Include various Qubes GPG keys in the distribution, not just the Qubes Master Signing Key

QubesOS / qubes-issues

The Qubes OS Project issue tracker

https://www.qubes-os.org/doc/issue-tracking/

541 stars 48 forks source link

Include various Qubes GPG keys in the distribution, not just the Qubes Master Signing Key #4292

Open DemiMarie opened 6 years ago

DemiMarie commented 6 years ago

Qubes OS version:

R4.0

Affected component(s):

All templates

Steps to reproduce the behavior:

Look for the Qubes GPG keys in the distribution

Expected behavior:

Many keys are found, which reduces the need to import keys (GPG cannot check a signature on a key without importing it).

Actual behavior:

Only the Qubes Master Signing Key is found

General notes:

Related issues:

andrewdavidwong commented 6 years ago

Which other keys do you think should be included, and for what purposes?

adrelanos commented 6 years ago

Look for the Qubes GPG keys in the distribution

You mean sudo apt-key fingerprint or user's gpg --fingerprint?

DemiMarie commented 6 years ago

@andrewdavidwong Specifically, the signing key for the ISOs. This is to prevent someone who is reinstalling from having to import keys (GPG requires that a key be imported before its signatures can be checked).

marmarek commented 6 years ago

Keys are already shipped in /etc/pki/rpm-gpg. It may be a good idea to copy them also to some more obvious location.
I think we should not import any keys to user's keyring by default and definitely not set owner trust on any of them by default. User's gpg keyring is what user set, for specific purpose in that system (be it email VM, code signing VM or else).

andrewdavidwong commented 5 years ago

Documented in Verifying Signatures. Related issue: #2544.