Obtaining the fingerprint from multiple, independent sources in different ways

I don’t understand how to do the following from the Verifying signatures page.Verifying signatures | Qubes OS

What is the following list talking about? Would someone please explain what it simply is telling me to do. I am not getting it.

Here are some ideas for how to do that:

  • Check the fingerprint on various websites (e.g., mailing lists , discussion forums , social media , personal websites).

  • Check against PDFs, photographs, and videos in which the fingerprint appears (e.g., slides from a talk , on a T-shirt , or in the recording of a presentation ).

  • Download old Qubes ISOs from different sources and check the included Qubes Master Signing Key.

  • Ask people to post the fingerprint on various mailing lists, forums, and chat rooms.

  • Repeat the above over Tor.

  • Repeat the above over various VPNs and proxy servers.

  • Repeat the above on different networks (work, school, internet cafe, etc.).

  • Text, email, call, video chat, snail mail, or meet up with people you know to confirm the fingerprint.

  • Repeat the above from different computers and devices.

When some digital object needs to be distributed in a way where the recipient can be sure it hasn’t been tampered with and comes from a certain source, we use digital signatures. Digital signatures are a common way that recipients can verify the integrity of some message, maybe an e-mail or file. The Qubes project uses digital signatures in this same way.

When an end user checks a signature, they have to use the public key of whoever claims to have created the signature. In this case, you are checking the signature of some file you got from the www.qubes-os.org web site, so you’d like to use the Qubes project’s public key. The crux of this issue comes in getting the key itself. If the key verifies that other messages haven’t been tampered with, what verifies that the key itself hasn’t been tampered with?

In order to ensure that the key hasn’t been tampered with (or, at least, be reasonably certain) we can check the key’s fingerprint, a string of characters unique to that key. If the key you have has the same fingerprint as someone else’s key, you can be almost certain that the two of you have the same key. So, by checking the fingerprint of some key from the Qubes project in multiple places, you can be more confident that the key you have is actually the key for the Qubes project, and hasn’t been tampered with. If a hypothetical attacker served you with a bogus key, you’d know, because you’d check multiple sources and these sources would say “no, that’s not the fingerprint I have.” Of course, you have to trust these sources too.

In reality, the Qubes project uses keys to sign other keys, but the logic is the same – somewhere, at the top of keys signing keys signing keys is a key which isn’t signed, and has to be trusted in some other fashion.

By the way, the fingerprint I have direct from my install of Qubes for the Qubes Master Signing Key is: 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494

1 Like

Ok, so someone tells you that X is the QMSK fingerprint. How do you know if that’s true? They could be lying to you. The website you read that on could be compromised. The computer you’re using could be compromised. If an attacker can get you to believe that his key is the QMSK, then he can get you to install a malicious Qubes ISO, even if you follow the verification procedure perfectly. This is why it’s important to be sure you know the one true QMSK fingerprint.

Now, how do you do that? Well, you could go to the Qubes website, but again it could be compromised, or your connection to it could be MITMed, or your computer could be compromised. So you’ll want to get the fingerprint in a bunch of different ways (different websites through different connections on different devices), then make sure they all match. That way you’ll be reducing the risk that an attacker has tricked you into accepting a false QMSK. Or, alternatively, you’ve raised the cost of perpetrating such an attack against you, as now the attacker must compromise all the different paths you’ve taken.

Does this make more sense?

1 Like

See also: There is no way to validate Qubes Master Signing Key.

@_sy @adw and fsflover

I should have asked “How”. HOW would I achieve the following:

  • Check the fingerprint on various websites (e.g., mailing lists , discussion forums , social media , personal websites).

  • Check against PDFs, photographs, and videos in which the fingerprint appears (e.g., slides from a talk , on a T-shirt , or in the recording of a presentation ).

I am thinking that I would have to do a search using a search engine such as google to find the fingerprint from various websites, PDFs, photographs, and videos, etc.

