Verify If Qubes' Release Signing Key Is Signed By Master Signing Key On Windows?

Hello, I am completely new to GnuPG and, according to Qubes’ website, I must verify that my download of the release key is signed by the Qubes Master key. I don’t know how to do that on Windows. Here are the comparisons: https://anonfile.com/s6yfg7uanf/Capture_PNG, https://anonfile.com/naz3gbu8nf/Capture_PNG. Please help me!

Hi,

I can only help with Kleopatra, so please install that. It’s simpler because it allows you to just double click a .sig file.

Then download the Qubes OS iso and the .sig file. Double click the sig; it will show you a signature of unknown trust. That is normal, because GnuPG by itself does not know if it can trust the key that made the signature. It will also show you the fingerprint. Compare that with the one shown on the website.

That is the most basic way.

Regards,
Andre

Hello. I have Kleopatra, but I don’t understand. According to the documentation, I’m not meant to install and verify the Qubes ISO until after I have verified my Release Signing Key (https://www.qubes-os.org/security/verifying-signatures/).
Also, somehow I got the trust level as full without doing anything, even though its trust level on GNU Privacy Assistant is ‘Unknown’: https://anonfile.com/v3seodu5n3/Capture_PNG, https://anonfile.com/Mbt8ocu3n4/Capture_PNG.
Furthermore, the website doesn’t say anything about a fingerprint, so how can I compare it? (https://anonfile.com/iet1o9u8n9/Capture_PNG) It said there should be a line saying it was signed by the Master Key (but I guess that’s for Linux).

Someone else take over please. It’s too much for me to unpack. Just install it. You have done your due diligence, and if you downloaded it over HTTPS, which I assume, you are very secure anyway.

Maybe you can tackle one issue a day? You don’t have to do it all at once.

I’m sorry, but your instructions kind of conflict with the documentation, which is suspicious and thus I can’t install it immediately. I hope you understand.

Never mind about my other reply to this post. From this part of the Gpg4win Compendium (https://anonfile.com/Pca6x5ucn0/2Capture_PNG), I’m going to assume that all you need to do to check the signature is apply ‘Decrypt/Verify’ on the key. Unfortunately, when I click on it, it says it ‘contains certificates and cannot be decrypted or verified’ (https://anonfile.com/56i7xbubn6/Capture_PNG). Just help me with this, and I’ll finally be done with stage 2.

NEVER MIND, I DID IT! TURNS OUT YOU CAN USE WINDOWS POWERSHELL TO VERIFY! THANK YOU LINUX MINT TUTORIAL! https://forums.linuxmint.com/viewtopic.php?f=42&t=291093 (And thank God I didn’t install it to my computer, it failed the integrity check.)
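
The check the thread is asking about, written out for PowerShell as an added example (not part of any post above and not taken from the Qubes documentation). It assumes `gpg` from Gpg4win is on the PATH; the two file names and the expected fingerprint are placeholders that you fill in yourself, with the fingerprint obtained from several independent sources.

```powershell
# Added example. File names and the expected fingerprint are placeholders (assumptions).
param(
    [string]$MasterKeyFile     = '.\master-signing-key.asc',
    [string]$ReleaseKeyFile    = '.\release-signing-key.asc',
    [string]$ExpectedMasterFpr = '<MASTER KEY FINGERPRINT OBTAINED OUT OF BAND>'
)

function Get-PrimaryFingerprint([string]$KeyFile) {
    # --show-keys lists the keys in a file without importing them.
    # In --with-colons output the first "fpr" record belongs to the primary
    # key; field 10 of that record is the full fingerprint.
    $lines = & gpg --batch --with-colons --show-keys $KeyFile
    if ($LASTEXITCODE -ne 0) { throw "gpg could not read $KeyFile" }
    $fpr = $lines | Where-Object { $_ -like 'fpr:*' } | Select-Object -First 1
    if (-not $fpr) { throw "No key found in $KeyFile" }
    return ($fpr -split ':')[9]
}

# 1. The master key is the trust anchor: compare its fingerprint with the
#    value you collected yourself before importing anything.
$want      = ($ExpectedMasterFpr -replace '\s', '').ToUpper()
$masterFpr = Get-PrimaryFingerprint $MasterKeyFile
if ($masterFpr -ne $want) {
    throw "Master key fingerprint mismatch: file has $masterFpr"
}

# 2. Import both keys so gpg can check signatures made on the release key.
$releaseFpr = Get-PrimaryFingerprint $ReleaseKeyFile
& gpg --batch --import $MasterKeyFile $ReleaseKeyFile
if ($LASTEXITCODE -ne 0) { throw 'gpg --import failed' }

# 3. List the signatures on the release key. In a "sig" record, field 2
#    starts with "!" when the signature verified and field 5 is the
#    signer's 64-bit key ID (the last 16 hex digits of its fingerprint).
$masterKeyId = $masterFpr.Substring($masterFpr.Length - 16)
$good = & gpg --batch --with-colons --check-signatures $releaseFpr |
    Where-Object { $_ -like 'sig:*' } |
    Where-Object { $f = $_ -split ':'; $f[1].StartsWith('!') -and $f[4] -eq $masterKeyId }

if ($good) {
    "OK: release key $releaseFpr carries a good signature from master key $masterFpr"
} else {
    throw "Release key $releaseFpr has NO good signature from master key $masterFpr"
}
```

Only after this passes does `gpg --verify` on the ISO's signature file tell you anything, because a "good signature" from a release key you have not tied to the master key proves nothing about who made it.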