Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Include various Qubes GPG keys in the distribution, not just the Qubes Master Signing Key #4292

Open
DemiMarie opened this issue Sep 9, 2018 · 5 comments
Open

Include various Qubes GPG keys in the distribution, not just the Qubes Master Signing Key #4292

DemiMarie opened this issue Sep 9, 2018 · 5 comments
Labels
C: other P: minor Priority: minor. The lowest priority, below "default." T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.

Comments

@DemiMarie
Copy link

Qubes OS version:

R4.0

Affected component(s):

All templates

Steps to reproduce the behavior:

Look for the Qubes GPG keys in the distribution

Expected behavior:

Many keys are found, which reduces the need to import keys (GPG cannot check a signature on a key without importing it).

Actual behavior:

Only the Qubes Master Signing Key is found

General notes:

Related issues:
@andrewdavidwong andrewdavidwong added T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. C: other P: minor Priority: minor. The lowest priority, below "default." labels Sep 9, 2018
@andrewdavidwong andrewdavidwong added this to the Far in the future milestone Sep 9, 2018
@andrewdavidwong
Copy link
Member

Which other keys do you think should be included, and for what purposes?

@adrelanos
Copy link
Member

Look for the Qubes GPG keys in the distribution

You mean sudo apt-key fingerprint or user's gpg --fingerprint?

@DemiMarie
Copy link
Author

@andrewdavidwong Specifically, the signing key for the ISOs. This is to prevent someone who is reinstalling from having to import keys (GPG requires that a key be imported before its signatures can be checked).

@marmarek
Copy link
Member

  1. Keys are already shipped in /etc/pki/rpm-gpg. It may be a good idea to copy them also to some more obvious location.
  2. I think we should not import any keys to user's keyring by default and definitely not set owner trust on any of them by default. User's gpg keyring is what user set, for specific purpose in that system (be it email VM, code signing VM or else).

andrewdavidwong pushed a commit to QubesOS/qubes-doc that referenced this issue Aug 18, 2019
Point out that release keys are included in Qubes installations
a93b019 
QubesOS/qubes-issues#4292
@andrewdavidwong andrewdavidwong mentioned this issue Aug 18, 2019
Open
@andrewdavidwong
Copy link
Member

Documented in Verifying Signatures. Related issue: #2544.

@andrewdavidwong andrewdavidwong removed this from the Release TBD milestone Aug 13, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C: other P: minor Priority: minor. The lowest priority, below "default." T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@marmarek @adrelanos @DemiMarie @andrewdavidwong