature on a Git commit
```shell_session ```shell_session
$ git log --show-signature <commit ID> $ git log --show-signature <commit ID>