Git-Mirrors
/
qubes-doc
mirror of https://github.com/QubesOS/qubes-doc.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Resolve grammatical error, return to "this verification" wording (#1179)

This commit is contained in:
Dave Smith 2021-07-18 22:37:53 -05:00
parent c917f90792
commit 9bb30e2205
No known key found for this signature in database
GPG Key ID: 9D496637D81484A6
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
project-security/verifying-signatures.md
View File

@ -499,7 +499,7 @@ can be confident that these hash values came from the Qubes devs.
Whenever you use one of the [Qubes repositories](https://github.com/QubesOS),
you should use Git to verify the PGP signature in a tag on the latest commit or
on the latest commit itself (one or both may be present, but only one is
on the latest commit itself. (One or both may be present, but only one is
required.) If there is no trusted signed tag or commit on top, any commits after
the latest trusted signed tag or commit should **not** be trusted. If you come
across a repo with any unsigned commits, you should not add any of your own
@ -507,7 +507,7 @@ signed tags or commits on top of them unless you personally vouch for the
trustworthiness of the unsigned commits. Instead, ask the person who pushed the
unsigned commits to sign them.
You should always perform Git verification on a trusted local machine with
You should always perform this verification on a trusted local machine with
properly validated keys (which are available in the [Qubes Security
Pack](/security/pack/)) rather than relying on a third party, such as GitHub.
While the GitHub interface may claim that a commit has a verified signature