Prior to using Qubes, I was using PGP with a hardware key as the ultimate trust. I used the key certification this way: once I have gained enough confidence about some public key I downloaded online, I will certify (sign) it with my PGP key on the hardware key.
Now that I moved to Qubes, I found that split-gpg 1 and 2 specifically forbids this usage. Why? The documentation didn’t discuss at length, only stating that
Therefore, it cannot differentiate between e.g. signatures of a piece of data or signatures of another key.
But why is that a problem? I can understand that, if the OS in which gpg is invoked is compromised, then gpg can be altered to always support signed key regardless of whether it’s genuine. But we have the public key with the signature as data, and we have an hypothetically uncompromised private key protected air-gapped. Thus, we can always move the data to another machine and verify there, which is very easy in Qubes: just open a new qube and check the key certification there; and the compromised VM can’t fake that, under the hypothesis that the private key is protected.
Therefore, I don’t understand the incentive behind the prohibition of key certification, and hope to discuss it.
Thanks in advance.
1 Like
Moreover, I also want to discuss that, if there’s a decent reason to forbid this usage, then how should we do this alternatively, certifying keys with an ultimate private key airgapped?
I can think of one alterntive: after we are confident enough about some public key we downloaded, instead of certifying it, we record its hash (Fingerprint) maually in the air-gapped vault Qube. However, this of course is rather error-prone, and it’s perhaps easier than we think to forge data of similar hash (e.g. only a few characters different from the target hash, or only the same first several characters).
Just to clarify :
Are you saying the issue is you can not use your hardware key with Qubes?
Which is a topic I am interested in.
Or there is a problem doing key verification with split gpg?
I do no-t use Split-gpg.
oops, What I should have done, duckduckgo, search
qubes documentation, hardware gpg key , how to use with dom0
Which leads to:
To use a hardware GPG key with dom0 in Qubes OS, you need to attach the USB device to a disposable VM and then run the necessary GPG commands within that VM. This allows you to securely manage your GPG keys without exposing dom0 directly to the hardware. Make sure to use the command qvm-usb attach to connect the device to the disposable VM.
ajmartinez.com
Read the Docs
Using a Hardware GPG Key with dom0 in Qubes OS
To securely use a hardware GPG key with dom0 in Qubes OS, follow these steps:
Step-by-Step Instructions
- Attach the USB Device
Use the command to attach your hardware GPG key to a disposable VM:
qvm-usb attach <disposable-vm-name> <usb-device>
- Access the Disposable VM
Open the disposable VM where the USB device is attached.
- Run GPG Commands
Inside the disposable VM, you can run GPG commands to manage your keys. For example, to check the status of the GPG card, use:
gpg --card-status
Important Notes
- Security: This method keeps dom0 secure by isolating the hardware interaction within a disposable VM.
- Disposable VMs: These VMs are ephemeral, meaning they do not retain data after they are closed, enhancing security.
Example Command Usage
| Command |
Description |
qvm-usb attach disp4632 sys-usb:2-1 |
Attaches the USB GPG key to the disposable VM named disp4632. |
gpg --card-status |
Displays the status of the GPG card in the disposable VM. |
By following these steps, you can effectively use your hardware GPG key with dom0 while maintaining the security features of Qubes OS.
doc.qubes-os.org ajmartinez.com
Explore More
I need to drink more coffee before writing.
That’s not what @hewhois is asking. But it leads me to another question, why duckduckgo gave you this link:
https://parulin-qubes-doc.readthedocs.io/en/tutorials/project-security/security-pack.html
…instead of the official one? 
I can’t reproduce with the same search.