Resolve grammatical error, return to "this verification" wording (#1179)

Dave Smith 2021-07-18 22:37:53 -05:00
parent c917f90792
commit 9bb30e2205
No known key found for this signature in database
GPG key ID: 9D496637D81484A6

@ -499,7 +499,7 @@ can be confident that these hash values came from the Qubes devs.
Whenever you use one of the [Qubes repositories](https://github.com/QubesOS), Whenever you use one of the [Qubes repositories](https://github.com/QubesOS),
you should use Git to verify the PGP signature in a tag on the latest commit or you should use Git to verify the PGP signature in a tag on the latest commit or
on the latest commit itself (one or both may be present, but only one is on the latest commit itself. (One or both may be present, but only one is
required.) If there is no trusted signed tag or commit on top, any commits after required.) If there is no trusted signed tag or commit on top, any commits after
the latest trusted signed tag or commit should **not** be trusted. If you come the latest trusted signed tag or commit should **not** be trusted. If you come
across a repo with any unsigned commits, you should not add any of your own across a repo with any unsigned commits, you should not add any of your own
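Review bot: In the parenthetical that this hunk turns into its own sentence, "only one is required" can be read as "exactly one", which conflicts with "one or both may be present" right before it. Suggest "(One or both may be present, but at least one is required.)" so it is clear that a signed tag, a signed commit, or both all satisfy the check. The next sentence's "on top" would also be clearer if it repeated "on the latest commit", since that is the position the first sentence tells the reader to verify.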
@ -507,7 +507,7 @@ signed tags or commits on top of them unless you personally vouch for the
trustworthiness of the unsigned commits. Instead, ask the person who pushed the trustworthiness of the unsigned commits. Instead, ask the person who pushed the
unsigned commits to sign them. unsigned commits to sign them.
You should always perform Git verification on a trusted local machine with You should always perform this verification on a trusted local machine with
properly validated keys (which are available in the [Qubes Security properly validated keys (which are available in the [Qubes Security
Pack](/security/pack/)) rather than relying on a third party, such as GitHub. Pack](/security/pack/)) rather than relying on a third party, such as GitHub.
While the GitHub interface may claim that a commit has a verified signature While the GitHub interface may claim that a commit has a verified signature
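Review bot: "this verification" on the changed line has no nearby antecedent, because the sentences just before it are about unsigned commits and asking the pusher to sign them, not about verifying anything. The wording being replaced, "Git verification", at least named the operation. If the goal is to avoid that phrase, something like "this signature verification" keeps the reference unambiguous and ties it to the "verify the PGP signature" instruction earlier in the section. The commit message says the change returns to an earlier wording but does not say why; a short reason there would help future editors avoid flipping it back again.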