On Sat, Mar 27, 2021 at 9:15 PM Ulrich Windl < [email protected]> wrote:
> On 3/27/21 2:50 AM, Franz wrote: > > > > > > On Fri, Mar 26, 2021 at 9:10 AM Franz <[email protected] > > <mailto:[email protected]>> wrote: > > > > Hello, > > everything seems to work fine: > > > > gpg2 --check-signatures "Qubes OS Release 4 Signing Key" > > pub rsa4096 2017-03-06 [SC] > > 5817A43B283DE5A9181A522E1848792F9E2795E9 > > uid [ full ] Qubes OS Release 4 Signing Key > > sig!3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing > Key > > sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key > > gpg: 2 good signatures > > > > gpg2 -k "Qubes OS Release" > > pub rsa4096 2014-11-19 [SC] > > C52261BE0A823221D94CA1D1CB11CA1D03FA5082 > > uid [ full ] Qubes OS Release 3 Signing Key > > pub rsa4096 2017-03-06 [SC] > > 5817A43B283DE5A9181A522E1848792F9E2795E9 > > uid [ full ] Qubes OS Release 4 Signing Key > > > > but when I try to verify get unexpected error, even after > > downloading two times the files, and even after trying with Fedora > > and Debian: > > > > gpg2 -v --verify qubes-release-4-signing-key.asc > > Qubes-R4.0.4-x86_64.iso > > gpg: verify signatures failed: Unexpected error > > > > > > I found the problem: I downloaded > > Qubes release signing key > > rather than > > Detached PGP signature > > > > Well frankly, IMO the name of the wrong file seems more appropriate than > > the right one. > > How is "Detached PGP signature" supposed to be easy to understand? :-) > > PGP/GPG basics: Normally when signing a file, the file is changed > (signature appended (basically)). With a detached signature, the signed > file is unchanged, and the signature is a separate "detached" file. > That's a detached signature. > > Of course to check a signature you need the signing key as well as the > detached signature. > > I understand your point, you are right, also, really on item 3 of the verification tutorial there is written "detached PGP signature file" even if in normal character rather than bold. But, during my efforts I checked this paragraph many times without noting the critical wording detached PGP signature file. So it is just my fault, OK. But it is sad that Qubes remains, after so many years a system organized by developers for developers. I mean people that think that learning to use computers is something important. But the majority of potential users do not have the time for that. I suggested a friend to use Qubes. He is an investment manager, so naturally interested in maximum security. He was even able to install Monero cryptocurrency wallet and node on a linux computer, so he is not adverse to using computers. But he replied to me: I tried to use Qubes, but it is too much for me, I cannot use it. I love Qubes and always found a way to invest the time necessary to get it working and to ask your kind help when necessary, but it would help to add a tutorial called: Qubes the easy way there explaining all the basics, without options. I would begin telling that Qubes is much easier with a few computer models and listing 5 of the best. This alone saves a lot of time. Then, the verification process is the hardest part to digest. Would it be possible to avoid it in the following way: I know your web servers may be compromised and also I am comfortable with the mantra that we do not trust infrastructure. But you will know if your servers have been compromised because many people would claim they are unable to verify the compromised download. So what about if "Qubes the easy way" just includes subscribing to a mailing list that only alerts if servers have been compromised. So, if after a couple of weeks or one month no alert is received, then it is reasonable to think that the download files and the installation are secure enough. I suppose this would be better than avoiding any verification, even if I used Qubes since the first beta release about ten or more years ago and never got news that Qubes servers had been compromised. So this risk seems almost nonexistent. But who knows the future... for the worst case the email alert would help. What do you think? This is just an idea, there may be a more proper way to alert people. These two, the computer choice and the verification are the most critical parts, but there may be others to add that I do not remember now. Finally, many many thanks for your replies and dedication and sorry for not being a developer at your level. Best -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAPzH-qDavvJKY7DsbZVF9pHY7-tfs3A1AcbyQBr8nT-x6Bg40Q%40mail.gmail.com.
