This git repository is a central place for all security-related information about the Qubes OS Project. It includes the following:
- Qubes PGP keys (
keys/) - Qubes Security Bulletins (
QSBs/) - Qubes warrant canaries (
canaries/) - Qubes Bitcoin fund information (
fund/) - Qubes ISO digests (
digests/)
The files contained in this repository can be verified in two ways:
- By verifying the git commit tags (
git tag -v) - By verifying the detached PGP signatures, which are provided for the majority of files included here (e.g. individual QSBs, canaries, and other announcements)
All the keys used by the Qubes OS Project, including the keys used to sign files and commits in this repository, are signed by the Qubes Master Signing Key. Even though this key is also included in this repo, you should make sure to obtain the master key fingerprint via some other channel, as you can be sure that if you were getting a falsified Qubes Security Pack it would contain a falsified master key as well.
For more information about the Qubes Security Pack, including its history and rationale, and for detailed instructions for verifying its contents, please see its documentation page.