From fdcaadaeec4d91edc01bdfd8774c9e27de04260d Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Sat, 14 Nov 2020 00:16:13 -0800 Subject: [PATCH] Add info about distribution-gpg-keys; clarify section Thank you to Andrew Clausen for pointing out this package. --- project-security/verifying-signatures.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/project-security/verifying-signatures.md b/project-security/verifying-signatures.md index 6e6c0ca9..758ea596 100644 --- a/project-security/verifying-signatures.md +++ b/project-security/verifying-signatures.md @@ -104,8 +104,9 @@ You also should not rely on any single website, not even over HTTPS. So, what *should* you do? One option is to use the PGP [Web of Trust](https://en.wikipedia.org/wiki/Web_of_trust). -In addition, some operating systems have built-in keyrings containing keys capable of validating the Qubes Master Signing Key. -For example, if you have a Debian system, then your keyring may already contain the necessary keys. +In addition, some operating systems include the means to acquire the Qubes Master Signing Key in a secure way. +For example, on Fedora, `dnf install distribution-gpg-keys` will get you the Qubes Master Signing Key along with several other Qubes keys. +On Debian, your keyring may already contain the necessary keys. Another option is to rely on the key's fingerprint. Every PGP key has a fingerprint that uniquely identifies it among all PGP keys (viewable with `gpg2 --fingerprint `).
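Review bot: the added Fedora line tells the reader that `dnf install distribution-gpg-keys` "will get you the Qubes Master Signing Key" but does not say where the package puts the key or that the reader should still compare its fingerprint before importing it; since the unchanged context immediately after the hunk introduces fingerprints and `gpg2 --fingerprint`, suggest ending the Fedora sentence with a pointer to that check (for example "then verify its fingerprint as described below"). The phrase "in a secure way" is also vague; stating what makes it secure, namely that the key arrives inside a package signed by the distribution and is therefore verified by the package manager, would make the claim concrete. Finally, the new Debian sentence "On Debian, your keyring may already contain the necessary keys." drops the previous wording's detail that those keys are "capable of validating the Qubes Master Signing Key" and gives no way to confirm whether they are present; suggest either restoring that detail or naming how to check (again via the fingerprint comparison in the following paragraph).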