.iso verification in Windows: pgp4win is asking for passphrase for Masterkey

So I am a little lost. I downloaded the latest .iso for Qubes OS. I also got myself a Release Signing Key as well as a Master Signing Key which I both trust. I went through every step of the instructions given by the official website, but I am still unable to verify the pgp key. I use pgp4win by the way. So this is where I am stuck. pgp4win asks me for the Passphrase when I try to verify the authenticity of the .iso or when I try to import the keys. I did successfully verify other files with pgp4win without being asked for a passphrase. Am I missing something?

2 Likes

Hi @adabsurdum. Welcome to the forum!

Unfortunately the verification process is only detailed for Linux at the moment (see related issue below).

@GWeck maybe this is something you can help with?

2 Likes

In order to check the signature of the iso, you first have to import the Qubes Master Signing Key (Key-ID 0xDDFA1A3E36879494) and the Qubes OS Release 4 Signing Key (Key-ID 0x1848792F9E2795E9) into your public keyring. Then, sign the Master Signing Key with your own private key, specifying full trust (level 4). You could do this using the Kleopatra GUI or via the commands
gpg --sign-key 0xDDFA1A3E36879494
and
gpg --edit-key 0xDDFA1A3E36879494 and selecting subcommand trust

Then verify the signature of the iso via the context menu entry Decrypt and verify, applied to the file Qubes-R4.1.0-alpha20201014-x86_64.iso.asc, which must be stored in the same directory as the corresponding iso file Qubes-R4.1.0-alpha20201014-x86_64.iso. This context menu entry should be available if gpg4win was installed with the GPGex option.

Alternatively, you could verify the signature via the command
gpg --verify Qubes-R4.1.0-alpha20201014-x86_64.iso.asc Qubes-R4.1.0-alpha20201014-x86_64.iso
which should give a result similar to the following:
gpg: Signatur vom 14.10.2020 12:22:46 Mitteleuropäische Sommerzeit
gpg: mittels RSA-Schlüssel 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: Korrekte Signatur von "Qubes OS Release 4 Signing Key" [vollständig]

5 Likes

Thanks for your reply. I tried everything you told me but I didn’t get far. First, importing the masterkey, via GUI or commandline (Powershell), is impossible without knowing the password for the master signing key (for whatever reason it asks me for it). Here is what I get:

PS C:[PATH TO FILE]> gpg --sign-key 0xDDFA1A3E36879494

pub rsa4096/DDFA1A3E36879494
erzeugt: 2010-04-01 verfällt: niemals Nutzung: SC
Vertrauen: unbekannt Gültigkeit: unbekannt
[ unbekannt ] (1). Qubes Master Signing Key

pub rsa4096/DDFA1A3E36879494
erzeugt: 2010-04-01 verfällt: niemals Nutzung: SC
Vertrauen: unbekannt Gültigkeit: unbekannt
Haupt-Fingerabdruck = 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494

 Qubes Master Signing Key

Sind Sie wirklich sicher, daß Sie vorstehenden Schlüssel mit Ihrem
Schlüssel “[MY NAME] <[MYEMAIL]>” ([MYKEY]) beglaubigen wollen

Wirklich signieren? (j/N) j
gpg: Beglaubigung fehlgeschlagen: Keine Passphrase angegeben
gpg: Beglaubigung fehlgeschlagen: Keine Passphrase angegeben

Schlüssel ist nicht geändert worden, also ist kein Speichern nötig.

Ok, now for comparing the .iso to the signing key I got a little further. It seems that on my setup it does only work from the commandline, for whatever reason. But there is something I don’t understand. Basically I get the following result:

PS C:[PATH TO FILES]> gpg --verify Qubes-R4.0.3-x86_64.asc Qubes-R4.0.3-x86_64.iso
gpg: Signatur vom 20.01.2020 02:41:26 Mitteleuropäische Zeit
gpg: mittels RSA-Schlüssel 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: Korrekte Signatur von “Qubes OS Release 4 Signing Key” [unbekannt]
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck = 5817 A43B 283D E5A9 181A 522E 1848 792F 9E27 95E9

So if I am correct it tells me that the signature is correct but also the key has no trustworthy signature. Is this because I don’t have a masterkey in the keyring as of yet?

1 Like

What is this command?
gpg --sign-key?

Why are you trying to sign the key?
What key are you using to sign it?
Do you have a password set on your default private key?

What you need to do is to read this page, and read it carefully:

The instructions for gpg4win will be almost exactly the same as those for
standard gpg.

What you need to do is import the Qubes Master Signing Key:
gpg --import

3 Likes

“So if i am correct it tells me that the signature is correct but also
the key has no trustworthy signature. Is this because i don’t have a
masterkey in the keyring as of yet?”

No, it’s because you have not yet set a trust level for whatever key(s)
you have imported.
The suggestion in the instructions is that you import the Master key and
set that to a high trust level - this will cascade trust down to other
keys signed with the Master Key.

You should find that the instructions for gpg in linux carry over exactly
to pgp4win at the command line.
Import the Master key - gpg --import
Set its trust level

1 Like

If you sign the Qubes Master Key, you are instructing gpg that this is a valid key and you confirm this by putting a digital signature on this key. The private key used for this digital signature is your own private key. So the passphrase required by gpg is that of your private key.

You should sign a key only if you trust that it is the correct one, i.e. if you checked its fingerprint - which, by the way, according to your log data, is 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494, and that is the correct value.

A trust level should only be set for a key whose identity you have checked this way. Signing the key before setting its trust level is optional with gpg and just has the effect that you can export the signed key telling others that you have checked it and are convinced that it is the right one.

So I recommend that you read the documentation cited by @unman - which is a lot better than the original gpg documentation which is bound more to confuse than to really help!

1 Like
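The two things the thread keeps circling around are (a) what "set its trust level" means for the imported Master Signing Key and (b) how to read a gpg result that says the signature is correct but the key is "[unbekannt]". The following script is an added example for illustration; it is not code from the Qubes project or from any of the posters. Instead of reading the localized human-readable text, it runs gpg with `--status-fd 1` and decides on GnuPG's machine-readable `[GNUPG:]` status lines, pins the expected signing-key fingerprint to the value quoted in the thread's own output, and produces the line that `gpg --import-ownertrust` accepts for setting full trust on the Master key. The `[GNUPG:]` sample outputs embedded below are constructed to mirror the untrusted, trusted and bad cases; the timestamps in them are made up.

```python
"""Decide whether a gpg signature check of a Qubes ISO really succeeded.

Added example, not code from Qubes OS or the forum posts. Uses gpg's
--status-fd output so the verdict does not depend on the UI language
("Korrekte Signatur ... [unbekannt]" vs "Good signature ... [unknown]").
"""
import subprocess
from dataclasses import dataclass
from typing import Optional

# Fingerprint of the Qubes OS Release 4 Signing Key exactly as printed in
# the gpg output quoted in this thread. Pinning it means a "good" signature
# made by some other key is still rejected.
EXPECTED_SIGNING_FPR = "5817A43B283DE5A9181A522E1848792F9E2795E9"

# Owner-trust values understood by `gpg --import-ownertrust`.
OWNERTRUST_FULL = 5
OWNERTRUST_ULTIMATE = 6


def ownertrust_line(fingerprint: str, level: int = OWNERTRUST_FULL) -> str:
    """Build one line for `gpg --import-ownertrust` (reads stdin or a file).

    Example: ownertrust_line("427F ... 9494") -> "427F...9494:5:" (full trust),
    the non-interactive equivalent of `gpg --edit-key <id>` + `trust`.
    """
    fpr = fingerprint.replace(" ", "").upper()
    return f"{fpr}:{level}:"


def verify_command(sig_path: str, data_path: str) -> list:
    """argv for a detached-signature check with status lines on stdout."""
    return ["gpg", "--status-fd", "1", "--verify", sig_path, data_path]


@dataclass
class SigStatus:
    good: bool = False
    bad: bool = False
    key_id: Optional[str] = None
    fingerprint: Optional[str] = None
    trust: Optional[str] = None  # "UNDEFINED", "MARGINAL", "FULLY", "ULTIMATE", ...


def parse_status(status_output: str) -> SigStatus:
    """Extract the signature verdict from `[GNUPG:]` status lines."""
    st = SigStatus()
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable text, ignore
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            st.good, st.key_id = True, fields[2]
        elif tag in ("BADSIG", "ERRSIG"):
            st.bad = True
        elif tag == "VALIDSIG":
            st.fingerprint = fields[2].upper()  # full fingerprint of the signing key
        elif tag.startswith("TRUST_"):
            st.trust = tag[len("TRUST_"):]
    return st


def assess(st: SigStatus, expected_fpr: str = EXPECTED_SIGNING_FPR) -> str:
    """Turn parsed status into the three outcomes seen in the thread."""
    if st.bad or not st.good:
        return "REJECT: signature did not verify"
    if st.fingerprint != expected_fpr.replace(" ", "").upper():
        return "REJECT: good signature, but not from the expected release key"
    if st.trust in ("FULLY", "ULTIMATE"):
        return "OK: good signature from the trusted release key"
    # This is the "[unbekannt]" + WARNUNG case: the math checks out, but no
    # owner trust has been set, so gpg cannot vouch for the key's identity.
    return "INCOMPLETE: good signature, but owner trust not set on the Master key"


def verify_iso(sig_path: str, data_path: str) -> str:
    """Run gpg on a real .asc/.iso pair and return the verdict string."""
    proc = subprocess.run(verify_command(sig_path, data_path),
                          capture_output=True, text=True)
    return assess(parse_status(proc.stdout))


# Constructed status output: the poster's situation before setting trust.
UNTRUSTED_SAMPLE = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1848792F9E2795E9 Qubes OS Release 4 Signing Key
[GNUPG:] VALIDSIG 5817A43B283DE5A9181A522E1848792F9E2795E9 2020-01-20 1579484486 0 4 0 1 10 00 5817A43B283DE5A9181A522E1848792F9E2795E9
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed status output after the Master key has been given full trust.
TRUSTED_SAMPLE = UNTRUSTED_SAMPLE.replace("TRUST_UNDEFINED", "TRUST_FULLY")

# Constructed status output for a tampered ISO.
BAD_SAMPLE = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 1848792F9E2795E9 Qubes OS Release 4 Signing Key\n"

if __name__ == "__main__":
    for name, sample in [("untrusted", UNTRUSTED_SAMPLE), ("trusted", TRUSTED_SAMPLE), ("bad", BAD_SAMPLE)]:
        print(f"{name:9s} -> {assess(parse_status(sample))}")
    print("ownertrust line:", ownertrust_line("427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494"))
```

The decisive line is `TRUST_*`, not `GOODSIG`: a signature can be mathematically valid and still be worthless if you never established that the key belongs to Qubes. That is why the thread insists on checking the Master key's fingerprint by hand first and only then setting its owner trust; the `ownertrust_line` output is what you would pipe into `gpg --import-ownertrust` to do that without the interactive `trust` prompt.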

Hey @GWeck , I made a post over at my thread about How To Verify Signatures and I did my best to make the video I made accurate and engaging.

I saw your post about:
Then verify the signature of the iso via the context menu entry Decrypt and verify, applied to the file Qubes-R4.1.0-alpha20201014-x86_64.iso.asc, which must be stored in the same directory as the corresponding iso file Qubes-R4.1.0-alpha20201014-x86_64.iso. This context menu entry should be available if gpg4win was installed with the GPGex option.

Can you clarify and give an example about the decrypt command in the reference you are using?

Also @adabsurdum click the link in this reply, that should help.

3 Likes

That is for if you are using the Kleopatra GUI and want to verify. Your video does not use that, therefore there is no command you need to add.

1 Like

Hey, that’s a great video that you have created! Clear, concise, and suitable for anyone who has no experience with gpg so far. The language is understandable for non-English speaking people, too, and the acoustic quality is more than sufficient for these people, too.

As for the context menu entry: Like @HackerNCoder said, that is just an additional option available if Kleopatra is installed. Right clicking on the .asc file in Windows explorer then shows something like the following:

[Screenshot: decrypt_verify]

(As I am using a German Windows system, it is shown as Entschlüsseln und prüfen, but I suppose that an English system would show it as Decrypt and verify.)

If the gpg commands are entered from a command window, like you showed in your video, there is no need to use this context menu command. It’s just a question which type of interaction you prefer. (de gustibus non est disputandum, or so…)

1 Like

I want to show you something.

If I have both the release signing key and the Qubes Master Signing key, can I then click on Decrypt/Verify then click on Qubes iso to verify the ISO? :open_mouth:

Here’s what happens when it finished. I get no message whatsoever:

Forgot to tag @GWeck

You just have to click on the .asc file. Kleopatra then assumes to have to check the file with the corresponding name, i.e. with the .asc stripped off. The behaviour is then somewhat misleading - tricked me too: When the progress bar is filled and you get the picture above, Kleopatra has not checked the signature, but is just starting the check. It may then take quite some time until the check completes, and then you will get something like the following:

On my system, where the iso file is stored on a NAS attached via a 100 Mbit line, it took about two minutes for the progress bar to fill up. Then, for about 6 minutes, nothing happened, but gpg just used CPU time. Then, a second progress bar started, taking again about two minutes, and then, finally, the result was displayed. Not exactly a user-friendly UX, in my opinion!

3 Likes

I’ll give this a try then if it works for me, I’ll make another tutorial about it.

My ISO was verified perfectly but what I noticed was that it verified the file with FULL trust instead of ULTIMATE trust. In the screenshot below, it will not let me change it to ultimate trust. Should I be okay with just full trust?

[Screenshot: Kleopatra change to ultimate trust]

@GWeck

1 Like

Full trust should be o.k. Both full and ultimate trust mean that you trust any keys signed by this key. The difference is just that you should ultimately trust only yourself (up to how many beers???), i.e. only keys for which you have a secret key. As you don’t have the secret key for the Qubes Master Signing Key, full trust should be the maximum achievable. But the sloppy implementation of gpg sometimes allows ultimate trust even without a secret key. That’s not clean, but no harm done, as both values work.

1 Like

Awesome, thank you @GWeck for your input. I’m in the process of making another tutorial (both windows and linux) for doing verifications through Kleopatra.

Thanks a lot for your video, it helped sorting things out quite a lot! :wink:

1 Like