Add better links / info about release signing keys to Downloads & Security page #1114

Closed
bnvk opened this Issue Aug 11, 2015 · 2 comments


bnvk commented Aug 11, 2015

While trying to verify the Qubes-R3.0-rc2-x86_64-DVD.iso I realized the signature was different from the master signing key I had imported to my keychain. I found no mention of the key ID that shows up in . After chatting with Michael, I learned there was a separate key for just release signing.

I think we can improve upon the documentation and instructions in this respect!


Member

unman commented Aug 14, 2015

There's already a link to VerifyingSignatures, where that issue is explained in some detail.
Do you mean that some of that material should be moved directly to the Download Page, or that the information on that page isn't clear enough?


bnvk commented Aug 14, 2015

@unman I think if we use unique signing keys for each release, those keys should be linked to on the Download Page. I read and now re-read the VerifyingSignatures page; the importing Qubes signing keys section does explain things, eventually. I'm used to verifying packages with one key, but have never gone through a signing verification process like this with a master signing key. While I understand the reasoning for the way it is done (and thoroughly appreciate it), it also is a lot of info to take in and follow for a mildly technical user like myself. I think this could be improved upon a bit!
