Qubes Release Signing Key Fingerprint?

I’m trying to find the documented Qubes Release Signing Key Fingerprints on a website or somewhere just like the Qubes Master Signing Key did.

Where can I find these?

> I’m trying to find the documented Qubes Release Signing Key
> Fingerprints on a website or somewhere just like the Qubes Master
> Signing Key did.

The Release Signing Key is signed by the Master Signing Key. So if you
successfully verified the Qubes Master Signing Key you can use it to
verify the Release Signing Key…

user@app-vault:~$ gpg --check-signatures "Qubes OS Release 4 Signing Key"
pub   rsa4096 2017-03-06 [SC]
       5817A43B283DE5A9181A522E1848792F9E2795E9
uid           [  full  ] Qubes OS Release 4 Signing Key
sig!3        1848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key
sig!         DDFA1A3E36879494 2017-03-08  Qubes Master Signing Key

gpg: 2 good signatures

See also Verifying signatures | Qubes OS

2 Likes
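The check from the reply above, scripted as an added example (not code from the thread or the Qubes project): it reads `gpg --check-signatures --with-colons` output and accepts the release key only if the key with the expected fingerprint carries a verified (`!`) user-ID signature from the master key ID shown above, so a lookalike key with the same name does not pass. The sample records are constructed, the function name is hypothetical, and it assumes the Master Signing Key in the keyring has already been verified.

```python
import subprocess
import sys

# Fingerprint and key ID as quoted in the thread.
RELEASE_FPR = "5817 A43B 283D E5A9 181A 522E 1848 792F 9E27 95E9"
MASTER_KEYID = "DDFA1A3E36879494"

# Constructed sample of the colon-delimited listing (timestamps made up).
SAMPLE = """\
pub:f:4096:1:1848792F9E2795E9:1488758400:::-:::scSC:
fpr:::::::::5817A43B283DE5A9181A522E1848792F9E2795E9:
uid:f::::1488758400::::Qubes OS Release 4 Signing Key:
sig:!::1:1848792F9E2795E9:1488758400::::Qubes OS Release 4 Signing Key:13x:
sig:!::1:DDFA1A3E36879494:1488931200::::Qubes Master Signing Key:10x:
"""


def certified_by_master(colons, expected_fpr, master_keyid):
    """True only if the key whose primary fingerprint is expected_fpr has a
    user-ID signature from master_keyid that gpg marked as verified ('!')."""
    want = expected_fpr.replace(" ", "").upper()
    fpr, section = None, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":                      # a new key block starts
            fpr, section = None, "pub"
        elif f[0] in ("uid", "uat", "sub"):
            section = f[0]
        elif f[0] == "fpr" and section == "pub" and len(f) > 9:
            fpr = f[9].upper()                 # primary key fingerprint
        elif f[0] == "sig" and section == "uid" and len(f) > 4:
            # Field 2 starts with '!' only when the signature checked out;
            # '-' is bad, '?' means the signer's key is missing.
            if (fpr == want and f[1].startswith("!")
                    and f[4].upper() == master_keyid.upper()):
                return True
    return False


if __name__ == "__main__":
    listing = subprocess.run(
        ["gpg", "--check-signatures", "--with-colons",
         RELEASE_FPR.replace(" ", "")],
        capture_output=True, text=True, check=True).stdout
    ok = certified_by_master(listing, RELEASE_FPR, MASTER_KEYID)
    print("certified by master key" if ok else "NOT certified")
    sys.exit(0 if ok else 1)
```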

I get that part but I’m making another model (tutorial) on how to verify signatures without having to use the gpg console, hence why I’m looking for the release key fingerprints.

> I get that part but I’m making another model (tutorial) on how to
> verify signatures without having to use the gpg console, hence why
> I’m looking for the release key fingerprints.

I don’t think such places exist due to it being redundant.

Using the gpg method, we know the fpr is:

5817 A43B 283D E5A9 181A 522E 1848 792F 9E27 95E9

That’s also the one shown on the Qubes documentation page.

You could then use a search engine to look for it elsewhere (because we
know it’s the correct one). Unfortunately all I find are

  • coincidental mentions in qubes-issues
  • another one on StackExchange

… that’s about it. So I don’t think you can get around using gpg.

The following discussions also provide some ideas of where to look for the fingerprint:

1 Like