Two questions regarding security

Hello Qubes Community,

I have two questions regarding the security aspects of the Qubes operating system.

Firstly, I am seeking clarification on the security measures surrounding Qubes Backup. I understand backups can be stored remotely, provided a strong password is used; however, I have been unable to locate detailed discover a Google Chat conversation on the subject, but it dated back to 2013…

Secondly, I am attempting to ascertain whether keys belonging to the Qubes security team are available, signed by the Qubes Master Signing Key. The verification canary guide suggests downloading the Qubes Security Team files from GitHub and then validating the signatures using keys that have not yet been trusted, but it shows [full] if they are. I wonder whether there is a way to download them separately (signed by QMSK of course), because I don’t trust this GitHub verification with my level of knowledge (small).

1 Like

Hello,

Qubes backups are currently encrypted using scrypt, and contain an HMAC allowing you to verify the integrity of the archive.

4 Likes
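The integrity check mentioned in the reply above can be illustrated with a short added example (not part of the original posts and not the Qubes backup code or file format): a passphrase is stretched with scrypt into a key, and an HMAC made with that key lets you detect, on your own machine, any change made to the archive while it sat on remote storage. The scrypt parameters, blob layout and function names are assumptions for the demo, and encryption is left out to keep the focus on the integrity tag.

```python
import hashlib
import hmac
import os

# Constructed demo parameters (assumptions, not the settings Qubes uses).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
SALT_LEN, TAG_LEN = 16, 32


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase into a 32-byte MAC key with scrypt."""
    return hashlib.scrypt(passphrase.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def seal(passphrase: str, archive: bytes) -> bytes:
    """Return salt || archive || HMAC-SHA256(key, salt || archive)."""
    salt = os.urandom(SALT_LEN)
    body = salt + archive
    tag = hmac.new(derive_key(passphrase, salt), body, hashlib.sha256).digest()
    return body + tag


def open_sealed(passphrase: str, blob: bytes) -> bytes:
    """Check the tag locally; raise ValueError on a modified blob or wrong passphrase."""
    if len(blob) < SALT_LEN + TAG_LEN:
        raise ValueError("blob too short")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    key = derive_key(passphrase, body[:SALT_LEN])
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed")
    return body[SALT_LEN:]


def is_intact(passphrase: str, blob: bytes) -> bool:
    """True only if the blob verifies under this passphrase."""
    try:
        open_sealed(passphrase, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    blob = seal("constructed-passphrase", b"constructed sample backup contents")
    flipped = bytearray(blob)
    flipped[SALT_LEN + 3] ^= 0x01  # simulate one bit changed by the storage host
    print("intact:", is_intact("constructed-passphrase", blob))
    print("modified:", is_intact("constructed-passphrase", bytes(flipped)))
```
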

I suggest you read and follow this guide:

Note that when you follow this guide, you are not trusting GitHub in any way, shape, or form. Rather, you are obtaining untrusted data from GitHub, which you are then authenticating on your own local machine using PGP. If the authentication succeeds, you then know that the data is trustworthy (because you authenticated it on your own machine, not because it came from GitHub). If GitHub were to give you bad data, the authentication check would fail.

It makes no difference if the data comes from GitHub or any other source. GitHub is merely functioning as a convenient file host, since the data you need isn’t on your computer yet, and you need to get it from somewhere.

In other words, it’s not a GitHub verification method. It’s a PGP verification method, where the data being verified happens to be stored on GitHub.