On Fri, Sep 16, 2016 at 11:41:30AM +0000, amadaus wrote:
> I have downloaded Qubes R3.2-rc3 iso and in the course of verifying
> signatures received the following output:
> [user@rubbish ~]$ gpg -v --verify '/home/user/Downloads/Qubes-R3.2-rc3-x86_64.iso.asc' '/home/user/Downloads/Qubes-R3.2-rc3-x86_64.iso'
> gpg: armor header: Version: GnuPG v2
> gpg: Signature made Wed 31 Aug 2016 01:08:18 PM BST using RSA key ID 03FA5082
> gpg: using PGP trust model
> gpg: Good signature from "Qubes OS Release 3 Signing Key"
> gpg: binary signature, digest algorithm SHA256
> [user@rubbish ~]$ gpg --list-sig 03FA5082
> pub   4096R/03FA5082 2014-11-19
> uid                  Qubes OS Release 3 Signing Key
> sig          36879494 2014-11-19  Qubes Master Signing Key
> sig 3        E2986940 2016-01-04  [User ID not found]
> sig 3        03FA5082 2014-11-19  Qubes OS Release 3 Signing Key
> 
> As you can see signature E2986940 is unknown. I imported this key, it
> belongs to "Kabine Diane <kabi...@me.com>"
> This seems very suspicious. Should I delete the iso and try a fresh
> download?

Anyone can sign anyone's key and upload it to the keyservers. The presence
of an unknown signature on a key doesn't invalidate it in any way. As
long as there is a signature you do trust (DDFA1A3E36879494), the key is
valid.

Regards,
-- 
Konstantin Ryabitsev
Linux Foundation Collab Projects
Montréal, Québec
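
Added example, not part of the original message: a shell check that applies the rule from the reply to `gpg --with-colons --check-sigs` output, accepting a key only when a signature from the key ID you trust verified as good and ignoring signatures gpg could not check. It assumes the trusted key is already in your keyring and was verified by fingerprint; the function names are hypothetical, and the zero-padded long key IDs and timestamps in the sample are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample in GnuPG colon format. On sig records: field 2 is the
# check result ('!' good, '-' bad, '?' signer key not in keyring), field 5 is
# the signer's long key ID. Only DDFA1A3E36879494 comes from the thread.
sample_listing() {
cat <<'EOF'
pub:-:4096:1:0000000003FA5082:1416355200:::-:::scESC:
uid:-::::1416355200::::Qubes OS Release 3 Signing Key:
sig:!::1:DDFA1A3E36879494:1416355200::::Qubes Master Signing Key:10x:
sig:?::1:00000000E2986940:1451865600::::[User ID not found]:13x:
sig:!::1:0000000003FA5082:1416355200::::Qubes OS Release 3 Signing Key:13x:
EOF
}

# Succeeds only if the trusted key ($1) made a signature that verified ('!').
# The key's own self-signature never counts: it proves nothing about origin.
certified_by() {
    awk -F: -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 == "pub" { self = toupper($5) }
        $1 == "sig" && $2 == "!" && toupper($5) == want && want != self { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Prints signer key IDs gpg could not check; these neither add nor remove trust.
unchecked_signers() {
    awk -F: '$1 == "sig" && $2 == "?" { print $5 }'
}

# Real use: gpg --with-colons --check-sigs 03FA5082 | certified_by DDFA1A3E36879494
if sample_listing | certified_by DDFA1A3E36879494; then
    echo "valid: certified by the trusted key"
    echo "ignored unknown signers: $(sample_listing | unchecked_signers)"
else
    echo "NOT certified by the trusted key" >&2
fi
```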
