From a0b355b0c549b98be3cfa8aea790557a129ef6e8 Mon Sep 17 00:00:00 2001 From: Dave Smith Date: Fri, 16 Jul 2021 21:02:37 -0500 Subject: [PATCH 1/3] Move 'properly validated keys' guidance before git verification... ...in the "How to Verify Qubes Repos" section, since you must have properly validated keys before being able to perform a successful `git verify-tag` or `git verify-commit`. --- project-security/verifying-signatures.md | 26 ++++++++++++------------ 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/project-security/verifying-signatures.md b/project-security/verifying-signatures.md index 9625a572..e54b4c28 100644 --- a/project-security/verifying-signatures.md +++ b/project-security/verifying-signatures.md @@ -507,6 +507,19 @@ signed tags or commits on top of them unless you personally vouch for the trustworthiness of the unsigned commits. Instead, ask the person who pushed the unsigned commits to sign them. +You should always perform this verification on a trusted local machine with +properly validated keys (which are available in the [Qubes Security +Pack](/security/pack/)) rather than relying on a third party, such as GitHub. +While the GitHub interface may claim that a commit has a verified signature +from a member of the Qubes team, this is only trustworthy if GitHub has +performed the signature check correctly, the account identity is authentic, the +user's key has not been replaced by an admin, GitHub's servers have not been +compromised, and so on. Since there's no way for you to be certain that all +such conditions hold, you're much better off verifying signatures yourself. + +Also see: [Distrusting the +Infrastructure](/faq/#what-does-it-mean-to-distrust-the-infrastructure) + To verify a signature on a Git tag: ```shell_session 
@@ -531,19 +544,6 @@ or $ git verify-commit ``` -You should always perform this verification on a trusted local machine with -properly validated keys (which are available in the [Qubes Security -Pack](/security/pack/)) rather than relying on a third party, such as GitHub. -While the GitHub interface may claim that a commit has a verified signature -from a member of the Qubes team, this is only trustworthy if GitHub has -performed the signature check correctly, the account identity is authentic, the -user's key has not been replaced by an admin, GitHub's servers have not been -compromised, and so on. Since there's no way for you to be certain that all -such conditions hold, you're much better off verifying signatures yourself. - -Also see: [Distrusting the -Infrastructure](/faq/#what-does-it-mean-to-distrust-the-infrastructure) - ## Troubleshooting FAQ ### Why am I getting "Can't check signature: public key not found"? From c917f907922a3b583cb4a8c94fd96e7d17c43e0c Mon Sep 17 00:00:00 2001 From: Dave Smith Date: Sat, 17 Jul 2021 10:29:48 -0500 Subject: [PATCH 2/3] Fix lost referent on "this verification" (#1179) --- project-security/verifying-signatures.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/project-security/verifying-signatures.md b/project-security/verifying-signatures.md index e54b4c28..060a6cfc 100644 --- a/project-security/verifying-signatures.md +++ b/project-security/verifying-signatures.md 
@@ -498,16 +498,16 @@ can be confident that these hash values came from the Qubes devs. ## How to Verify Qubes Repos Whenever you use one of the [Qubes repositories](https://github.com/QubesOS), -you should verify the PGP signature in a tag on the latest commit or on the -latest commit itself. (One or both may be present, but only one is required.) -If there is no trusted signed tag or commit on top, any commits after the -latest trusted signed tag or commit should **not** be trusted. If you come +you should use Git to verify the PGP signature in a tag on the latest commit or +on the latest commit itself (one or both may be present, but only one is +required.) If there is no trusted signed tag or commit on top, any commits after +the latest trusted signed tag or commit should **not** be trusted. If you come across a repo with any unsigned commits, you should not add any of your own signed tags or commits on top of them unless you personally vouch for the trustworthiness of the unsigned commits. Instead, ask the person who pushed the unsigned commits to sign them. -You should always perform this verification on a trusted local machine with +You should always perform Git verification on a trusted local machine with properly validated keys (which are available in the [Qubes Security Pack](/security/pack/)) rather than relying on a third party, such as GitHub. While the GitHub interface may claim that a commit has a verified signature From 9bb30e2205628a75abb7e972e0698c296520469b Mon Sep 17 00:00:00 2001 From: Dave Smith Date: Sun, 18 Jul 2021 22:37:53 -0500 Subject: [PATCH 3/3] Resolve grammatical error, return to "this verification" wording (#1179) --- project-security/verifying-signatures.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/project-security/verifying-signatures.md b/project-security/verifying-signatures.md index 060a6cfc..635b75c3 100644 --- a/project-security/verifying-signatures.md +++ b/project-security/verifying-signatures.md 
@@ -499,7 +499,7 @@ can be confident that these hash values came from the Qubes devs. Whenever you use one of the [Qubes repositories](https://github.com/QubesOS), you should use Git to verify the PGP signature in a tag on the latest commit or -on the latest commit itself (one or both may be present, but only one is +on the latest commit itself. (One or both may be present, but only one is required.) If there is no trusted signed tag or commit on top, any commits after the latest trusted signed tag or commit should **not** be trusted. If you come across a repo with any unsigned commits, you should not add any of your own @@ -507,7 +507,7 @@ signed tags or commits on top of them unless you personally vouch for the trustworthiness of the unsigned commits. Instead, ask the person who pushed the unsigned commits to sign them. -You should always perform Git verification on a trusted local machine with +You should always perform this verification on a trusted local machine with properly validated keys (which are available in the [Qubes Security Pack](/security/pack/)) rather than relying on a third party, such as GitHub. While the GitHub interface may claim that a commit has a verified signature
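Review bot: in the first hunk of PATCH 1/3 (@@ -507,6 +507,19 @@), moving the paragraph above the `git verify-tag` / `git verify-commit` instructions leaves "You should always perform this verification ..." without a clear referent, since the commands it used to follow now come after it; point the sentence at the Git verification described in the preceding paragraph instead (the later patches in this series do this). The "Also see: [Distrusting the Infrastructure]" line also now sits directly before "To verify a signature on a Git tag:", so the cross-reference interrupts the flow from guidance into instructions; keeping it attached to the end of the paragraph it belongs to, or placing it after the command examples, reads more naturally.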
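Review bot: in PATCH 2/3 (@@ -498,16 +498,16 @@), the rewritten parenthetical `on the latest commit itself (one or both may be present, but only one is required.)` puts the period inside the closing parenthesis even though the parenthetical is now part of the preceding sentence; it should read `... required).` or stay a separate sentence as it was before. In the same hunk, `You should always perform Git verification on a trusted local machine` reads as if "Git verification" were a named procedure; `this verification` (with the referent established by "you should use Git to verify the PGP signature" in the paragraph above) or `verification with Git` is clearer.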
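Review bot: the second hunk of PATCH 3/3 (@@ -507,7 +507,7 @@) reverts the `Git verification` wording introduced in PATCH 2/3 back to `this verification`; the wording is fine now that "you should use Git to verify the PGP signature" in the paragraph directly above supplies the referent, but PATCH 2/3 and PATCH 3/3 amount to one logical change and would be cleaner squashed into a single commit so the history does not carry a wording that is immediately reversed. The first hunk (@@ -499,7 +499,7 @@) correctly restores the sentence-final period before `(One or both may be present, but only one is required.)`.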