mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-12-25 07:19:33 -05:00
Fix lost referent on "this verification" (#1179)
This commit is contained in:
parent
a0b355b0c5
commit
c917f90792
@ -498,16 +498,16 @@ can be confident that these hash values came from the Qubes devs.
|
|||||||
## How to Verify Qubes Repos
|
## How to Verify Qubes Repos
|
||||||
|
|
||||||
Whenever you use one of the [Qubes repositories](https://github.com/QubesOS),
|
Whenever you use one of the [Qubes repositories](https://github.com/QubesOS),
|
||||||
you should verify the PGP signature in a tag on the latest commit or on the
|
you should use Git to verify the PGP signature in a tag on the latest commit or
|
||||||
latest commit itself. (One or both may be present, but only one is required.)
|
on the latest commit itself (one or both may be present, but only one is
|
||||||
If there is no trusted signed tag or commit on top, any commits after the
|
required.) If there is no trusted signed tag or commit on top, any commits after
|
||||||
latest trusted signed tag or commit should **not** be trusted. If you come
|
the latest trusted signed tag or commit should **not** be trusted. If you come
|
||||||
across a repo with any unsigned commits, you should not add any of your own
|
across a repo with any unsigned commits, you should not add any of your own
|
||||||
signed tags or commits on top of them unless you personally vouch for the
|
signed tags or commits on top of them unless you personally vouch for the
|
||||||
trustworthiness of the unsigned commits. Instead, ask the person who pushed the
|
trustworthiness of the unsigned commits. Instead, ask the person who pushed the
|
||||||
unsigned commits to sign them.
|
unsigned commits to sign them.
|
||||||
|
|
||||||
You should always perform this verification on a trusted local machine with
|
You should always perform Git verification on a trusted local machine with
|
||||||
properly validated keys (which are available in the [Qubes Security
|
properly validated keys (which are available in the [Qubes Security
|
||||||
Pack](/security/pack/)) rather than relying on a third party, such as GitHub.
|
Pack](/security/pack/)) rather than relying on a third party, such as GitHub.
|
||||||
While the GitHub interface may claim that a commit has a verified signature
|
While the GitHub interface may claim that a commit has a verified signature
|
||||||
|
Loading…
Reference in New Issue
Block a user