Qubes OS authentication info
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

When I install software, I'd prefer to have a secure delivery mechanism. Qubes OS uses a relatively robust system. A master signing key is kept on a “dedicated, air-gapped "vault" machine”. This key certifies dedicated keys for each major release.

Sadly, I don't have a good way to verify the Qubes master signing key. Instead, I tried downloading the Qubes key packet from various different network endpoints, and over a bunch of different Tor circuits. I asked some friends to try the same thing. We all got the same results.

I'm pretty sure that the sha256sum of https://keys.qubes-os.org/keys/qubes-developers-keys.asc is 6ffc53d0d0d47a096476ee4d276e9cd025a39dc0fdeef5d69293bccef43558d6. When I connect to https://qubes-os.org, I see an SSL cert with SHA1 fingerprint F1:B2:89:E0:05:97:47:DA:FB:41:13:15:0E:E3:98:09:D0:A3:F7:C5.

If you check it out and see something different, please let me know. You can email me at [email protected].


When I download the Qubes R1 and the accompanying signature file, things look a little like this:

user@host:~$ gpg --verify Qubes-R1-x86_64-DVD.iso.asc 
gpg: Signature made Wed 29 Aug 2012 04:13:53 AM PDT
gpg:                using RSA key 0xEA01201B211093A7
gpg: Good signature from "Qubes OS Release 1 Signing Key" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FFED 4FD8 E49E 79F3 9C83  FD81 EA01 201B 2110 93A7
user@host:~$ gpg --list-sigs 0xEA01201B211093A7
pub   4096R/0xEA01201B211093A7 2012-03-31
uid                 [ unknown] Qubes OS Release 1 Signing Key
sig 3        0xEA01201B211093A7 2012-03-31 never       Qubes OS Release 1 Signing Key
sig          0xDDFA1A3E36879494 2012-03-31 never       Qubes Master Signing Key
user@host:~$ gpg --fingerprint 0xDDFA1A3E36879494
pub   4096R/0xDDFA1A3E36879494 2010-04-01
      Key fingerprint = 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
uid                 [ unknown] Qubes Master Signing Key

Relevant links

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----
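
The cross-check described in the post (the same key file fetched from several network endpoints and Tor circuits, then compared by SHA-256), as an added example that is not part of the original gist. The vantage-point labels and sample bytes are constructed, and fetching the copies is left to the reader.

```python
import hashlib
from collections import Counter

# Digest the post reports for qubes-developers-keys.asc.
REPORTED_SHA256 = "6ffc53d0d0d47a096476ee4d276e9cd025a39dc0fdeef5d69293bccef43558d6"


def sha256_hex(data):
    """Hex SHA-256 of a byte string, in the form sha256sum prints."""
    return hashlib.sha256(data).hexdigest()


def compare_copies(copies, expected=None):
    """Compare copies of one file fetched over independent paths.

    copies maps a vantage-point label (hypothetical names such as
    "tor-circuit-1") to the bytes received there. Unanimous agreement shows
    only that every path delivered the same bytes; it cannot detect a
    substitution made at the origin server itself.
    """
    if len(copies) < 2:
        raise ValueError("need at least two independently fetched copies")
    digests = {label: sha256_hex(data) for label, data in copies.items()}
    counts = Counter(digests.values())
    majority = counts.most_common(1)[0][0]
    unanimous = len(counts) == 1
    # Any label that disagrees with the most common digest deserves a closer look.
    outliers = sorted(label for label, d in digests.items() if d != majority)
    matches = None
    if expected is not None:
        # Only a unanimous result is compared against the published digest.
        matches = unanimous and majority == expected.strip().lower()
    return {"digests": digests, "unanimous": unanimous,
            "outliers": outliers, "matches_expected": matches}


if __name__ == "__main__":
    # Constructed sample data standing in for three downloads of the key file.
    sample = {
        "direct": b"constructed key packet\n",
        "tor-circuit-1": b"constructed key packet\n",
        "friend": b"constructed key packet (altered)\n",
    }
    result = compare_copies(sample, expected=REPORTED_SHA256)
    for label, digest in sorted(result["digests"].items()):
        print(f"{digest}  {label}")
    print("unanimous:", result["unanimous"], "outliers:", result["outliers"])
    print("matches reported digest:", result["matches_expected"])
```
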