I’m a complete noob to both Linux and Qubes with zero experience. Spent the last week looking up and reading directions for verifying Qubes ISO authentication and burning it to USB. I need help verifying that the directions I’ve gathered below are correct and legit.
- Is this the correct QMSK? 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
- Do I need to verify the ISO again after it’s burned onto a USB drive if I follow these steps below?
Note:
- I installed Fedora 41 using Media Writer (for access to the built-in GnuPG) on a PC dual booting with Windows 11 or Fedora 41.
- Change directory to Downloads
- Check for the files listed below
$ cd Downloads
~/Downloads$ ls
***** Downloads [file] *****
- Qubes-R4.2.4-x86_64.iso
- Qubes-R4.2.4-x86_64.iso.asc (Detached PGP signature)
- Qubes-R4.2.4-x86_64.iso.DIGESTS (Cryptographic hash values)
- qubes-release-4-signing-key.asc
- qubes-master-signing-key.asc (import QMSK by command line below)
***** Verify the Qubes Master Signing Key *****
get the Qubes Master Signing Key [QMSK]
- 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
On Fedora:
$ sudo dnf install distribution-gpg-keys
$ gpg2 --import /usr/share/distribution-gpg-keys/qubes/*
OR Fetch it with GPG:
$ gpg2 --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
import the QMSK [do I skip this if done with Fedora steps above???]
$ gpg2 --import qubes-master-signing-key.asc
view the key’s fingerprint
- <KEY_ID>: 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
- short <KEY_ID>: 0x36879494
- pub 4096R/36879494 2010-04-01
- Key fingerprint = 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
- uid Qubes Master Signing Key
$ gpg2 --fingerprint <KEY_ID>
set the QMSK trust level to “ultimate”
$ gpg2 --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
gpg> fpr
gpg> trust
gpg> 5
gpg> q
make sure the QMSK is in your keyring with the correct trust level [ultimate]
$ gpg2 -k "Qubes Master Signing Key"
***** Verify release signing keys *****
download the release signing key (RSK)
FROM Download Qubes OS | Qubes OS
OR
$ gpg2 --keyserver-options no-self-sigs-only,no-import-clean --fetch-keys https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc
Once you’ve downloaded your RSK, import it with GPG
$ gpg2 --keyserver-options no-self-sigs-only,no-import-clean --import qubes-release-4-signing-key.asc
verify that the release signing key [RSK] is signed by the QMSK
$ gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
make sure the RSK is in your keyring with the correct trust level [full]
$ gpg2 -k "Qubes OS Release 4 Signing Key"
***** Verify detached PGP signatures on Qubes ISOs *****
Check for Good signature from “Qubes OS Release 4 Signing Key [full]”
$ gpg2 -v --verify Qubes-R4.2.4-x86_64.iso.asc Qubes-R4.2.4-x86_64.iso
***** Verify the cryptographic hash values of Qubes ISOs *****
Open Qubes-R4.2.4-x86_64.iso.DIGESTS with text editor and compare
$ openssl dgst -md5 Qubes-R4.2.4-x86_64.iso
$ openssl dgst -sha1 Qubes-R4.2.4-x86_64.iso
$ openssl dgst -sha256 Qubes-R4.2.4-x86_64.iso
$ openssl dgst -sha512 Qubes-R4.2.4-x86_64.iso
OR
check for “Qubes-RX-x86_64.iso: OK”
$ md5sum -c Qubes-R4.2.4-x86_64.iso.DIGESTS
$ sha1sum -c Qubes-R4.2.4-x86_64.iso.DIGESTS
$ sha256sum -c Qubes-R4.2.4-x86_64.iso.DIGESTS
$ sha512sum -c Qubes-R4.2.4-x86_64.iso.DIGESTS
verify the signature in the digest file
$ gpg2 -v --verify Qubes-R4.2.4-x86_64.iso.DIGESTS
***** Linux ISO to USB *****
[Identify Your USB Device]
- /dev/sdX, where X is a letter representing your drive
$ lsblk
[Unmount the USB Drive (if mounted)]
$ sudo umount /dev/sdX
[Write the Qubes OS ISO to USB]
$ sudo dd if=Downloads/Qubes-R4.2.4-x86_64.iso of=/dev/sdX bs=4M status=progress oflag=sync
[Sync and Eject the USB Drive]
$ sync
$ sudo eject /dev/sdX
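
Added example, not part of the original post and not Qubes project code: a read-back check that relates to the question about re-verifying after writing, comparing the first ISO-sized bytes on the USB device with the already-verified ISO. It assumes `head -c` and `sha256sum` from GNU coreutils; the function names and the script name are hypothetical, and /dev/sdX is the same placeholder used above.

```shell
#!/bin/sh
# Added example: read-back check of installation media after dd.
# Usage (hypothetical script name; root is needed to read the raw device):
#   sudo sh verify-media.sh Qubes-R4.2.4-x86_64.iso /dev/sdX

# sha256_of_prefix SOURCE NBYTES
# Prints the hex SHA-256 of the first NBYTES bytes of SOURCE.
sha256_of_prefix() {
    head -c "$2" <"$1" | sha256sum | cut -d' ' -f1
}

# media_matches_iso ISO DEVICE
# Returns 0 when the first <size of ISO> bytes of DEVICE equal ISO,
# 1 on mismatch (including a device shorter than the ISO), 2 on read errors.
# The device is normally larger than the image, so hashing the whole
# device would never match; only the ISO-sized prefix is compared.
media_matches_iso() {
    mmi_iso=$1
    mmi_dev=$2
    [ -r "$mmi_iso" ] && [ -r "$mmi_dev" ] || {
        echo "cannot read $mmi_iso or $mmi_dev" >&2
        return 2
    }
    mmi_size=$(wc -c <"$mmi_iso" | tr -d '[:space:]')
    mmi_iso_sum=$(sha256sum <"$mmi_iso" | cut -d' ' -f1)
    mmi_dev_sum=$(sha256_of_prefix "$mmi_dev" "$mmi_size")
    if [ "$mmi_iso_sum" = "$mmi_dev_sum" ]; then
        echo "OK: $mmi_dev matches $mmi_iso ($mmi_size bytes)"
        return 0
    fi
    echo "MISMATCH: $mmi_dev differs from $mmi_iso" >&2
    return 1
}

# Run only when called with both arguments.
if [ "$#" -eq 2 ]; then
    media_matches_iso "$1" "$2"
    exit $?
fi
```

The check is only meaningful if the ISO it compares against has already passed the signature verification steps above.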