Is my comprehension right? What if I can’t find them?

  • Ask people to post the fingerprint on various mailing lists, forums, and chat rooms.

For this step, is this to ensure different set of eyes seeing the fingerprint and posting it to some other sites, where I would go there and check against the one from here Verifying signatures | Qubes OS

It would be nice if these various websites, PDFs, photographs, mailing lists, forums, chat rooms, and videos, etc. were created or listed onto this page Verifying signatures | Qubes OS for users to refer to to get things going.

What if I can only achieve 1 of the steps? What is the easiest and quickest way to do this?

Could I just use the fingerprint that you have posted here as a check and I should be on my way to get this going or do I have to follow every suggested step before doing anything?

What if I walk around with a fake malicious fingerprint t-shirt?

Nobody should rely on a single source for the fingerprint. If all independent sources give you the same fingerprint, it’s highly likely that it’s legit.

2 Likes

Yes, this is right.

You should be able to, because there are indeed quite a few places already. Unless you are being attacked and prevented from accessing those resources.

It’s probably a bad idea, because the links listed on the official website will become an easy thing to target and may become unreliable quickly. The Qubes OS developers are trying to only present very reliable information in the official docs. However, such list would fit very well here on the forums. Probably in this very thread.

2 Likes

There is the “what if” scenario.

What if there are mischievous people out there who know these steps as suggested and posted at Verifying signatures | Qubes OS and they post some random strings of the fingerprint and say that theirs is the one to check against? Wouldn’t that be an issue?

I think there should be some mechanism or tool within Qubes itself to check once it is up and running for integrity. And if there is something wrong with it, Qubes should have a tool to wipe out whatever that is not authentic. Is this an error in my thinking?

Should I trust this website?

If you installed a malicious system, it’s too late to check the integrity, because it can show you anything. But see this: https://github.com/QubesOS/qubes-issues/issues/2544.

2 Likes

What about this “What if” scenario?

In your “what if” scenario, you assume that Verifying signatures | Qubes OS can be trusted. But you cannot trust this website as explained in my link.

1 Like

I meant the steps that say to go to other websites on the internet not specific to the Qubes website. People go to other websites as suggested and start posting bogus strings of characters.

If you trust me, and if you trust that your channel of communication with me hasn’t been tampered with.

That’s why you use multiple sources, as suggested, so you can weed out
the bogus strings.

2 Likes

Since it will fairly readily be exposed as fake, you’ll be outed as a
malicious troll with dubious taste in T-shirts.

1 Like

The same way you try to find any info on the internet. Searching, browsing, asking, etc.

Yes, but don’t just search for the exact string that you believe to be the fingerprint. Marek made a good point about this on a previous draft of that page:

Here are some ideas for how to do that:

  • Download the key from different keyservers.
  • Use different search engines to search for the fingerprint.

Those two are not really useful. If you search for a fake key based on its fingerprint, you will get that very fake key. Searching with key name could be a better idea, but it’s far to easy to promote anything in a search engine, so I’d simply remove those two.

As a result, those two points didn’t make it into the documentation.

Well, then you have to decide whether you’re willing to continue your search or give up the search. That depends on how much time you have and how important it is to you, among other things. To be clear, it’s not like we’re imposing a scavenger hunt on folks for the heck of it. This is just the nature of trust in the context of public key cryptography without assuming that another existing piece of software you already have (such as an OS or browser) is appropriate as a sole root of trust. We’re essentially saying: “Do whatever you need to do to establish a root of trust in Qubes OS. Here are some tips and ideas for how you might do that.”

Most people have never thought about trust in the context of technology and see no need to establish a root of trust for themselves. They trust the computer they buy from a retailer, the OS that comes preinstalled on it, the certificates that come included in that OS and in whichever web browsers they use, and so on. By departing from that mainstream, whether you realize it not, you’ve taken on the responsibility of deciding trust for yourself rather than letting others decide it for you. Now you have to decide whether you trust Qubes OS and how to satisfy yourself that you’re installing the real deal. We’re just trying to offer some advice for how to go about doing that.

