...with a trusted signature! There is no indication that the signature
belongs to the owner."
With this edit, I'm aiming to assist the beginner reader who walked the
following breadcrumbs:
Should I trust this website?
==> verify the PGP signatures on the commits and/or tags
Detailed steps suggested by the docs along these breadcrumbs:
1) `git clone git@github.com:QubesOS/qubesos.github.io.git`
2) Verify the PGP sigs on the commits and/or tags
   a) get properly validated GPG keys (available in the Qubes Security Pack)
      i. `git clone https://github.com/QubesOS/qubes-secpack.git`
      ii. `gpg --import qubes-secpack/keys/*/*`
      iii. Verify/trust the QMSK (details given on the page)
   b) `cd qubesos.github.io`
   c) `git verify-commit 45ca80e8` (one of Andrew's recent commits)
RESULT: The WARNING pops up, because the user has not yet ultimately PGP
trusted Andrew's E11D 15C6 D204 3576 9FFA A456 8CE1 3735 2A01 9A17
key.
...in the "How to Verify Qubes Repos" section, since you must have
properly validated keys before being able to perform a successful
`git verify-tag` or `git verify-commit`.
Those are redundant, and the YAML parser in fact strips them. With them
removed, loading and saving a YAML file without any change indeed produces
the same output. This is useful for the prepare_for_translation.py script
(which adds lang and ref tags) - to produce only the change that was indeed made.
Those are fields used by the language switcher to correlate pages across
different languages, even if they have different names/paths/titles.
They are generated with the prepare_for_translation.py script.
- mark all code blocks with ```
- unify empty lines between sections
- adjust list syntax (no space before dash)
- adjust headers to use Atx-style syntax
- remove trailing spaces
Now that we have a user forum in addition to qubes-users, it makes more
sense to link to /support/ than to link directly to qubes-users (or to
the forum, for that matter). This layer of redirection allows us
to update just one thing (namely, the /support/ page) instead of having
to hunt through all the documentation every time support information
changes.
The original instructions on how to verify the release signing key used
the `--list-sigs` option for gpg. However, unlike `--check-signatures`,
the `--list-sigs` option does not verify the authenticity of key
signatures.
See gpg2(1):
    --list-signatures
    --list-sigs
           Same as --list-keys, but the signatures are listed too.
           [...]
           Note that in contrast to --check-signatures the key signatures
           are not verified.
           [...]
    --check-signatures
    --check-sigs
           Same as --list-keys, but the key signatures are verified and
           listed too.
           [...]
This updates the documentation to use `--check-signatures` instead.
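
The difference between the two options can be checked mechanically. The following is an added example, not part of the commit or the Qubes documentation: it reads `gpg --with-colons` key listings and accepts a key signature only when gpg marked it as verified. It assumes the colon format in which field 2 of a `sig` record is `!` (good), `-` (bad), `?` (no public key) or `%` (error) after checking and empty when signatures are only listed; the function names and all sample records are constructed.

```shell
#!/bin/sh
# Added example. All key IDs, dates and names below are constructed.
# Only fields 1 (record type), 2 (check result) and 5 (signer key ID) are used.

# Constructed stand-in for: gpg --with-colons --check-signatures <key>
sample_checked() {
cat <<'EOF'
pub:-:4096:1:1111111111111111:1500000000:::-:::scESC:
uid:-::::1500000000::::Example Release Signing Key:
sig:!::1:1111111111111111:1500000000::::Example Release Signing Key:13x:
sig:!::1:2222222222222222:1500000001::::Example Master Signing Key:10x:
sig:-::1:3333333333333333:1500000002::::Example Tampered Signer:10x:
sig:?::1:4444444444444444:1500000003::::[User ID not found]:10x:
EOF
}

# Constructed stand-in for: gpg --with-colons --list-sigs <key>
# (nothing was verified, so field 2 of every sig record is assumed empty)
sample_listed() {
    sample_checked | sed 's/^sig:[^:]*:/sig::/'
}

# Read colon records on stdin and print the check result for key signatures
# made by the given 16-hex-digit key ID: good, bad, no-key, error,
# unverified (listed but never checked) or absent (no such signature).
# If the signer appears more than once, any non-good result wins.
signer_status() {
    awk -F: -v signer="$1" '
        $1 == "sig" && $5 == signer {
            if      ($2 == "!") cur = "good"
            else if ($2 == "-") cur = "bad"
            else if ($2 == "?") cur = "no-key"
            else if ($2 == "%") cur = "error"
            else                cur = "unverified"
            if (res == "" || res == "good") res = cur
        }
        END { print (res == "" ? "absent" : res) }
    '
}

# Succeed only if every key signature by the given signer was verified.
# Intended use (not run here):
#   gpg --with-colons --check-signatures KEY | require_good_sig SIGNER_KEYID
require_good_sig() {
    [ "$(signer_status "$1")" = "good" ]
}
```

A `good` result only says the signature is cryptographically valid for the signer key in the keyring; the signer key's own fingerprint still has to be validated out of band, as the steps above require for the QMSK.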