Yum.qubes-os.org Template Verification

I have downloaded a template file (qubes-template-fedora-34-minimal-4.0.6-202110020209.noarch.rpm) from Index of /r4.0/templates-itl/rpm/.
I note that there may be some gpg signature information in Index of /r4.0/templates-itl/repodata/ however I can not find any specific signature file for the file I have downloaded.
I have verified the sha256 check sum in one of the repodata files matches my download but do not know how to verify the repodata files themselves.

I have already installed qubes-template-fedora-34-4.0.6-202110020209.noarch.rpm (i.e. the full version as apposed to the minimal version) using the Dom0 shell command which does the verification automatically, however it took so long to download that file I decided to try downloading the next one manually first. I don’t want to download that file again if I can avoid it, besides there has got to be a way of verifying this template file that I have already downloaded.
Please let me know if I missing something, or what I need to do.
Thank you for any good advice.

Wrong link for the rpm download. Should have been Index of /r4.0/templates-itl/rpm/. (Edited/corrected in original post.)

Many problems that people have in Qubes are actually not Qubes specific.
This is one of those.
You can find many guides online to checking the signature on a RPM
package. The signature is embedded in the package.

rpm -K will check the hash and the PGP signature - it will report OK
if both are correct and the signing key is in RPM’s database.
rpm -qpi will give you all sorts of useful information, including the
key used to sign the package.

1 Like

Thank you very much. I new it had to be easy but I did not realise it was that easy or that I should have assumed that it was no different to other linux operating systems. I was expecting to have to use some gpg or gpg2 command and signature file.

It would not hurt to have a tip in a read me file in the download directory on how to verify the files. Sure people should “just know”, and it not the responsibility of the qubes-os project, but when it so easy to turn a frustrating time consuming experience into a pleasant experience with a little tip/reminder I think it is worth doing.

Thank you again fro your kind reply.

1 Like

It takes many users a long time to realise that many of the issues with
dom0 or with templates, are resolved just as you would with a standard
Linux system.
If you “get” this, then you are well ahead.

There are, of course, some Qubes specific issues, and resolutions.

Most people will be using package managers, rather than
downloading by hand, and the checks are built in there.

Thank you for your nice response.