In my rudimentary skills at verifying the iso of Qubes 4.2 the fingerprint is not matching the widely publicized fingerprint. I am probably doing something wrong I am sure but I will include a snapshot of the results.
Thanks in Advance for any help
You are looking at the fingerprint of the Release Signing Key (RSK) rather than the fingerprint of the Qubes Master Signing Key (QMSK). Please read and follow this section again carefully.
Thank you for the response.
So in your opinion that release signing key looks good? The reason why I ask is that when I search for that fingerprint’s string of numbers I cannot find it anywhere, however when I search for the master Signing Keys numbers there are many websites and forums that it can be found on.
You should not rely on my or anyone else’s opinion when it comes to verifying cryptographic signatures, since a much strong form of assurance is readily available: mathematical proof.
Yes, that is by design. The QMSK is the root of trust. That’s the only key you need to be sure is genuine. Once you’ve done that, you can easily verify that any other RSK is genuine without even having to look at any RSK fingerprint. This is all explained in great detail in the documentation I linked. I strongly encourage you to read it carefully and thoroughly.
1 Like