{{Box|text= [[Secure_Downloads|Securely download]] the key. {{Box|text= '''If''' you are using {{project_name_workstation_long}} ({{project_name_workstation_vm}}), run. {{CodeSelect|code= {{{download_command}}} }} '''If''' you are using a Qubes Template ({{project_name_workstation_template}}), run. Using Qubes UpdatesProxy (http://127.0.0.1:8082/) because Qubes Templates are non-networked by Qubes default and therefore require UpdatesProxy for connectivity. (APT in Qubes Templates is configured to use UpdatesProxy by Qubes default.) Even more secure would be to download the key [[Qubes/Disposables|Disposable]] and then [https://www.qubes-os.org/doc/how-to-copy-and-move-files/ qvm-copy] it to the Qubes Template because this would avoid curl's attack surface but this would also result in even more complicated instructions. {{CodeSelect|code= {{{download_command_qubes_templatevm}}} }} }} Display the key's fingerprint. Even more secure would be to display the key in another Disposable because this would protect the Template from curl's and gpg's attack surface but this would also result in even more complicated instructions. {{CodeSelect|code= gpg --keyid-format long --import --import-options show-only --with-fingerprint {{{source_filename}}} }} Verify the output. {{always_verify_signatures_reminder}} The most important check is confirming the key fingerprint exactly matches the output below. Minor changes in the output such as new uids (email addresses) or newer expiration dates are inconsequential.
{{{gpg_fingerprint}}}
{{mbox | image = [[File:Ambox_warning_pn.svg.png|40px]] | text = '''Warning:''' Do not continue if the fingerprint does not match -- this risks using infected or erroneous files! The whole point of verification is to confirm file integrity. }} Copy the signing key to the APT keyring folder. https://forums.whonix.org/t/apt-repository-signing-keys-per-apt-sources-list-signed-by/12302 {{CodeSelect|code= sudo cp {{{source_filename}}} {{{target_filename}}} }} }}