From fb4e74416b5e898a346c058a0a725e544472a62c Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Fri, 27 Oct 2017 21:21:26 -0500 Subject: [PATCH] Add warning about key verification (#431) --- managing-os/pentesting/kali.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/managing-os/pentesting/kali.md b/managing-os/pentesting/kali.md index 83ed7ecd..31dd9b75 100644 --- a/managing-os/pentesting/kali.md +++ b/managing-os/pentesting/kali.md @@ -180,6 +180,10 @@ The steps can be summarised as: ### Get Kali Linux GPG key ### +**CAUTION:** Before proceeding, please carefully read [On Digital Signatures and Key Verification][qubes-verifying-signatures]. +This website cannot guarantee that any PGP key you download from the Internet is authentic. +Always obtain a trusted key fingerprint via other channels, and always check any key you download against your trusted copy of the fingerprint. + This step is required since by (security) default a TemplateVM do not have a direct Internet connectivity. Users understanding the risks of enabling such access can change this configuration in firewall settings for the TemplateVM. @@ -193,8 +197,8 @@ access can change this configuration in firewall settings for the TemplateVM. 2. **DO NOT TURN OFF** the DispVM, the `kali-key.asc` file will be copied to the Kali Linux template in a further step. -3. Make sure the key ID is the valid one listed on the [Kali website]. Ideally, - verify the fingerprint through other channels as recommended on that link. +3. Make sure the key is the authentic Kali key. + See the [Kali website] for further advice and instructions on verification. ### Create a Debian 9.0 (Stretch) template ### 
@@ -309,6 +313,7 @@ Notes Thanks to the people in [the discussion thread](https://github.com/QubesOS/qubes-issues/issues/1981). +[qubes-verifying-signatures]: /security/verifying-signatures/ [qubes-pentesting]: /doc/pentesting/ [qubes-blackarch]: /doc/pentesting/blackarch/ [qubes-ptf]: /doc/pentesting/ptf/ @@ -317,7 +322,7 @@ Thanks to the people in [the discussion thread](https://github.com/QubesOS/qubes [kali]: https://www.kali.org/ [kali-vbox]: https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/ -[kali website]: https://docs.kali.org/introduction/download-official-kali-linux-images. +[kali website]: https://docs.kali.org/introduction/download-official-kali-linux-images [PTF]: https://www.trustedsec.com/may-2015/new-tool-the-pentesters-framework-ptf-released/
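Review bot: In the hunk at `@@ -180,6 +180,10 @@`, the new **CAUTION** paragraph is inserted between the "Get Kali Linux GPG key" heading and the unchanged sentence "This step is required since by (security) default...", so "This step" now follows the warning and its referent is harder to find. Consider placing the caution after that explanatory paragraph, or directly before step 3, where the key is actually checked, so the warning sits next to the action it governs.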
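Review bot: In the hunk at `@@ -193,8 +197,8 @@`, the rewritten step 3 ("Make sure the key is the authentic Kali key.") no longer says what to compare. Dropping the reference to the key ID is an improvement, but the removed line also carried "verify the fingerprint through other channels", and the step now defers entirely to the [Kali website], which is itself something fetched from the Internet. Suggest stating the check in the step, in line with the caution added above, for example "Check the full fingerprint of `kali-key.asc` against your trusted copy of the fingerprint", and keeping the Kali link as a secondary reference.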
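Review bot: In the hunk at `@@ -317,7 +322,7 @@`, the removal of the trailing period from the `[kali website]` URL is a link fix that the subject line "Add warning about key verification" does not mention. It is the link that step 3 now relies on, so it is worth a line in the commit message body to make the fix visible in the history.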