mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-12-25 07:19:33 -05:00
Clarify explanation of comparing fingerprints
parent 39f19da554
commit c3b7711fb3
@ -171,26 +171,61 @@ Fedora, `dnf install distribution-gpg-keys` will get you the QMSK along with
|
|||||||
several other Qubes keys. On Debian, your keyring may already contain the
|
several other Qubes keys. On Debian, your keyring may already contain the
|
||||||
necessary keys.
|
necessary keys.
|
||||||
|
|
||||||
Perhaps the most common route is to rely on the key's fingerprint. Every PGP
|
Perhaps the most common route is to rely on the key's fingerprint, which is a
|
||||||
key has a fingerprint that uniquely identifies it among all PGP keys (viewable
|
string of 40 alphanumeric characters, like this:
|
||||||
with `gpg2 --fingerprint <KEY_ID>`). Therefore, if you know the genuine QMSK
|
|
||||||
|
```
|
||||||
|
427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
|
||||||
|
```
|
||||||
|
|
||||||
|
Every PGP key has one of these fingerprints, which uniquely identifies it among
|
||||||
|
all PGP keys. (On the command line, you can view a key's fingerprint with the
|
||||||
|
`gpg2 --fingerprint <KEY_ID>` command.) Therefore, if you know the genuine QMSK
|
||||||
fingerprint, then you always have an easy way to confirm whether any purported
|
fingerprint, then you always have an easy way to confirm whether any purported
|
||||||
copy of it is authentic, simply by comparing the fingerprints.
|
copy of it is authentic, simply by comparing the fingerprints.
|
||||||
|
|
||||||
For example, here is the QMSK fingerprint:
|
But how do you know which fingerprint is the real one? After all, [this website
|
||||||
|
|
||||||
```shell_session
|
|
||||||
pub 4096R/36879494 2010-04-01
|
|
||||||
Key fingerprint = 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
|
|
||||||
uid Qubes Master Signing Key
|
|
||||||
```
|
|
||||||
|
|
||||||
But how do you know that this is the real fingerprint? After all, [this website
|
|
||||||
could be compromised](/faq/#should-i-trust-this-website), so the fingerprint
|
could be compromised](/faq/#should-i-trust-this-website), so the fingerprint
|
||||||
you see here may not be genuine. That's why we strongly suggest obtaining the
|
you see here may not be genuine. That's why we strongly suggest obtaining the
|
||||||
fingerprint from *multiple independent sources in several different ways*.
|
fingerprint from *multiple independent sources in several different ways*, then
|
||||||
|
comparing the strings of letters and numbers to make sure they match.
|
||||||
|
|
||||||
Here are some ideas for how to do that:
|
When it comes to PGP fingerprints, spaces and capitalization don't matter. In
|
||||||
|
other words, all of these fingerprints are considered the same:
|
||||||
|
|
||||||
|
```
|
||||||
|
427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
|
||||||
|
427f 11fd 0faa 4b08 0123 f01c ddfa 1a3e 3687 9494
|
||||||
|
427F11FD0FAA4B080123F01CDDFA1A3E36879494
|
||||||
|
427f11fd0faa4b080123f01cddfa1a3e36879494
|
||||||
|
```
|
||||||
|
|
||||||
|
Instead, what matters is that *all* the characters are present in *exactly* the
|
||||||
|
same order. If even one character is different, the fingerprints do not match.
|
||||||
|
Even if two fingerprints have all the same characters, if any of those
|
||||||
|
characters are in a different order, sequence or position, then the
|
||||||
|
fingerprints do not match.
|
||||||
|
|
||||||
|
Note: You may sometimes see the entire fingerprint prefixed with `0x`, as in:
|
||||||
|
|
||||||
|
```
|
||||||
|
0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
|
||||||
|
0x427f11fd0faa4b080123f01cddfa1a3e36879494
|
||||||
|
```
|
||||||
|
|
||||||
|
The `0x` prefix is sometimes used to indicate that the string following it is a
|
||||||
|
hexadecimal value, and some PGP-related tools may require this prefix. For the
|
||||||
|
purpose of comparing fingerprints as described here, you may safely ignore the
|
||||||
|
`0x` prefix, as it is not part of the fingerprint. As long as the 40-character
|
||||||
|
string after the `0x` matches exactly, the fingerprint is the same.
|
||||||
|
|
||||||
|
The general idea of "comparing fingerprints" is to go out into the world
|
||||||
|
(whether digitally, physically, or both) and find other 40-character strings
|
||||||
|
purporting to be the QMSK fingerprint, then compare them to your own purported
|
||||||
|
QMSK fingerprint to ensure that the sequence of alphanumeric characters is
|
||||||
|
exactly the same (again, regardless of spaces or capitalization). If any of the
|
||||||
|
characters do not match or are not in the same order, then at least one of the
|
||||||
|
fingerprints is a forgery. Here are some ideas to get you started:
|
||||||
|
|
||||||
- Check the fingerprint on various websites (e.g., [mailing
|
- Check the fingerprint on various websites (e.g., [mailing
|
||||||
lists](https://groups.google.com/g/qubes-devel/c/RqR9WPxICwg/m/kaQwknZPDHkJ),
|
lists](https://groups.google.com/g/qubes-devel/c/RqR9WPxICwg/m/kaQwknZPDHkJ),
|
||||||
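Review bot: "string of 40 alphanumeric characters" in the new opening sentence is looser than what this same hunk relies on later, where the `0x` note calls the string a hexadecimal value. A fingerprint can only contain the digits 0-9 and the letters A-F, so suggest "string of 40 hexadecimal characters (the digits 0-9 and the letters A-F)" here, and "hexadecimal characters" in the later "sequence of alphanumeric characters" sentence. That way a reader who sees any other letter in a purported fingerprint knows at once that it is malformed. Separately, "in a different order, sequence or position" says the same thing three times and could be shortened to "in a different order".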
@ -204,10 +239,10 @@ Here are some ideas for how to do that:
|
|||||||
talk](https://hyperelliptic.org/PSC/slides/psc2015_qubesos.pdf), on a
|
talk](https://hyperelliptic.org/PSC/slides/psc2015_qubesos.pdf), on a
|
||||||
[T-shirt](https://twitter.com/legind/status/813847907858337793/photo/2), or
|
[T-shirt](https://twitter.com/legind/status/813847907858337793/photo/2), or
|
||||||
in the [recording of a presentation](https://youtu.be/S0TVw7U3MkE?t=2563)).
|
in the [recording of a presentation](https://youtu.be/S0TVw7U3MkE?t=2563)).
|
||||||
- Download old Qubes ISOs from different sources and check the included Qubes
|
|
||||||
Master Signing Key.
|
|
||||||
- Ask people to post the fingerprint on various mailing lists, forums, and chat
|
- Ask people to post the fingerprint on various mailing lists, forums, and chat
|
||||||
rooms.
|
rooms.
|
||||||
|
- Download old Qubes ISOs from different sources and check the included Qubes
|
||||||
|
Master Signing Key.
|
||||||
- Repeat the above over Tor.
|
- Repeat the above over Tor.
|
||||||
- Repeat the above over various VPNs and proxy servers.
|
- Repeat the above over various VPNs and proxy servers.
|
||||||
- Repeat the above on different networks (work, school, internet cafe, etc.).
|
- Repeat the above on different networks (work, school, internet cafe, etc.).
|
||||||
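Review bot: The moved bullet still reads "check the included Qubes Master Signing Key", which does not say what to check. The rest of this change frames every step as comparing 40-character strings, so suggest "check the fingerprint of the included Qubes Master Signing Key". That makes it clear that a key found on an old ISO is one more purported copy to compare, not a trusted reference.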
@ -215,11 +250,11 @@ Here are some ideas for how to do that:
|
|||||||
confirm the fingerprint.
|
confirm the fingerprint.
|
||||||
- Repeat the above from different computers and devices.
|
- Repeat the above from different computers and devices.
|
||||||
|
|
||||||
Once you've obtained the fingerprint from enough independent sources in enough
|
Once you've observed enough matching fingerprints from enough independent
|
||||||
different ways that you feel confident that you know the genuine fingerprint,
|
sources in enough different ways that you feel confident that you have the
|
||||||
keep it in a safe place. Every time you need to check whether a key claiming to
|
genuine fingerprint, keep it in a safe place. Every time you need to check
|
||||||
be the QMSK is authentic, compare that key's fingerprint to your trusted copy
|
whether a key claiming to be the QMSK is authentic, compare that key's
|
||||||
and confirm they match.
|
fingerprint to your trusted copy and confirm they match.
|
||||||
|
|
||||||
Now that you've imported the authentic QMSK, set its trust level to "ultimate"
|
Now that you've imported the authentic QMSK, set its trust level to "ultimate"
|
||||||
so that it can be used to automatically verify all the keys signed by the QMSK
|
so that it can be used to automatically verify all the keys signed by the QMSK
|
||||||
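Review bot: The reworded paragraph beginning "Once you've observed enough matching fingerprints" covers only the case where every source agrees and does not say what to do when one source disagrees. The first hunk states that a mismatch means at least one of the fingerprints is a forgery, so a sentence here telling the reader not to go on to import or trust the key until the discrepancy is explained would close that gap. "keep it in a safe place" would also read better with one concrete example of what counts as safe.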
|