Hash: SHA512

I’m pleased to announce that I’ve joined the Qubes team in a part-time role as Community Manager. I consider it an honor to have the opportunity to work with such a talented team of individuals and to serve such a dynamic community. As the Community Manager, I’ll primarily be responsible for things like handling user feedback, organizing bug reports, tracking community-developed features, and facilitating community contributions to the codebase. (As with any small project, however, we all wear many hats, so if there’s ever anything Qubes-related I can help you with, please let me know.)

I’ve been active in the Qubes community for several years now under the pseudonym “Axon,” primarily writing documentation and helping to maintain the Qubes website in my spare time as a volunteer (which I plan to continue doing alongside my new role). In joining the Qubes team more officially, however, I’ve decided to retire my pseudonym and to begin using my real identity. I consider myself fortunate to be in a position to make this choice. For me, the decision to use a pseudonym was based primarily on considerations of personal privacy. For many other people around the world, however, pseudonymous and anonymous communication is a matter of life and death. This is one reason that I believe Qubes OS – and especially its partnership with Whonix – is so important: it allows for the secure compartmentalization of these various contextual identities (along with all the other areas of one’s digital life) in ways which would not otherwise be possible. More importantly, however, it freely puts this control in the hands of individual users.

Admittedly, it currently takes a certain kind of user – one who is sufficiently self-motivated and willing to learn – to make full use of Qubes OS. This is something we’re continually working on. By working to make Qubes accessible to a wider user base, we aim to make strong endpoint security available to everyone, regardless of their level of technical expertise. As computers continue to become increasingly integrated with our lives (and our bodies), the importance of secure computing increases proportionately for all of us.

Identity Verification

If you’d like to verify my identity, I’d be happy to help. There are three PGP keys you may wish to authenticate:

              Key                                     Fingerprint                   
===============================   ==================================================
Andrew David Wong (primary)       BBAF 910D 1BC9 DDF4 1043  629F BC21 1FCE E9C5 4C53
Axon (retired pseudonym)          746A B6DE 2A02 B5A5 DCBD  3F32 A4EC AE9C 8E97 231E
Qubes Documentation Signing Key   E11D 15C6 D204 3576 9FFA  A456 8CE1 3735 2A01 9A17

You can fetch these keys from my website:

$ gpg --fetch \
https://andrewdavidwong.com/adw.asc \
https://andrewdavidwong.com/axon.asc \

Or import them from my keys repo:

$ git clone git://github.com/andrewdavidwong/keys
$ gpg --import keys/*

Or retrieve them from a public key server:

$ gpg --recv \
0xBBAF910D1BC9DDF41043629FBC211FCEE9C54C53 \
0x746AB6DE2A02B5A5DCBD3F32A4ECAE9C8E97231E \

Once you have all three keys, you can check that they’ve all been level-3 certified by one another:

$ gpg --check-sigs \
0xBBAF910D1BC9DDF41043629FBC211FCEE9C54C53 \
0x746AB6DE2A02B5A5DCBD3F32A4ECAE9C8E97231E \

Then, you can verify that this post itself has been signed by all three keys. There are several ways to do this. Since this post is a clearsigned message block, the most obvious way is simply to copy it directly from your browser. Start by telling GPG that you’d like to verify something:

$ gpg --verify

Next, copy the signed message block from this page to your clipboard. (Extraneous text is fine, so you can simply press ctrl + A to select all the text on this page, followed by ctrl + C.) Then, simply paste it into your terminal emulator and press ctrl + D. GPG will proceed to verify the signatures.

Alternatively, you may prefer a clearsigned, plain text version of this post. (Perhaps your browser has rendered the text differently, invalidating the signature, or you simply don’t want to bother with all that copying and pasting.) After downloading and reviewing the file, you can verify it like so:

$ gpg --verify _2016-04-29-community-manager.asc

Or download and verify in a single command:

$ curl https://raw.githubusercontent.com/QubesOS/qubes-posts/master/_2016-04-29-community-manager.asc | gpg --verify

Another alternative is to verify the original source file of this post against its detached signature. You can download each file, then verify:

$ gpg --verify _2016-04-29-community-manager.md.sig 2016-04-29-community-manager.md

Or, if you’re feeling adventurous, do it all in a single command:

$ gpg --verify \
<(curl https://raw.githubusercontent.com/QubesOS/qubes-posts/master/_2016-04-29-community-manager.md.sig) \
<(curl https://raw.githubusercontent.com/QubesOS/qubes-posts/master/2016-04-29-community-manager.md)

Then, you can verify the three tags on the commit for this post – each one singed by its respective key:

$ git clone git://github.com/QubesOS/qubes-posts.git
$ cd qubes-posts/
$ git verify-tag adw
$ git verify-tag axon
$ git verify-tag qubes-doc-adw

Finally, you can verify my Qubes Documentation Signing Key signature on the commit itself:

$ git verify-commit `git rev-list -n 1 adw`

With any luck, you’re now convinced that all three keys belong to the same person and that this person is the author of the words you’re reading. For other objects signed by these keys, feel free to check out my signed commits to the Qubes website and documentation repos, my signed emails to the mailing lists, and the proofs available from my Keybase profile.

You’re also welcome to contact me privately (e.g., to request key authentication through alternative channels). For personal correspondence, adw@andrewdavidwong.com functions as both an email address and an XMPP address. My OTR key fingerprint is:

1A5F4647 4CEEA362 4F740943 D4F40D4F CC1116CB

Please direct all Qubes-specific correspondence to adw@qubes-os.org.

Finally, please note that since I’m no longer using the “Axon” pseudonym, I’ll begin using my primary key (0xBC211FCEE9C54C53) instead of the Axon key (0xA4ECAE9C8E97231E) for everything except Qubes documentation signing. I intend to allow the latter’s active subkeys to expire without renewal on 2016-10-03.

Thanks for reading!