[qubes-users] cannot verify signatures R4.0.4

Hello,
everything seems to work fine:

gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
pub rsa4096 2017-03-06 [SC]
       5817A43B283DE5A9181A522E1848792F9E2795E9
uid [ full ] Qubes OS Release 4 Signing Key
sig!3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key
sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key
gpg: 2 good signatures

gpg2 -k "Qubes OS Release"
pub rsa4096 2014-11-19 [SC]
       C52261BE0A823221D94CA1D1CB11CA1D03FA5082
uid [ full ] Qubes OS Release 3 Signing Key
pub rsa4096 2017-03-06 [SC]
       5817A43B283DE5A9181A522E1848792F9E2795E9
uid [ full ] Qubes OS Release 4 Signing Key

but when I try to verify I get an unexpected error, even after downloading the files twice, and even after trying with Fedora and Debian:

gpg2 -v --verify qubes-release-4-signing-key.asc Qubes-R4.0.4-x86_64.iso
gpg: verify signatures failed: Unexpected error

I found the problem: I downloaded

Qubes release signing key
rather than
Detached PGP signature

Well frankly, IMO the name of the wrong file seems more appropriate than the right one.
How is “Detached PGP signature” supposed to be easy to understand? :slight_smile: Detached from what? Well, I am sure it is detached from something, but I lost hours for nothing and other users may simply avoid verifying the iso if it is too complicated.
Once there was only one file that could be downloaded. Well I understand the additional files may have some additional use, but there are a lot of people that are not interested in that and just need an easy and fast way to get it going.

So perhaps it would be more appropriate to also add to the detached file the wording “use this file to follow the Qubes verification tutorial”.
Best
Franz

> Hello,
> everything seems to work fine:
>
> gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
> pub rsa4096 2017-03-06 [SC]
>        5817A43B283DE5A9181A522E1848792F9E2795E9
> uid [ full ] Qubes OS Release 4 Signing Key
> sig!3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key
> sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key
> gpg: 2 good signatures
>
> gpg2 -k "Qubes OS Release"
> pub rsa4096 2014-11-19 [SC]
>        C52261BE0A823221D94CA1D1CB11CA1D03FA5082
> uid [ full ] Qubes OS Release 3 Signing Key
> pub rsa4096 2017-03-06 [SC]
>        5817A43B283DE5A9181A522E1848792F9E2795E9
> uid [ full ] Qubes OS Release 4 Signing Key
>
> but when I try to verify I get an unexpected error, even after downloading the
> files twice, and even after trying with Fedora and Debian:
>
> gpg2 -v --verify qubes-release-4-signing-key.asc Qubes-R4.0.4-x86_64.iso
> gpg: verify signatures failed: Unexpected error
>
> I found the problem: I downloaded
> Qubes release signing key
> rather than
> Detached PGP signature

Yes, we already have a Troubleshooting FAQ entry for this situation:

(It looks like GPG may have slightly changed their wording from "unexpected data" to "Unexpected error," but it should still be close enough to point you in the right direction.)

> Well frankly, IMO the name of the wrong file seems more appropriate than the right one.

No, a key is completely different from a detached signature file. It would be incorrect to call the signature file a key. It would actually be *more* confusing, since then there would be two different types of things called "keys."

> How is "Detached PGP signature" supposed to be easy to understand? :slight_smile:
> Detached from what?

Detached from the thing being verified (in this case, the ISO) as opposed to being included (as in a clearsigned text file, such as our signed hash values). That's just what it's called in the PGP/GPG world:

https://www.gnupg.org/gph/en/manual/x135.html

> Well, I am sure it is detached from something, but I lost hours for nothing and other users may simply avoid verifying the iso if it is too complicated.

That's why we provide such detailed step-by-step instructions and a troubleshooting FAQ at the bottom of the page:

> Once there was only one file that could be downloaded.

No, that was never the case with Qubes ISO verification. At minimum, you'd theoretically need two things: The PGP key and the clearsigned data (data + sig in a single file). However, in all of my years using and working on Qubes, I can't recall ever seeing a PGP signature included in an ISO as a single file (i.e., a "clearsigned ISO"). Not sure if it's even possible. Even if it were, it may not be desirable, since the ability to handle the ISO on its own is useful. (This is why we also include signed hash values as an alternative verification method.)

> Well I understand the additional files may have some additional use

It's not like we're including extra files for the heck of it. All of the files we're providing to you are necessary for secure verification. None of them are optional in that process. Please carefully read this page again:

> but there are a lot of people that are not interested in that and just need an easy and fast way to get it going.

For a user who primarily seeks security, it generally doesn't make sense to insecurely install a high-security OS, since this can easily be a self-defeating exercise. Therefore, our main focus is on high-security verification.

Nonetheless, we also understand that different users seek varying levels of security and that some are attracted to Qubes for primary reasons other than security (e.g., control and compartmentalization, perhaps with security as a bonus). We understand that such users may appreciate another verification method that trades a small amount of security in exchange for a great amount of convenience, and there has been some exploration on this front:

> So perhaps it may be more appropriate to add to the detached file also the
> wording "use this file to follow the Qubes verification tutorial"

Sure, if it's possible to include extra comment text that doesn't interfere with the signature, it wouldn't hurt to point to the guide. I'll ask the team about this.

Yes, you can add a comment, or multiple comments, using the handy
`--comment` parameter.
Whether someone who won't read the detailed guides, even after hitting
problems, will check inside the signature file is a moot point.
And in the present case, it isn't clear that the user downloaded the sig
file but didn't use it.

> Hello,
> everything seems to work fine:
>
> gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
> pub rsa4096 2017-03-06 [SC]
>        5817A43B283DE5A9181A522E1848792F9E2795E9
> uid [ full ] Qubes OS Release 4 Signing Key
> sig!3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key
> sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key
> gpg: 2 good signatures
>
> gpg2 -k "Qubes OS Release"
> pub rsa4096 2014-11-19 [SC]
>        C52261BE0A823221D94CA1D1CB11CA1D03FA5082
> uid [ full ] Qubes OS Release 3 Signing Key
> pub rsa4096 2017-03-06 [SC]
>        5817A43B283DE5A9181A522E1848792F9E2795E9
> uid [ full ] Qubes OS Release 4 Signing Key
>
> but when I try to verify I get an unexpected error, even after
> downloading the files twice, and even after trying with Fedora
> and Debian:
>
> gpg2 -v --verify qubes-release-4-signing-key.asc Qubes-R4.0.4-x86_64.iso
> gpg: verify signatures failed: Unexpected error
>
> I found the problem: I downloaded
> Qubes release signing key
> rather than
> Detached PGP signature
>
> Well frankly, IMO the name of the wrong file seems more appropriate than the right one.
> How is "Detached PGP signature" supposed to be easy to understand? :slight_smile:

PGP/GPG basics: Normally when signing a file, the file is changed (signature appended (basically)). With a detached signature, the signed file is unchanged, and the signature is a separate "detached" file. That's a detached signature.

Of course to check a signature you need the signing key as well as the detached signature.
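The mix-up in this thread (the release key passed to `gpg2 --verify` where the detached signature belongs) can be caught before gpg ever runs. As an added example, not Qubes' own tooling, the following Python pre-check reads the first OpenPGP packet tag of the file given as the signature and refuses to continue unless it is a signature packet; it assumes `gpg2` is on PATH, and the armored samples it carries are constructed, not real Qubes files.

```python
"""Pre-check that the file handed to gpg2 --verify is a detached signature (added example, not Qubes code)."""
import base64
import subprocess
import sys

TAG_NAMES = {2: "signature", 5: "secret key", 6: "public key", 11: "literal data"}

# Constructed samples, not real Qubes files: the first packet is a public key
# (old-format CTB 0x99, base64 "mQ...") or a signature (0x89, base64 "iQ...").
SAMPLE_KEY = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed\n\nmQADBF69\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n"
SAMPLE_SIG = b"-----BEGIN PGP SIGNATURE-----\n\niQADBAAB\n-----END PGP SIGNATURE-----\n"

def dearmor(data: bytes) -> bytes:
    """Strip ASCII armor if present and return the binary OpenPGP payload."""
    if not data.startswith(b"-----BEGIN PGP "):
        return data  # already binary (a .sig file)
    body, in_body = [], False
    for line in data.decode("ascii", "replace").splitlines()[1:]:
        if line.startswith("-----END PGP "):
            break
        if not in_body:  # skip armor headers; the first blank line ends them
            in_body = line.strip() == ""
        elif not line.startswith("="):  # "=XXXX" is the CRC-24 line, not payload
            body.append(line.strip())
    return base64.b64decode("".join(body))

def first_packet_tag(payload: bytes) -> int:
    """Packet tag of the first packet (RFC 4880 4.2), old- and new-format headers."""
    if not payload or not payload[0] & 0x80:
        raise ValueError("not an OpenPGP packet stream")
    ctb = payload[0]
    return ctb & 0x3F if ctb & 0x40 else (ctb >> 2) & 0x0F

def classify(data: bytes) -> str:
    """Name the kind of OpenPGP file, e.g. 'public key' or 'signature'."""
    return TAG_NAMES.get(first_packet_tag(dearmor(data)), "other")

def precheck(sig_data: bytes) -> tuple:
    """(ok, message): ok only when sig_data really is a detached signature."""
    kind = classify(sig_data)
    if kind == "signature":
        return True, "detached signature: OK to pass to gpg2 --verify"
    return False, f"this file is a {kind}, not a detached signature; fetch the ISO's .asc file"

if __name__ == "__main__":  # usage: precheck.py <detached .asc signature> <ISO>
    with open(sys.argv[1], "rb") as fh:
        ok, msg = precheck(fh.read())
    print(msg)
    sys.exit(subprocess.call(["gpg2", "--verify", sys.argv[1], sys.argv[2]]) if ok else 2)
```

Run against the key file from the thread, it reports "this file is a public key" instead of gpg's bare "Unexpected error".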

I understand your point, you are right; also, item 3 of the verification tutorial really does say “detached PGP signature file”, even if in normal type rather than bold. But during my efforts I checked this paragraph many times without noticing the critical wording “detached PGP signature file”. So it is just my fault, OK.

But it is sad that Qubes remains, after so many years, a system organized by developers for developers. I mean people who think that learning to use computers is something important. But the majority of potential users do not have the time for that. I suggested to a friend that he use Qubes. He is an investment manager, so naturally interested in maximum security. He was even able to install a Monero cryptocurrency wallet and node on a Linux computer, so he is not averse to using computers. But he replied to me: I tried to use Qubes, but it is too much for me, I cannot use it.

I love Qubes and always found a way to invest the time necessary to get it working and to ask your kind help when necessary, but it would help to add a tutorial called:

Qubes the easy way
explaining all the basics there, without options.
I would begin by saying that Qubes is much easier with a few computer models and listing 5 of the best. This alone saves a lot of time.
Then, the verification process is the hardest part to digest. Would it be possible to avoid it in the following way:
I know your web servers may be compromised and also I am comfortable with the mantra that we do not trust infrastructure. But you will know if your servers have been compromised because many people would claim they are unable to verify the compromised download. So what about if “Qubes the easy way” just included subscribing to a mailing list that only alerts if servers have been compromised. So, if after a couple of weeks or one month no alert is received, then it is reasonable to think that the download files and the installation are secure enough.
I suppose this would be better than avoiding any verification, even though I have used Qubes since the first beta release about ten or more years ago and never got news that Qubes servers had been compromised. So this risk seems almost nonexistent. But who knows the future… for the worst case the email alert would help. What do you think? This is just an idea; there may be a more proper way to alert people.

These two, the computer choice and the verification are the most critical parts, but there may be others to add that I do not remember now.

Finally, many many thanks for your replies and dedication and sorry for not being a developer at your level.
Best