Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2025-01-13 16:29:59 -05:00
Code Issues Packages Projects Releases Wiki Activity

Add info about distribution-gpg-keys; clarify section

Browse Source 
Thank you to Andrew Clausen for pointing out this package.
This commit is contained in:
Andrew David Wong 2020-11-14 00:16:13 -08:00
parent 371d5471a5
commit fdcaadaeec
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
project-security/verifying-signatures.md
View File

@ -104,8 +104,9 @@ You also should not rely on any single website, not even over HTTPS.
So, what *should* you do? So, what *should* you do?
One option is to use the PGP [Web of Trust](https://en.wikipedia.org/wiki/Web_of_trust). One option is to use the PGP [Web of Trust](https://en.wikipedia.org/wiki/Web_of_trust).
In addition, some operating systems have built-in keyrings containing keys capable of validating the Qubes Master Signing Key. In addition, some operating systems include the means to acquire the Qubes Master Signing Key in a secure way.
For example, if you have a Debian system, then your keyring may already contain the necessary keys. For example, on Fedora, `dnf install distribution-gpg-keys` will get you the Qubes Master Signing Key along with several other Qubes keys.
On Debian, your keyring may already contain the necessary keys.
Another option is to rely on the key's fingerprint. Another option is to rely on the key's fingerprint.
Every PGP key has a fingerprint that uniquely identifies it among all PGP keys (viewable with `gpg2 --fingerprint <KEY_ID>`). Every PGP key has a fingerprint that uniquely identifies it among all PGP keys (viewable with `gpg2 --fingerprint <KEY_ID>`).