Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2025-01-26 06:26:18 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of git://github.com/illikainen/qubes-doc into illikainen-master

Browse Source
This commit is contained in:
Andrew David Wong 2020-07-04 07:47:11 -05:00
commit 41719d8ebe
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17
1 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
project-security/verifying-signatures.md
View File

@ -169,15 +169,22 @@ There are several ways to get the Release Signing Key for your Qubes release.
The Release Signing Key should be signed by the Qubes Master Signing Key:
$ gpg2 --list-sigs "Qubes OS Release X Signing Key"
$ gpg2 --check-signatures "Qubes OS Release X Signing Key"
pub rsa4096 2017-03-06 [SC]
5817A43B283DE5A9181A522E1848792F9E2795E9
uid [ full ] Qubes OS Release X Signing Key
sig 3 1848792F9E2795E9 2017-03-06 Qubes OS Release X Signing Key
sig DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key
sig!3 1848792F9E2795E9 2017-03-06 Qubes OS Release X Signing Key
sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key
gpg: 2 good signatures
This is just an example, so the output you receive will not look exactly the same.
What matters is that the last line shows that this key is signed by the Qubes Master Signing Key, which verifies the authenticity of the Release Signing Key.
What matters is the line that shows that this key is signed by the Qubes Master
Signing Key with a `sig!` prefix. This verifies the authenticity of the
Release Signing Key. Note that the `!` flag after the `sig` tag is important
because it means that the key signature is valid. A `sig-` prefix would
indicate a bad signature and `sig%` would mean that gpg encountered an error
while verifying the signature.
It is not necessary to independently verify the authenticity of the Release Signing Key.