Git-Mirrors/qusal
1
0
Fork 0
mirror of https://github.com/ben-grande/qusal.git synced 2025-01-11 23:49:45 -05:00
Code Issues Packages Projects Releases Wiki Activity

fix: inform how to verify the maintainer's key

Browse Source 
For: https://github.com/ben-grande/qusal/issues/37
This commit is contained in:
Ben Grande 2024-03-23 22:22:31 +01:00
parent fcc155f5c7
commit cc2d547589
No known key found for this signature in database
GPG Key ID: 00C64E14F51F9E56
1 changed files with 24 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
README.md
View File

@ -74,6 +74,9 @@ You current setup needs to fulfill the following requisites:
If you made a fork, fork the submodule(s) before clone and use your remote
repository instead, the submodules will also be from your fork.
3. Copy the [maintainer's signing key](https://github.com/ben-grande/ben-grande/raw/main/DF3834875B65758713D93E91A475969DE4E371E3.asc)
to your text editor and save the file to `/home/user/ben-code.asc`.
### Dom0 Installation
Before copying anything to Dom0, read [Qubes OS warning about consequences of
@ -91,15 +94,33 @@ this procedure](https://www.qubes-os.org/doc/how-to-copy-from-dom0/#copying-to-d
"${qube}" /usr/lib/qubes/qfile-agent "${file}"
```
2. Acquire the maintainer signing key by other means and copy it to Dom0.
2. Pass the maintainer's key from the qube to Dom0:
```sh
qvm-run --pass-io "${qube}" -- "cat /home/user/ben-code.asc" | tee /tmp/ben-code.asc
```
3. Verify the [commit or tag signature](https://www.qubes-os.org/security/verifying-signatures/#how-to-verify-signatures-on-git-repository-tags-and-commits) and expect a good signature, be surprised otherwise:
3. Verify that the key fingerprint matches
`DF38 3487 5B65 7587 13D9 2E91 A475 969D E4E3 71E3`. You can use
Sequoia-PGP or GnuPG for the fingerprint verification:
```sh
gpg --show-keys /tmp/ben-code.asc
# or
#sq inspect ben-code.asc
```
4. Import the verified key to your keyring:
```sh
gpg --import /tmp/ben-code.asc
```
5. Verify the [commit or tag signature](https://www.qubes-os.org/security/verifying-signatures/#how-to-verify-signatures-on-git-repository-tags-and-commits)
and expect a good signature, be surprised otherwise:
```sh
git verify-commit HEAD
git submodule foreach git verify-commit HEAD
```
4. Copy the project to the Salt directories:
6. Copy the project to the Salt directories:
```sh
~/QubesIncoming/"${qube}"/qusal/scripts/setup.sh
```