Noob trying to verify Qubes OS with GPGTools

imassagenorfolk's Avatar

imassagenorfolk

21 Jul, 2017 10:49 AM

Hello everyone,

As you may gather from the subject - I am trying to verify the current stable release of Qubes OS using GPG Tools. I have never touched anything to do with this sort of thing ever but I have some experience in other areas of IT and I wish to learn about security and cryptography.

However I always, after about 5 attempts, end up with a failed verification and I don't know whether I am doing something wrong, or indeed I am doing something right and the download itself is actually dodgy. I was hoping someone here could help me through this, maybe point out what I am doing wrong or otherwise.
Let me explain what I have tried:

  1. Downloaded GPGSuite current stable version. Made sure my OS (Mac OSX) is up to date too.

  2. Verified downloaded GPGSuite by using the SHA256 checksum method as mentioned here: https://gpgtools.tenderapp.com/kb/how-to/how-to-verify-the-download... - all checks out!
    Did the encrypted email tutorial in the docs and now have my own key in GPG Keychain.

  3. Got Qubes Master Key, compared signatures to other sources throughout the web as recommended by Qubes themselves. Seems to be legit. Now it is within GPG Keychain. Also made sure I have OpenPGP tools within the right-click menu. Made the 'Validity' of the Master Key ultimate.

  4. Downloaded Qubes OS 3 Release Signing Key, I also put this into GPG Keychain. Nothing is mentioned anywhere in any docs or any 'googleing' about verifying this key too which I find strange, but I continue.

  5. Downloaded Qubes OS iso file (the one I want to verify!). Put in folder with both keys mentioned above. Right clicked on 'OpenPGP: Verify Signature of file' option. End up with 'Verfication: FAILED' message :-/

  6. Try using Terminal instead of GUI (as talked about here: https://www.qubes-os.org/security/verifying-signatures/). End up with error message and not 'good signature' message as needed. Also tried putting Master Key, Release key and ISO file onto desktop and right clicked verified as seen in a youtube tutorial I saw.

  7. Repeated above steps with no different results, cried. Googled 'How to verify Qubes OS using GPGSuite/Mac OSX' which didn't reveal much else than what I have already looked at. cried some more. Saw that there is lots of tutorials on how to install Qubes OS but all seem to gloss over the verifying part.

Is there anyone that can help me???? Have I missed some important step out? Is there a tutorial for this somewhere that I somehow missed in my googling? Did I actually do it right but the Qubes OS download i have is dodgy? Please help :-)

  1. Support Staff 1 Posted by Steve on 21 Jul, 2017 06:23 PM

    Steve's Avatar

    Hi imassagenorfolk,

    welcome to the GPGTools support platform. Sorry you are having problems using GPG Suite.

    You need to download the signed file (which you did) + the signature. To download the signature, visit https://www.qubes-os.org/downloads/ and right click the Signature button. Then select save target as... (or sth similar, that's a loose translation from german firefox UI) and save it to your downloads folder. The resulting file should be called Qubes-R3.2-x86_64.iso.asc.

    Make sure to import both keys from qubes into GPG Keychain.

    Then again via right-click > services try to verify using GPGServices.

    Let me know if this worked as expected now.

    Kind regards,
    steve

  2. Support Staff 2 Posted by Steve on 18 Aug, 2017 01:11 PM

    Steve's Avatar

    Closing, since no further user feedback was received. Should your problem persist, feel free to re-open this discussion any time.

    All the best, steve

  3. Steve closed this discussion on 18 Aug, 2017 01:11 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac