Revise READMEs, add self as witness, sign Joanna's key, and witness Qubes 3.2

README.md

@@ -1,53 +1,52 @@
-Public Database of Software Hashes
-===================================
+A Public Database of Software and Firmware Hashes
+=================================================
 
-# Problem with software authenticity
+## The problem of software authenticity
 
-We all use software. Everywhere. From our servers, to personal computers and our
+We all use software. Everywhere. From our servers, to our personal computers and
 phones (which are becoming extensions of our brains, BTW). From our Mars
-landers, to cars, to home routers, TVs, and even toasters. From medical MRIs, to
+landers to cars, home routers, TVs, and even toasters. From medical MRIs to
 pacemakers.
 
 Yet, curiously, the dramatic majority of software and firmware, especially open
 source software, can not be _authenticated_ in any meaningful way. By
 _authenticating_ we understand a process of establishing the authorship _and_
 integrity of the software.
 
-It's probably quite obvious what does _integrity_ mean? Integrity assurance
-guarantees that the software has not be tampered nor replaced anywhere between
-its author and its users.
+What does _integrity_ mean? Integrity guarantees that the software has not been
+tampered with or replaced anywhere between its author and its users.
 
 It might be less obvious that integrity does not imply trustworthiness,
-understood as security or non-harmfulness. Indeed, there is nothing that could
-stop an author from producing either incidentally buggy or intentionally harmful
+understood as security or non-harmfulness. Indeed, there is nothing that stops
+an author from producing either incidentally buggy or intentionally harmful
 software and properly signing it with his or her key.
 
 Moreover, there is nothing that stops others from generating their own keys,
 adding whatever description strings to the keys (e.g. "Linux Kernel signing
 key"), and using these keys to sign modified copies of the software. In order to
 protect against such attacks, the software author needs to somehow ensure that
-all the interested people could easily find out which key is the
-original signing key. This is typically achieved by publishing the keys in
+all the interested people can easily find out which key is the
+original signing key. This is typically achieved by publishing the key in
 various places, such as on twitter, keybase.io, etc.
 
 But what if the machine on which the author signs their software gets
 compromised? Of course the attacker could then sign modified copies of the
 software. More importantly, the attacker can _selectively_ feed backdoored
-software to only some of the users, to minimize chances of the attack discovery.
+software to only some users, to minimize chances of the attack being discovered.
 
 All the above scenarios are of concern when the original author has made an
 effort and actually attempted to sign their software. Yet, most of the software
 is offered without any kind of signature for verification.
 
-# Proposed solution
+## The proposed solution
 
 Ideally we would like to have a simple oracle that answers a simple question: is
 this software safe to install and run? Unfortunately, as briefly explained above
 it is not possible to provide any generic mechanism to answer such questions
 (even if the author employs some scheme for signing, not to mention if they
 don't).
 
-What we, as a community, could do, however, is to attempt to build a publicly
+What we, as a community, can do, however, is to attempt to build a publicly
 available database of software _hashes_. The database is a collection of
 statements from various witnesses of the following form:
 
@@ -84,7 +83,7 @@ The following command should be used to create the `hash` file:
     sha256 <file_to_hash> > hash
 
 
-# Example
+## Example
 
     codehash.db/
     ├── apps
@@ -127,54 +126,53 @@ The following command should be used to create the `hash` file:
         │   └── README.md
         └── README.md
 
-# FAQ
+## FAQ
 
-## How do you obtain the hashes that are in the repo?
+### How do you obtain the hashes that are in the repo?
 
 The steps are give in the corresponding `orign.{id}` files, where `{id}`
 identifies the witness (key) who checked the hash.
 
-## Why a git repo?
+### Why a git repo?
 
-A git repository can be trivially cloned, archived, and forked. It can also be
-easily hosted for free at a number of public services, such as GitHub.
+A git repository can easily be cloned, archived, and forked. It can also easily
+be hosted for free by a number of public services, such as GitHub.
 
 Additionally, it provides tracked history of changes and integrity (through
 signed tags and/or commits), which can be thought of as an additional security
 mechanism to the explicit GPG signatures we display.
 
-## Do you make any guarantees about the software included here?
+### Do you make any guarantees about the software included here?
 
-No, please see Disclaimers.
+No, please see the [Disclaimers](#disclaimers).
 
-## Do you assume we must trust GitHub (or any other hosting service)?
+### Do you assume we must trust GitHub (or any other hosting service)?
 
 No, you should always verify GPG digital signatures to check integrity of any
 information contained herein.
 
-##  Are you going to accept submission about hashes from anybody?
+### Do you accept submission from anyone?
 
-No, please see Disclaimers.
+No, please see the [Disclaimers](#disclaimers).
 
-## Can I fork this?
+### Can I fork this?
 
 Yes, please see the License section below.
 
-# License
+## License
 
 TODO
 
-# Disclaimers
+## Disclaimers
 
-1. The list of software contained in this repository should not be considered an
-   endorsement for using of any of the software by any of the witnesses who
-   signed their hashes.
+1. Nothing in this repository, including witness' signatures, constitutes an
+   endorsement for the creation, distribution, or use of any code or software.
 
