Fix lost referent on "this verification" (#1179)

Dave Smith 2021-07-17 10:29:48 -05:00
parent a0b355b0c5
commit c917f90792
No known key found for this signature in database
GPG Key ID: 9D496637D81484A6

@ -498,16 +498,16 @@ can be confident that these hash values came from the Qubes devs.
## How to Verify Qubes Repos ## How to Verify Qubes Repos
Whenever you use one of the [Qubes repositories](https://github.com/QubesOS), Whenever you use one of the [Qubes repositories](https://github.com/QubesOS),
you should verify the PGP signature in a tag on the latest commit or on the you should use Git to verify the PGP signature in a tag on the latest commit or
latest commit itself. (One or both may be present, but only one is required.) on the latest commit itself (one or both may be present, but only one is
If there is no trusted signed tag or commit on top, any commits after the required.) If there is no trusted signed tag or commit on top, any commits after
latest trusted signed tag or commit should **not** be trusted. If you come the latest trusted signed tag or commit should **not** be trusted. If you come
across a repo with any unsigned commits, you should not add any of your own across a repo with any unsigned commits, you should not add any of your own
signed tags or commits on top of them unless you personally vouch for the signed tags or commits on top of them unless you personally vouch for the
trustworthiness of the unsigned commits. Instead, ask the person who pushed the trustworthiness of the unsigned commits. Instead, ask the person who pushed the
unsigned commits to sign them. unsigned commits to sign them.
You should always perform this verification on a trusted local machine with You should always perform Git verification on a trusted local machine with
properly validated keys (which are available in the [Qubes Security properly validated keys (which are available in the [Qubes Security
Pack](/security/pack/)) rather than relying on a third party, such as GitHub. Pack](/security/pack/)) rather than relying on a third party, such as GitHub.
While the GitHub interface may claim that a commit has a verified signature While the GitHub interface may claim that a commit has a verified signature
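
Review bot: The period is left inside the closing parenthesis in the rewritten first paragraph ("on the latest commit itself (one or both may be present, but only one is required.) If there is no trusted..."). The old text had the parenthetical as its own sentence, where an inner period was correct; now that it is folded into the preceding sentence, that sentence has no terminal punctuation of its own. Suggest moving the period outside: "...but only one is required). If there is no trusted...". The "this verification" to "Git verification" replacement in the second paragraph reads fine and matches the "use Git to verify" wording added above it.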