From 36ae858cccd770ad0480bd8fed356d0aaacdfd93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Wed, 30 Apr 2014 13:47:25 +0000
Subject: [PATCH] QubesBuilder changed

add key management info
---
 QubesBuilder.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/QubesBuilder.md b/QubesBuilder.md
index 4f0c3d03..f004b323 100644
--- a/QubesBuilder.md
+++ b/QubesBuilder.md
@@ -180,3 +180,17 @@ There is one issue with above experimental version: new Xorg server have differe
 
 5.  Restart login manager (now it will start and allow you to login graphically): initctl restart prefdm
 
+Code verification keys management
+=================================
+
+[QubesBuilder](/wiki/QubesBuilder) by default verify signed tags on every downloaded code. Public keys used for that are stored in `keyrings/git`. By default Qubes developers keys are imported automatically, but if you need some additional keys (for example your own), you can add it using:
+
+``` {.wiki}
+GNUPGHOME=$PWD/keyrings/git gpg --import /path/to/key.asc
+GNUPGHOME=$PWD/keyrings/git gpg --edit-key ID_OF_JUST_IMPORTED_KEY
+# here use "trust" command to set key fully or ultimately trusted - only those keys are accepted by QubesBulder
+```
+
+All Qubes developers keys are signed by Qubes Master Signing Key (which is set as ultimately trusted key), so are trusted automatically.
+
+If you are the owner of Master key and want to revoke such signature, use `revsig` gpg key edit command and update the key in qubes-developers-keys.asc - now the key will be no longer trusted (unless manually set such).