 2. There is no guarantee that any of the code referenced in this repository is
-   not, were not, or will not become insecure, malicious, harmful, or otherwise
-   differing from what its vendors claims about it. The match of the hashes only
-   means that certain group of witnesses were exposed to the same code,
-   byte-by-byte, as you.
+   not, has not been, or will not become insecure, malicious, harmful, or
+   otherwise different from what its vendor claims about it. Hash verification
+   guarantees only that witnesses were exposed to the same code, byte-for-byte,
+   as you were.
 
 3. You can send a patch/pull request with hashes of non-included software, but
    please keep in mind this will likely be ignored, unless 1) I consider you a

os/qubes/3.2/hash.sig.adw

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJYJlvGAAoJENtN07w5UDAwxVUP/jFB6ChkxwV8+jEA2wuC4jyz
+RzkHTJo78P/HknguW2bRyCDeigFwDWMthX+j5I/bsbKOaNTZmuTLonxjnpfPEF6L
+SYFRhy5VhqmZbQfzbZlAiFcoJkr5uQyDdvmyogiy/0LeHT9yAckVS4ior49h0ATv
+bZiDV8vFPlDHrTlNOUXYzP3g18hecy3t2bY54OpwT8C0dV1sp7taaVAvVfej9L3E
+24XMEvCV66HB7Lroh+kZNgixvU2rD3m2wJoYChf69IyGnrGX85osAZl7E9jYvcUx
+M64h6QhtKNFcgvGrDZhbbO9csFlF3EfNlmmjHMz8BAE9v7oKv5DfdnJBKbMXj5Ty
+c23b1FK4RIJkqNsuzh/9NWBiKLLi+MaaKJETfaVWTSXxHj9lUwHZ+mmD2t8Y/UfG
+lV1+pA2LqqLfmQkwJgv+uPncCSFIidKVhopGOZbvOEsDsRfV8Gpq5HWnn+wvQiIq
+zaLV9DHBlvSOzSPKqIxwFzKOzjpts+BcFh3DdiEN4XlB45yTBHxdpnT3fenshd0b
+q1PmWBRA1toP21TXR/FstpDEKx+wfldk0JBA0vqnc9iP4emjXDIwkZejV6GWi2Wp
+t4oxmM3kPmF+9+fHXv/YWuudTFtIcjNCbk/JojzX0vAHDLrz5zGmKrj50Z0fxAtL
+IL1EfIN7P51OdFBYknQN
+=OrUo
+-----END PGP SIGNATURE-----

os/qubes/3.2/origin.adw

@@ -0,0 +1,28 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+Downloaded from: https://mirrors.kernel.org/qubes/iso/Qubes-R3.2-x86_64.iso
+
+Verified successfully with the Qubes Release 3 Signing Key, which is in turn
+signed by the Qubes Master Signing Key.
+
+In addition, the Qubes OS project provides signed hashes for each ISO:
+
+https://github.com/QubesOS/qubes-secpack/tree/master/digests
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJYJmAtAAoJENtN07w5UDAwAH4QALaFMgnh04d+SxMn8v6zIqNz
+D3JfUDFvt+iNMAKi7aj2Hm4wcLjOIKLm+pNMxY/Q38NtAp7gQ5p+LBJVXG8bWNen
+9RwQnyrx/yFmmfEq59ge5ZD5eHN160WcmFzY5ZYInZxIgnRgy6PGwCAtKWCQXfz5
+47rFqs9D+Ai5jnJ7Te6BLOfzfs+80L1k7aO2T2puGzwqPbydfIpgkMTOWcSO93h5
++/AWICL2V5UhyG5xY4zXxUnBKClUvzfhmaUOYyIdZxm9zQfvcSZ8wKO5FwYS3tW1
+UTvgr60QmRkMFT3hSsqub7s9o0mMS/tfwMlwha/Og3G6YhY9UadPWkHMNEEYHNtC
+du4UyA5LD2YMFbPMOpAh7yUzA/zBywbkFLqwPz0/+o8sgOlQKA1Kg0+IfzvhL2+W
+TPAX/daqbZMPlD+Xbf7tDsHGo4zWQhy0N/JmlTYNtBKRViTGlBaOYnB1z8cx+DAE
+QwmK2srSf07vO/znMz/jF6efyyRpfJ50gBTCqIybxNwhwg9vONU7ERQZxIZ51rgM
+A6CtcbJuZIWBsZ6/onJykx15DKqWucDwvgNszFzBs+vdC6o4GvCgRROpdF8qnF8X
+1VF8B2T5V/0AgHBcnXGrsKLR4sHKGaDOIhzJtHtL5hJiC2VdCP00+HzCpe2a+PnC
+ykvQzKOqdB9RtC8ONmHD
+=WlQb
+-----END PGP SIGNATURE-----

