Verifying signatures for Qubes OS


NOTE: For all of the commands below, using gpg seems to work just as well as gpg2.

  1. Fetch the Qubes Master Signing Key (QMSK):

         gpg2 --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc

  2. List the keys you currently have and find the ID of the QMSK:

         gpg2 -k

  3. Verify the fingerprint of the QMSK by comparing it to multiple independent sources:

         gpg2 --fingerprint <QMSK_ID>

  4. Set the QMSK's trust level to "ultimate":

         gpg2 --edit-key <QMSK_ID>

     The above command opens a little GPG REPL. In there, do:

         fpr
         trust
         q

     `fpr` prints the fingerprint (compare it once more), `trust` asks for the trust level (choose `5 = I trust ultimately`), and `q` quits.

     Then confirm that the trust level was applied correctly:

         gpg2 -k "Qubes Master Signing Key"
  5. Download the release signing key that corresponds to the ISO you downloaded. (Usually, the signing key is listed right below the ISO file link on the downloads page.) Be sure to replace the dummy filename below with the signing key's actual filename.

         gpg2 --keyserver-options no-self-sigs-only,no-import-clean --import path/to/qubes-release-X-signing-key.asc

  6. Confirm that the release signing key was signed by the master key:

         gpg2 --check-signatures "Qubes OS Release X Signing Key"

  7. Make sure that the release signing key has "full" trust:

         gpg2 -k "Qubes OS Release X Signing Key"

  8. Download the hash values that correspond to the ISO you downloaded. (Usually, the hash values file is listed right below the ISO file link on the downloads page.) Be sure to replace the dummy filename below with the .DIGESTS file's actual filename.

         sha512sum -c path/to/Qubes-X-x86_64.iso.DIGESTS

     You should see something like:

         Qubes-X-x86_64.iso: OK
         sha512sum: WARNING: 23 lines are improperly formatted

     The warning is expected: the .DIGESTS file also contains MD5, SHA-1 and SHA-256 lines and a cleartext PGP signature block, none of which `sha512sum` can parse, so it skips them and checks only the SHA-512 line. What matters is the `OK` on the ISO line.
  9. Verify that the .DIGESTS file was signed by the release signing key:

         gpg2 -v --verify path/to/Qubes-X-x86_64.iso.DIGESTS
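The steps above are easy to get subtly wrong by hand (comparing a short key ID instead of the full fingerprint, accepting a .DIGESTS file signed by *some* key rather than the release key, or glancing past a hash mismatch among the "improperly formatted" noise). The wrapper below is an added example, not code from the Qubes project or its documentation; it assumes `gpg2` and GNU coreutils `sha512sum` are installed and that the QMSK fingerprint, release key fingerprint, key file, and ISO paths are supplied by you after confirming them out of band (all values in it are placeholders or constructed for the example).

```shell
#!/bin/sh
# Added example (not from the Qubes docs): a fail-closed wrapper for the
# manual verification steps. Assumes gpg2 and GNU coreutils sha512sum.
set -u

# normalize_fpr: drop whitespace and upper-case, so a fingerprint copied
# from a web page ("427F 11FD ...") compares byte-for-byte with gpg output.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n\r' | tr '[:lower:]' '[:upper:]'
}

# fpr_matches EXPECTED ACTUAL: succeed only for two identical 40-hex-digit
# fingerprints. A short key ID or a prefix is deliberately not enough.
fpr_matches() {
    exp=$(normalize_fpr "$1"); act=$(normalize_fpr "$2")
    [ "${#exp}" -eq 40 ] && [ "$exp" = "$act" ]
}

# keyfile_fingerprint KEYFILE: print the primary fingerprint of the first key
# in an armored key file without importing it into the keyring.
keyfile_fingerprint() {
    gpg2 --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# iso_sha512_ok DIGESTS ISO: compare the ISO's SHA-512 with the matching line
# of the .DIGESTS file. The file also carries MD5/SHA-1/SHA-256 lines and a
# cleartext PGP signature block (the source of sha512sum's "improperly
# formatted" warning); here only the 128-hex-digit line naming this ISO
# counts, and a missing line is a failure rather than a warning.
iso_sha512_ok() {
    digests=$1; iso=$2
    name=$(basename "$iso")
    expected=$(awk -v n="$name" 'length($1) == 128 && $2 == n { print $1; exit }' "$digests")
    [ -n "$expected" ] || { echo "no sha512 entry for $name in $digests" >&2; return 1; }
    actual=$(sha512sum "$iso" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# verify_iso QMSK_FPR RELEASE_FPR DIGESTS ISO: the whole chain, in the order
# the trust actually flows: master key -> release key -> .DIGESTS -> ISO.
verify_iso() {
    qmsk_fpr=$(normalize_fpr "$1"); rel_fpr=$(normalize_fpr "$2")
    digests=$3; iso=$4
    [ "${#qmsk_fpr}" -eq 40 ] && [ "${#rel_fpr}" -eq 40 ] \
        || { echo "fingerprints must be the full 40 hex digits" >&2; return 1; }
    # The keyring must hold a master key with exactly the fingerprint you
    # confirmed from multiple independent sources.
    gpg2 --with-colons -k "$qmsk_fpr" 2>/dev/null | grep -q "^fpr:.*:$qmsk_fpr:" \
        || { echo "QMSK $qmsk_fpr not in keyring" >&2; return 1; }
    # The release key must carry a good ("!") certification from the QMSK;
    # --check-sigs colon output names the certifier by its long key ID,
    # i.e. the last 16 hex digits of the fingerprint.
    qmsk_id=$(printf '%s' "$qmsk_fpr" | tail -c 16)
    gpg2 --with-colons --check-sigs "$rel_fpr" 2>/dev/null \
        | grep -q "^sig:!:[^:]*:[^:]*:$qmsk_id:" \
        || { echo "release key not certified by QMSK" >&2; return 1; }
    # The .DIGESTS signature must be valid AND made by that release key;
    # gpg --verify alone exits 0 for a good signature from any known key.
    gpg2 --status-fd 1 --verify "$digests" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $rel_fpr " \
        || { echo ".DIGESTS signature invalid or from another key" >&2; return 1; }
    # Only now do the ISO bytes matter.
    iso_sha512_ok "$digests" "$iso"
}

# Usage (placeholders): verify_iso <QMSK fingerprint> <release key fingerprint> \
#                         path/to/Qubes-X-x86_64.iso.DIGESTS path/to/Qubes-X-x86_64.iso
if [ "$#" -eq 4 ]; then
    verify_iso "$@" && echo "ISO verified"
fi
```

The ordering in `verify_iso` is the point: each check establishes the trust the next one relies on, so a failure anywhere stops before the ISO is declared good, and the hash comparison is done against a single explicitly located line instead of trusting that `OK` was printed somewhere in `sha512sum -c` output.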
