How to verify Qubes R4.1.1 iso in Windows 11

This has probably been posted a hundred times, but I’m lost.

After reading Verifying signatures | Qubes OS
and installing gpg4win 4.0.4, I think copy-pasting
https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
does the trick to download the key, but the next steps are using Linux gpg2. Something about web of trust.

There are a lot of verifications that need to be done. I’m kind of paralyzed by it. Is there a page dedicated to Windows 11 methods for verifying the Qubes ISO?

The verifications will be the same, although the program you use may
differ.
What pgp/gpg program are you using in Windows?

I want to add that PGP verifying it is not strictly necessary. Obviously it is recommended. However, some users just resort to checking the hash sum, or just trust HTTPS to secure their download.

Welcome to the community 🙂 This should do it for you:

On Windows: Download from Download Qubes OS | Qubes OS (all to one folder)

  • *.iso
  • Release signing key
  • Detached PGP sig

Click on File (top left) of folder where files have been downloaded

Open Powershell

Import the two keys with these commands:
gpg --import qubes-master-signing-key.asc
gpg --import qubes-release-4-signing-key.asc

If you wish, additional verification of the Master key:
gpg --fingerprint

Output should be:

> pub rsa4096 2010-04-01 [SC]
> 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
> uid [ unknown] Qubes Master Signing Key

Then search for the Qubes master key fingerprint online. Compare that fingerprint and make sure what’s in your shell matches what you see in your search.

Verify the release key:
gpg --check-sigs

The output should look like this:

pub rsa4096 2017-03-06 [SC]
5817A43B283DE5A9181A522E1848792F9E2795E9
uid [ unknown] Qubes OS Release 4 Signing Key
sig!3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key
sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key

You should see the Release 4 key in “uid” and nested under it the Master key. The Master key line must begin with “sig!” including the exclamation mark! If the exclamation is not present then the key is bad.

Verify the iso file:
gpg --verify Qubes-R4.1.1-x86_64.iso.asc Qubes-R4.1.1-x86_64.iso

Wait … Message: Good signature from "Qubes OS Release 4 Signing Key"

gpg: using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: Good signature from "Qubes OS Release 4 Signing Key" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5817 A43B 283D E5A9 181A 522E 1848 792F 9E27 95E9

Done. Verified and ready for install
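
The manual checks in the post above can also be scripted so that nothing depends on reading gpg's human-oriented output. The following PowerShell script is an added example, not part of any post in this thread; it assumes gpg.exe from Gpg4win is on PATH, both key files have already been imported, and the ISO and signature use the file names from the thread.

```powershell
# Added example, not from the thread. Assumes gpg.exe (Gpg4win) is on PATH
# and both key files were already imported with "gpg --import".
param(
    [string]$Iso = 'Qubes-R4.1.1-x86_64.iso',
    [string]$Sig = 'Qubes-R4.1.1-x86_64.iso.asc'
)

# Fingerprints as quoted in the thread, spaces removed.
$MasterFpr  = '427F11FD0FAA4B080123F01CDDFA1A3E36879494'
$ReleaseFpr = '5817A43B283DE5A9181A522E1848792F9E2795E9'
$MasterId   = $MasterFpr.Substring(24)   # long key ID: last 16 hex digits

foreach ($f in $Iso, $Sig) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
}

# 1. Master key with the expected full fingerprint is in the keyring.
#    In --with-colons output, "fpr" records hold the fingerprint in field 10.
$fprs = & gpg --batch --with-colons --fingerprint $MasterFpr 2>$null |
    Where-Object { $_ -like 'fpr:*' } | ForEach-Object { ($_ -split ':')[9] }
if ($fprs -notcontains $MasterFpr) { throw 'Master key not in keyring.' }

# 2. Release key carries a good signature from the master key.
#    In "sig" records, field 2 starts with "!" for a verified signature
#    and field 5 is the issuer key ID (the "sig!" line of --check-sigs).
$certified = & gpg --batch --with-colons --check-sigs $ReleaseFpr 2>$null |
    Where-Object {
        $p = $_ -split ':'
        $p[0] -eq 'sig' -and $p[1] -like '!*' -and $p[4] -eq $MasterId
    }
if (-not $certified) { throw 'Release key is not signed by the master key.' }

# 3. Detached signature over the ISO was made by the release key.
#    VALIDSIG is only emitted for a cryptographically good signature;
#    its first argument is the signing key's fingerprint.
$valid = & gpg --batch --status-fd 1 --verify $Sig $Iso 2>$null |
    Where-Object { $_.StartsWith('[GNUPG:] VALIDSIG ') } |
    ForEach-Object { ($_ -split ' ')[2] }
if ($valid -notcontains $ReleaseFpr) { throw 'ISO signature check FAILED.' }

Write-Output "OK: $Iso is signed by Release 4 key $ReleaseFpr"
```

The hard-coded fingerprints are only as trustworthy as the place they were copied from, so compare them against independent sources as the post describes before relying on the script.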
