Git-Mirrors
/
qubes-doc
mirror of https://github.com/QubesOS/qubes-doc.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Move 'properly validated keys' guidance before git verification... 

...in the "How to Verify Qubes Repos" section, since you must have
properly validated keys before being able to perform a successful
`git verify-tag` or `git verify-commit`.
This commit is contained in:
Dave Smith 2021-07-16 21:02:37 -05:00
parent 4de71b367d
commit a0b355b0c5
No known key found for this signature in database
GPG Key ID: 9D496637D81484A6
1 changed files with 13 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
project-security/verifying-signatures.md
View File

@ -507,6 +507,19 @@ signed tags or commits on top of them unless you personally vouch for the
trustworthiness of the unsigned commits. Instead, ask the person who pushed the
unsigned commits to sign them.
You should always perform this verification on a trusted local machine with
properly validated keys (which are available in the [Qubes Security
Pack](/security/pack/)) rather than relying on a third party, such as GitHub.
While the GitHub interface may claim that a commit has a verified signature
from a member of the Qubes team, this is only trustworthy if GitHub has
performed the signature check correctly, the account identity is authentic, the
user's key has not been replaced by an admin, GitHub's servers have not been
compromised, and so on. Since there's no way for you to be certain that all
such conditions hold, you're much better off verifying signatures yourself.
Also see: [Distrusting the
Infrastructure](/faq/#what-does-it-mean-to-distrust-the-infrastructure)
To verify a signature on a Git tag:
```shell_session
@ -531,19 +544,6 @@ or
$ git verify-commit <commit ID>
```
You should always perform this verification on a trusted local machine with
properly validated keys (which are available in the [Qubes Security
Pack](/security/pack/)) rather than relying on a third party, such as GitHub.
While the GitHub interface may claim that a commit has a verified signature
from a member of the Qubes team, this is only trustworthy if GitHub has
performed the signature check correctly, the account identity is authentic, the
user's key has not been replaced by an admin, GitHub's servers have not been
compromised, and so on. Since there's no way for you to be certain that all
such conditions hold, you're much better off verifying signatures yourself.
Also see: [Distrusting the
Infrastructure](/faq/#what-does-it-mean-to-distrust-the-infrastructure)
## Troubleshooting FAQ
### Why am I getting "Can't check signature: public key not found"?