How To: Verify Qubes Digital Signatures and Key Verification (Verifying Signatures)
Author: Mister Trizzle
Uploaded: 2021-03-16
Views: 6417
Description:
In this tutorial we will be easily verifying signatures to ensure that your download of the Qubes ISO is more authentic. This is important because evil, desperate people suffering from IBS and with malicious intent may try to compromise your download. Using this tutorial assumes that you are not using a compromised computer. If your computer is compromised then no amount of verifications or fancy doo-dads will help.
*Worthy of note: I am using a few different Windows themes so pages and windows colors will look different than yours*
Always verify the links provided before downloading or trusting the source.
Website: https://qubes-os.org
Tutorial that we will be following:
https://www.qubes-os.org/security/ver...
Go to the Qubes download page and download the ISO, Detached PGP signature, and the Qubes Release Signing Key:
https://www.qubes-os.org/downloads/ (Right click each link and click on save as)
For Windows, you will need a gpg program. We will be using Gpg4Win:
https://www.gpg4win.org/
Open up your Windows Explorer by going to Start and typing explorer and clicking on Windows Explorer. On the left side click on Local Disk (C:) under Computer. Press the ALT key and click the down arrow and click on New then click on folder. Type Qubes and press enter. Double click the new Qubes folder/directory. This is where you will put the files you download.
Open up a terminal by going to your start menu and typing the following in the search bar:
cmd.exe
In the terminal, type the following commands to navigate to the new Qubes directory that we created. This command is different than the commands given in the tutorial.
cd C:\Qubes
Get the Qubes Master Signing Key:
https://keys.qubes-os.org/keys/qubes-...
Download the file, then import it with GPG:
gpg --import ./qubes-master-signing-key.asc
-OR- Fetch the Qubes Master Key with GPG:
gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-...
-OR- Get the Qubes Master Key from a public keyserver:
gpg --keyserver-options no-self-sigs-only,no-import-clean --keyserver hkp://pool.sks-keyservers.net --recv-keys 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
Double click the Qubes Master Signing Key inside the Qubes directory to import it into Kleopatra. Look for a success message and, under Key-ID, compare the last 4 blocks of the Key-ID to the Master Signing Key fingerprint listed on the site. Follow the instructions on the fingerprint to ensure the fingerprint is genuine.
The Qubes Master Signing Key fingerprint is not a command but rather a reference point for you to look at, memorize, and refer back to later. Please use the links provided in the tutorial to look up and verify the Qubes Master Signing Key fingerprint (e.g., mailing lists, discussion forums, social media, personal websites) by comparing it to the Qubes Master Signing Key fingerprint on the website to make sure they are the same.
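An added example (not from the video or the Qubes documentation): a Python check that compares the full 40-digit fingerprint gpg reports against the one you verified, instead of only the last 4 blocks. The function names and the sample key listings (including timestamps and the look-alike key) are constructed for illustration; the expected fingerprint is the one used in the --edit-key command on this page.

```python
import subprocess

# Fingerprint as it appears in the --edit-key command on this page.
QMSK_FPR = "0x427F11FD0FAA4B080123F01CDDFA1A3E36879494"

def normalize(fpr):
    """Strip spaces, an optional 0x prefix and case differences."""
    s = "".join(fpr.split()).upper()
    if s.startswith("0X"):
        s = s[2:]
    if len(s) != 40 or any(c not in "0123456789ABCDEF" for c in s):
        raise ValueError("not a full 40-hex-digit fingerprint: %r" % fpr)
    return s

def primary_fingerprints(colons):
    """Return primary-key fingerprints from `gpg --with-colons` output."""
    found, after_pub = [], False
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True           # the next fpr record is the primary key's
        elif fields[0] == "sub":
            after_pub = False          # fpr records after sub belong to subkeys
        elif fields[0] == "fpr" and after_pub and len(fields) > 9:
            found.append(fields[9].upper())
            after_pub = False
    return found

def keyring_matches(colons, expected):
    """True only if exactly one primary key is listed and all 40 digits match."""
    fprs = primary_fingerprints(colons)
    return len(fprs) == 1 and fprs[0] == normalize(expected)

def list_key(name="Qubes Master Signing Key"):
    """Real listing from the local keyring (needs gpg on PATH)."""
    return subprocess.run(["gpg", "--with-colons", "--fingerprint", name],
                          capture_output=True, text=True, check=True).stdout

# Constructed sample listings; pass list_key() instead on a real system.
GENUINE = """pub:u:4096:1:DDFA1A3E36879494:1271775989:::u:::scSC:
fpr:::::::::427F11FD0FAA4B080123F01CDDFA1A3E36879494:
uid:u::::1271775989::::Qubes Master Signing Key:
"""
# Same last four blocks as the genuine key, different leading digits.
LOOKALIKE = GENUINE.replace("427F11FD0FAA4B080123F01C", "0000000000000000DEADBEEF")

if __name__ == "__main__":
    print("genuine listing accepted:", keyring_matches(GENUINE, QMSK_FPR))
    print("look-alike listing accepted:", keyring_matches(LOOKALIKE, QMSK_FPR))
```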
The following commands are for editing the key and setting the trust level to 'Ultimate', only if you have verified the fingerprints are genuine:
gpg --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
fpr
trust
5
y
q
List the Qubes Master Signing Key to confirm it is in the keyring:
gpg -k "Qubes Master Signing Key"
Get the Release Signing Key. Use the correct version that corresponds with the version you downloaded by changing the X to the main version you are using. In this tutorial we will be using version 4, thus changing X to 4. Use whole numbers only (integers), no decimals.
You should have already downloaded the release signing key when you downloaded the ISO:
https://www.qubes-os.org/downloads/
Alternatively, you can fetch it with GPG:
gpg --keyserver-options no-self-sigs-only,no-import-clean --fetch-keys https://keys.qubes-os.org/keys/qubes-...
Once you’ve downloaded your Release Signing Key, import it with GPG:
gpg --keyserver-options no-self-sigs-only,no-import-clean --import ./qubes-release-4-signing-key.asc
Check that the Release Signing Key is signed by the Qubes Master Signing Key:
gpg --check-signatures "Qubes OS Release 4 Signing Key"
Verify the Release Signing Key is in your keyring:
gpg -k "Qubes OS Release"
Time to verify your ISO! Yay!
gpg -v --verify Qubes-R4.0.3-x86_64.iso.asc Qubes-R4.0.3-x86_64.iso
Example of how the 4.0.3 edited file name should look:
Qubes-R4.0.3-x86_64