It’s just another way you could try to ensure you have the genuine fingerprint. Imagine that there might a malicious actor were trying to pass off his own fingerprint as the QMSK fingerprint. You’re not sure whether there is such a person, but you know there could be. Your goal is not to be deceived. What do you do? One thing you can do is ask others what they think the fingerprint is. If every answer matches and matches the same fingerprint you’re seeing from other sources you found yourself, then it becomes less and less likely that the hypothetical malicious actor is successfully deceiving you. If you’ve done lots of corroboration, it would have to be a massive deception. At some point, it becomes so far-fetched that you’re willing to accept that the fingerprint is genuine and proceed (or decide you can’t discern the genuine fingerprint and decline to proceed.)

Suppose the malicious actor has fed you a fake version of that page that includes such a list. Each link in the list has been crafted to present support for a fake QMSK fingerprint. You now willingly eat up all of those fake pieces of “evidence” and end up believing in a fake QMSK. This happened because you were fooled into accepting a bundle of “different sources” that all in fact came from a single source.

These questions suggest that you might be thinking about this the wrong way. It’s not some kind of pre-flight checklist where certain tasks must be completed, or else the plane will fall out of the sky. It’s more like a survival guide. Your goal is to survive, and that mainly depends on two things: your environment and you. If your environment is peaceful and temperate, survival might be easy. If there are predators everywhere, it might be difficult. If you’re more of a risk-taker, you might not think twice about drinking straight from that nice-looking stream. If you’re more risk-averse, you might take a pot and boil it first. If you’re about to pass out from dehydration, you might not have a choice. Asking whether you “can” or “have to” do certain items on this list is a bit like asking whether you “can” get a motorcycle, and whether you “can” ride without a helmet. Some people do it; others don’t. Some people will tell you it’s worth the risk; others will tell you it’s not. No one here knows you well enough to tell you how you should live your life or what kind of person you should be.

You certainly could. You could also present a lie as if it were fact. It happens all the time, hence “fake news,” “myth-busting,” and so on.

Lying, deception, secrets, trust: These things have existed and will continue to exist as long as there are humans (or, probably, any sufficiently-intelligent beings). There is no technical solution for all of it, only parts of it, and there will probably never be any technology that is completely invulnerable to tampering or exploitation.

The T-shirt was never suggested as some foolproof security mechanism. It’s literally just a T-shirt with the Qubes logo, slogan, and QMSK fingerprint. Some were handed out at a conference some years ago. Those T-shirts are out there now, in people’s closets and occasionally on their backs (maybe :P). You could easily print up your own batch of T-shirts with a fake QMSK fingerprint, but it wouldn’t be long before someone is holding two different T-shirts in their hands and staring down at two different fingerprints. That would probably cause quite a stir around here (at least for a day or two). Many of us would find that interesting. Ironically, it would probably lead to more people confirming that they have the genuine fingerprint by checking multiple other sources. The fake T-shirts probably wouldn’t fool anyone, unless someone were foolish enough to accept only that particular T-shirt as the one true source of trust for their digital life, which would be… inadvisable (hence why we spent the time to write a section of documentation to explaining why that’s a bad idea and what to do instead).

Sure. Isn’t it also an issue that some people claim that the Earth is flat, or a thousand other falsehoods? The principle is the same: There are truths, and there are lies, and each of us has to try to sort the former from the latter. This is the fundamental “human condition” for any epistemic being. The Qubes OS Project is no more immune to it than anything else.

As @fsflover pointed out, the error in this line of reasoning is that, if a malicious actor gets you to install a malicious OS that’s pretending to be Qubes OS, then any such “tool” within the OS itself will make sure that it passes its own authenticity check. It’s a bit like asking a corrupt organization to investigate itself. Of course their “finding” will be that they’re totally fine, because they’re corrupt!

2 Likes