How to verify Qubes R4.1.1 iso in Windows 11

This probably posted a hundred time, but I’m lost.

After reading Verifying signatures | Qubes OS
and installing gpg4win 4.0.4. I think by copy paste
does the trick to download the key, but the next steps are using linux gpg2. Something about web of trust.

There are a lot of verifications need to be done. I’m kind of paralysis by it. Is there a page dedicated to window 11 methods in verifying Qubes iso?

The verifications will be the same, although the program you use may
What pgp/gpg program are you using in Windows?

i want to add, that pgp verifying it is not strictly necessary. Obviously it is recommended. However some users just resort to checking the hash sum, or just trust HTTPS to secure their download.

Welcome ot the community :slightly_smiling_face: This should do it for you:

On Windows: Download from Download Qubes OS | Qubes OS (all to one folder)

  • *.iso
  • Release signing key
  • Detached PGP sig

Click on File (top left) of folder where files have been downloaded

Open Powershell

Import the two keys with these commands:
gpg --import qubes-master-signing-key.asc
gpg --import qubes-release-4-signing-key.asc

If you wish, additional verification of the Master key:
gpg --fingerprint

Output should be:

> pub rsa4096 2010-04-01 [SC]
> 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
> uid [ unknown] Qubes Master Signing Key

Then search for the Qubes master key fingerprint online. Compare that fingerprint and make sure whats in your shell matches what you see in your search.

Verify the release key:
gpg --check-sigs

The output should look like this:

pub rsa4096 2017-03-06 [SC]
uid [ unknown] Qubes OS Release 4 Signing Key
sig!3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key
sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key

You should see the Release 4 key in “uid” and nested under it the Master key. The Master key line must begin with “sig!” including the exclamation mark! If the exclamation is not present then the key is bad.

Verify the iso file:
gpg --verify Qubes-R4.1.1-x86_64.iso.asc Qubes-R4.1.1-x86_64.iso

Wait … Message "Good signature from “Qubes OS Release 4 Signing Key”

gpg: using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: Good signature from "Qubes OS Release 4 Signing Key" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5817 A43B 283D E5A9 181A 522E 1848 792F 9E27

Done. Verified and ready for install

See also: