Skip to content

Commit

Permalink
fix: inform how to verify the maintainer's key
Browse files Browse the repository at this point in the history 
For: #37
  • Loading branch information
@ben-grande
ben-grande committed Mar 23, 2024
1 parent fcc155f commit cc2d547
Showing 1 changed file with 25 additions and 4 deletions.
29 changes: 25 additions & 4 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,9 @@ You current setup needs to fulfill the following requisites:
If you made a fork, fork the submodule(s) before clone and use your remote
repository instead, the submodules will also be from your fork.

3. Copy the [maintainer's signing key](https://github.com/ben-grande/ben-grande/raw/main/DF3834875B65758713D93E91A475969DE4E371E3.asc)
to your text editor and save the file to `/home/user/ben-code.asc`.

### Dom0 Installation

Before copying anything to Dom0, read [Qubes OS warning about consequences of
Expand All @@ -91,15 +94,33 @@ this procedure](https://www.qubes-os.org/doc/how-to-copy-from-dom0/#copying-to-d
"${qube}" /usr/lib/qubes/qfile-agent "${file}"
```

2. Acquire the maintainer signing key by other means and copy it to Dom0.

3. Verify the [commit or tag signature](https://www.qubes-os.org/security/verifying-signatures/#how-to-verify-signatures-on-git-repository-tags-and-commits) and expect a good signature, be surprised otherwise:
2. Pass the maintainer's key from the qube to Dom0:
```sh
qvm-run --pass-io "${qube}" -- "cat /home/user/ben-code.asc" | tee /tmp/ben-code.asc
```

3. Verify that the key fingerprint matches
`DF38 3487 5B65 7587 13D9 2E91 A475 969D E4E3 71E3`. You can use
Sequoia-PGP or GnuPG for the fingerprint verification:
```sh
gpg --show-keys /tmp/ben-code.asc
# or
#sq inspect ben-code.asc
```

4. Import the verified key to your keyring:
```sh
gpg --import /tmp/ben-code.asc
```

5. Verify the [commit or tag signature](https://www.qubes-os.org/security/verifying-signatures/#how-to-verify-signatures-on-git-repository-tags-and-commits)
and expect a good signature, be surprised otherwise:
```sh
git verify-commit HEAD
git submodule foreach git verify-commit HEAD
```

4. Copy the project to the Salt directories:
6. Copy the project to the Salt directories:
```sh
~/QubesIncoming/"${qube}"/qusal/scripts/setup.sh
```
Expand Down

0 comments on commit cc2d547

Please sign in to comment.