Signing Keys

This page lists keys that are relevant to me and, when available, evidence that the fingerprints are accurate.

¶ Qubes Master Signing Key (QMSK)

427F11FD0FAA4B080123F01CDDFA1A3E36879494

This key is used to certify other keys used by the QubesOS project.

This was repeated identically in the following locations:

• GitHub-controlled sources

  • The key provided in my QubesOS installation
  • A recent Qubes Security Bulletin (QSB) I received through the RSS feed.

  • QubesOS documentation

    • A 2018 snapshot on the Wayback Machine matches

• This superuser Q&A

  • The text from this post was also displayed in video form, which would be more difficult to change automatically (though still possible).
  • Caveat: the person who asked the question never posted anything else, and the person who replied did not actually confirm the key, simply provided information about PGP in general. This is still a useful data point.

• This Reddit post, as well as the contained links

  • Similar to the superuser question, the initial poster has made few other posts. However, in this case the replier andrewdavidwong confirmed the key (through a link to a personal website which contained identical information). This user is an active member of the subreddit, has a pinned post, and the username matches the name of the person listed as the community manager on the Qubes OS website.

¶ QubesOS Code Signing

0064428F455451B3EBE78A7F063938BA42CFA724

This key is used to sign tags and/or commits that represent a specific release for a specific repository. In some cases, it is also used to sign intermediate commits.

It is certified by the Qubes Master Signing Key.

¶ Xen Signing Key

23E3222C145F4475FA8060A783FE14C957E82BD9

This key is used to sign tags that represent a specific Xen release. I have been unable to locate any useful evidence that this key is accurate. So it's "trust on first use" right now.

¶ Purism Signing Key

8735540225E98BDBC82491B41E9C3CA91AE25114

This key is used to sign commits in Purism's firmware release repository. I have been unable to locate any useful evidence that this key is accurate. So once again, "trust on first use".