Verifying signatures | Qubes OS says to use the pgp web of trust, but the wiki page it links to has no commands to run, no instructions, and the external links are not much help (since they just seem to point to https://www.research.att.com/~reiter/PathServer/ which is down). When I search for web of trust, https://www.mywot.com/ is what comes up, but I have a feeling that is not what is being referred to, because it is about integrity of sites, not keys. Experimental PGP key path finder is up, but how do I verify that what it is saying is true? Any site can just say there is a path…
I’m thinking this is the same question, but how do I find the keys that are signed by the Qubes Master Signing Key (QMSK)? For instance, I’d like to find a trusted version of the Signal key (https://updates.signal.org/desktop/apt/keys.asc) while distrusting the infrastructure the whole time. I know there is this page to find who signs QMSK, but I don’t trust any of those (yet), so that doesn’t help. I have, however, verified my copy of the QMSK fingerprint, so I want to go the other way (whom QMSK signs).
0xDDFA1A3E36879494 0x063938BA42CFA724 0xDB8FD31CCAD7D72C 0xFC1B547C8D8172C8 0x4B043FCDB9444540 0x5A09B4576DE8080E 0x086DC2A6D40B9D04 0x824D906CCA885078 0x1EDF0DB99D8B7A84 0xF5378C6B2B177925 0xB754EB6BA214CDDB 0xD980A17457F6FB061 nodes examined. 81916 elements in the hash
Can’t find any further paths
Produced by gpgwww 0.6.1, part of onak.