Clean ISO verification workflow (QMSK / RSK) for major upgrade?

Hi all,

I’m preparing for the next major Qubes upgrade and plan to do what worked well for me from 4.2 → 4.3:

  • download ISO
  • verify
  • write to USB
  • fresh bare-metal install
  • restore from Qubes backup

The reinstall + restore approach has been very smooth so far.

What I’m unsure about is the cleanest verification workflow regarding QMSK and RSK.

As I understand it:

  • ISO is signed by the Release Signing Key (RSK)
  • RSK is signed by the Qubes Master Signing Key (QMSK)
  • QMSK is the root of trust

So should the correct chain be:

  1. Import QMSK
  2. Verify its fingerprint out-of-band
  3. Import RSK
  4. Verify RSK is signed by QMSK
  5. Verify ISO with RSK

Or is verifying the ISO against a validated RSK sufficient in practice?

Also:

  • Do you verify in a dedicated offline qube?
  • Do you keep QMSK persistent, or import it fresh each time?
  • Is using a separate “verify” VM preferred over Vault?

I’m trying to keep trust domains clean without overengineering the process.

Curious how experienced users handle this.

Thanks.

The import step is very easy and I don’t think that if you take it from Qubes OS you need to verify the fingerprint…

So even if that is true, why not spend some extra seconds to import the QMSK?

I’m using an offline disposable. That might be overkill but it is so easy that I don’t see why not to do that.

Thanks! That’s exactly the information I needed. I agree it’s good practice.
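Steps 2, 4 and 5 of the chain listed in the first post can be checked against gpg's machine-readable output rather than by reading its human-oriented messages. The following is an added example, not part of the thread and not Qubes project tooling; the function names are hypothetical, the file names are placeholders, and every fingerprint and record in the sample data is constructed.

```shell
#!/bin/sh
# Real input would come from gpg (QMSK.asc, ISO.asc and ISO are placeholder names):
#   gpg --with-colons --show-keys QMSK.asc | primary_fpr                           (step 2)
#   gpg --with-colons --check-sigs "$RSK_FPR" | certified_by "$QMSK_FPR"           (step 4)
#   gpg --status-fd 1 --verify ISO.asc ISO 2>/dev/null | iso_signed_by "$RSK_FPR"  (step 5)

# Normalise a fingerprint for comparison: drop spaces, upper-case the hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Step 2: print the primary key fingerprint (field 10 of the first fpr record) so it
# can be compared with a value obtained out-of-band.
primary_fpr() { awk -F: '$1 == "fpr" { print $10; exit }'; }

# Step 4: succeed only if stdin holds a sig record that gpg verified ("!" in field 2)
# and whose signer key ID (field 5) is the last 16 hex digits of the given fingerprint.
certified_by() {
    keyid=$(norm_fpr "$1" | tail -c 16)
    awk -F: -v id="$keyid" '$1 == "sig" && $2 == "!" && $5 == id { ok = 1 } END { exit !ok }'
}

# Step 5: succeed only if stdin holds a VALIDSIG status line whose last field, the
# primary key fingerprint of the signer, equals the given fingerprint.
iso_signed_by() {
    want=$(norm_fpr "$1")
    awk -v want="$want" '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { ok = 1 } END { exit !ok }'
}

# Constructed sample data (not real Qubes keys or gpg output from a real run).
SAMPLE_QMSK_FPR='AAAA AAAA AAAA AAAA AAAA AAAA 1111 2222 3333 4444'
SAMPLE_RSK_FPR='BBBB BBBB BBBB BBBB BBBB BBBB 5555 6666 7777 8888'
SAMPLE_SIGS='pub:-:4096:1:5555666677778888:1700000000:::-:::scESC::::::23::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB5555666677778888:
sig:!::1:5555666677778888:1700000000::::Constructed Release Key:13x:::::10:
sig:!::1:1111222233334444:1700000001::::Constructed Master Key:10x:::::10:'
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 5555666677778888 Constructed Release Key
[GNUPG:] VALIDSIG BBBBBBBBBBBBBBBBBBBBBBBB5555666677778888 2024-01-01 1704067200 0 4 0 1 10 00 BBBBBBBBBBBBBBBBBBBBBBBB5555666677778888'

# Demonstration on the constructed data.
printf '%s\n' "$SAMPLE_SIGS" | certified_by "$SAMPLE_QMSK_FPR" && echo "RSK is certified by QMSK"
printf '%s\n' "$SAMPLE_STATUS" | iso_signed_by "$SAMPLE_RSK_FPR" && echo "ISO signature made by RSK"
```

The key-ID match in `certified_by` is only meaningful when the keyring's master key has already passed the full-fingerprint comparison from step 2.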