os/qubes/vendor_keys/origin.adw

@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+I have verified the Qubes Master Signing Key through countless channels over
+many years, and I have verified that each Release Signing Key is signed by the
+Qubes Master Signing Key.
+
+The Qubes Master Signing Key fingerprint is:
+
+427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
+
+In addition, I maintain the following signed record of fingerprints:
+
+https://andrewdavidwong.com/fingerprints.txt
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJYJl9DAAoJENtN07w5UDAwyioQAJ3CGJf+tzlINeTD0eBBhA+I
+la6du2HOjHqEtaB8N1jGVtdbRTjjYUtRibdsaKIDBQBD7WASv9OvLC1NTWddVMfr
+qZekRvKRXX4Kbra4/AR8mrBReS2U3A7rp47ELpYGPCmzMIJt8NIJHUWPO2IIkhwN
+PXE3Um0qpAPzxUMaCe1liJVNrmiNukWfbqpWoWIxGqX4JxsW/RVgcHT9+g8ruQQm
+I3EKNWmOUYSEKu0eQz/W22/iljHcdEkiSvFSvdMo6pGx71+qL6HPBjqXuISL026O
+ZoxEk8FGxFXM98mrCW6yZLlO0k/pZpZyoKT3rQD9sQUYjK+YMIxqIsrrW1x4VAqX
+hYzwevu3QIb3BdKVkfi73LBAd6V+fV4S2oSZ0DhhNeAi8PM9EDsxiF2hBaVjxbo8
+6f6PS7pz1MKgdjcTpkKuqOlTjEz8jY5ICux0dRc3RxTvLZBaT+QtzTIxSKLQxAJi
+NPM88CHqsEF+XsZXs/1OItcMZDcATb/VysgNQ87GQzACcyrDKP38JYkMY99+1Vex
++VKZV3s++82LpxIT8QDuTsRC+UjG7Uyb1889wS3fyXYkXkjY5xwiXHs92/9G8MHs
+x1AtQzSfuYOXBNSNk9Dg8e+c6bWSh0Z+pK+rhbIpZ2WHTgDR7TI1xVHDB/0sELGh
+AHX8Spxycy2vbzbz9NnI
+=zt2z
+-----END PGP SIGNATURE-----

os/qubes/vendor_keys/qubes-master-key.asc.sig.adw

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJYJl/HAAoJENtN07w5UDAwaV4QAKLZQ9BkIhOsgCoFVHHivaJ4
+fEUwNEYnpIRh+desa2GQgb6Dc50g3ULgvVgZPg2yKW4GxUHMk+1lpdbcit/rqQHj
+ebAxcMBAY+tU44+AQBnJf1G1bgperalZCZ3k/MEszdHWuGxMfhhCDPKxYZ1Mvr6S
+cpuVZBS2MT62qBB6lNGWZmqT/aHvjhjVeb9hdeKrSFi10tRMuMAXZUbxmmRpmR7X
+4OqJ24du/3226/uqQ6RJmQJWZpyW5GQMHMsxennBsiEvFfmbZHDatZtp8Xjlj6sV
+lSpRIIkVeDXgmo60IJca62V4Dm0MpgNYvcUR72GzctXNCN+vs2B01K8/5ykLwm7s
+Fq6f58AYOMRT8zlxlxBqlGPx9hQ3jKhIGtAnrO8Cs9kTk3KnKMkg/3X2PAAXFEJe
+HXgs+ydZ4cMF07h88aCoopNuUt7k2wZS5gGm+jP8VWL19DgL9vu1BmCodCw2PHgT
+zRHAck3w/BrXIG90m+JR4gRimRHXwFMk+PP0PqudeCpX51895yuo2IV9nwIzpnz5
+MGe7pEkOxbhFH4YAXbvlDeCj2jZZGOL2Twy0AR1sxeArGQ4qdWF24wm01wooMVCr
+8F+KhaTvFL4YUHSHxo1jyrBtPYgi05RwJ4FRw//CVEAZGHIgWpmi57Wv5tXZxc7X
+HPKN6ZniswmGrYETh3Hf
+=8meU
+-----END PGP SIGNATURE-----

witnesses/adw.md

@@ -0,0 +1,20 @@
+Andrew David Wong
+=================
+Community Manager, Qubes OS
+
+PGP key sources
+---------------
+* https://andrewdavidwong.com/adw.asc
+* https://keybase.io/adw/key.asc
+* https://github.com/andrewdavidwong/keys/blob/master/adw.asc
+
+PGP fingerprint locations
+-------------------------
+* https://andrewdavidwong.com/contact/
+* https://keybase.io/adw
+* https://github.com/andrewdavidwong
+* https://www.qubes-os.org/team/
+* https://forums.whonix.org/users/adw/
+* https://onename.com/adw
+* https://twitter.com/andrewdavidwong/status/583961424742854656
+* https://www.qubes-os.org/news/2016/04/29/community-manager/

witnesses/keys/README.md

@@ -4,4 +4,4 @@ List of keys used by witnesses
 Each key should be in a separate file named `<id>.key`.
 
 Other witnesses might sign the keys of the other witnesses if they so
-desire by creating a corresponding `key.{id}.{id_of_the_signer}`.
+desire by creating a corresponding `<id>.key.<id_of_the_signer>`.