freedomofpress / securedrop-workstation-docs

User documentation for the SecureDrop Workstation
https://workstation.securedrop.org/
GNU Affero General Public License v3.0

Check ISO matches .DIGESTS #239

Closed deeplow closed 3 months ago

deeplow commented 3 months ago

Adds a step to confirm that the ISO matches the DIGESTS. Assuming the user didn't follow the Qubes OS verification link, under the previous scenario, a compromised ISO could still be malicious, even if the DIGESTS do match.

deeplow commented 3 months ago

I had missed this in my review of https://github.com/freedomofpress/securedrop-workstation-docs/pull/228. I think it is safe to assume that the previous instruction only pointed to the Qubes ISO verification instructions and the "latest" branch 404s.