mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-12-25 07:19:33 -05:00
Fix lost referent on "this verification" (#1179)
This commit is contained in:
parent
a0b355b0c5
commit
c917f90792
@ -498,16 +498,16 @@ can be confident that these hash values came from the Qubes devs.
|
||||
## How to Verify Qubes Repos
|
||||
|
||||
Whenever you use one of the [Qubes repositories](https://github.com/QubesOS),
|
||||
you should verify the PGP signature in a tag on the latest commit or on the
|
||||
latest commit itself. (One or both may be present, but only one is required.)
|
||||
If there is no trusted signed tag or commit on top, any commits after the
|
||||
latest trusted signed tag or commit should **not** be trusted. If you come
|
||||
you should use Git to verify the PGP signature in a tag on the latest commit or
|
||||
on the latest commit itself (one or both may be present, but only one is
|
||||
required.) If there is no trusted signed tag or commit on top, any commits after
|
||||
the latest trusted signed tag or commit should **not** be trusted. If you come
|
||||
across a repo with any unsigned commits, you should not add any of your own
|
||||
signed tags or commits on top of them unless you personally vouch for the
|
||||
trustworthiness of the unsigned commits. Instead, ask the person who pushed the
|
||||
unsigned commits to sign them.
|
||||
|
||||
You should always perform this verification on a trusted local machine with
|
||||
You should always perform Git verification on a trusted local machine with
|
||||
properly validated keys (which are available in the [Qubes Security
|
||||
Pack](/security/pack/)) rather than relying on a third party, such as GitHub.
|
||||
While the GitHub interface may claim that a commit has a verified signature
|
||||
|
Loading…
Reference in New Issue
Block a user