mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-12-29 09:16:22 -05:00
Add disclaimer and clarifications about signatures
Wrote a paragraph or two about verifying the QubesOS ISO signature and wrote a disclaimer that Qubes does not automatically verify external downloads not coming from its own repositories.
This commit is contained in:
parent
824618d805
commit
7569cf3b95
@ -18,7 +18,13 @@ Download Verification
|
|||||||
|
|
||||||
**Verify the authenticity and integrity of your downloads, [particularly the Qubes iso](/security/verifying-signatures/).**
|
**Verify the authenticity and integrity of your downloads, [particularly the Qubes iso](/security/verifying-signatures/).**
|
||||||
|
|
||||||
The standard program installation command for Fedora and Qubes repositories
|
The internet is always a dangerous place. While your connection to the Qubes website and download mirrors is encrypted, meaning that your downloads from here can't be modified by a third party en route, there is always the chance that these websites themselves have been compromised.
|
||||||
|
Signature verification allows us to validate for ourselves that these files were the ones authored and signed by their creators (in this case the Qubes development team).
|
||||||
|
|
||||||
|
Because it's so easy for a hacker who manages to tamper with the downloaded iso files this way to patch in malware, it is of the utmost importance that you **verify the signature of the Qubes iso** you use to install Qubes.
|
||||||
|
See the page on [Verifying Signatures](https://www.qubes-os.org/security/verifying-signatures/) for more information and a tutorial on how to accomplish this.
|
||||||
|
|
||||||
|
Once you have Qubes installed, the standard program installation command for Fedora and Qubes repositories
|
||||||
|
|
||||||
~~~
|
~~~
|
||||||
sudo yum install <program>
|
sudo yum install <program>
|
||||||
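Review bot: The added sentence beginning "While your connection to the Qubes website and download mirrors is encrypted" states that downloads "can't be modified by a third party en route" as an absolute guarantee covering every mirror; wording such as "which makes it hard for a third party to modify your downloads en route" would be safer and still supports the point that signature verification is the check to rely on. In the added sentence "Because it's so easy for a hacker who manages to tamper with the downloaded iso files this way", the phrase "this way" has no clear antecedent, since the preceding text describes compromised websites rather than a tampering method; consider naming the scenario directly. The new "Verifying Signatures" link uses the absolute URL https://www.qubes-os.org/security/verifying-signatures/ while the existing bold line above links the same page as /security/verifying-signatures/; use the relative form for consistency.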
@ -38,6 +44,9 @@ Even then, you might want to consider new repositories to be **less** secure and
|
|||||||
|
|
||||||
If you **need** to download programs that cannot be verified, then it is much less dangerous to install them in a **cloned template or a standalone VM**.
|
If you **need** to download programs that cannot be verified, then it is much less dangerous to install them in a **cloned template or a standalone VM**.
|
||||||
|
|
||||||
|
Remember: Qubes cannot automatically verify the signature of files that come from other sources like your browser, torrenting client, or home-made tofu recipe downloader. If the providers of these downloads provide keys for you to verify the signatures of their downloads, do it!
|
||||||
|
|
||||||
|
|
||||||
Observing Security Contexts
|
Observing Security Contexts
|
||||||
---------------------------
|
---------------------------
|
||||||
|
|
||||||
|
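Review bot: The added "Remember:" paragraph tells readers to verify when "the providers of these downloads provide keys", but it does not say that the key itself has to be obtained or checked through a channel other than the download site, which matters because the first hunk warns that the websites themselves may have been compromised. Suggest adding a sentence to that effect, or linking to the Verifying Signatures page here as well. Minor wording: "the signature of files" should be "the signatures of files", and "providers ... provide" repeats itself; "offer" would read better for the second.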