On Fri, Sep 16, 2016 at 11:41:30AM +0000, amadaus wrote:
> I have downloaded Qubes R3.2-rc3 iso and in the course of verifying
> signatures received the following output:
> [user@rubbish ~]$ gpg -v --verify
> '/home/user/Downloads/Qubes-R3.2-rc3-x86_64.iso.asc'
> '/home/user/Downloads/Qubes-R3.2-rc3-x86_64.iso'
> gpg: armor header: Version: GnuPG v2
> gpg: Signature made Wed 31 Aug 2016 01:08:18 PM BST using RSA key ID
> 03FA5082
> gpg: using PGP trust model
> gpg: Good signature from "Qubes OS Release 3 Signing Key"
> gpg: binary signature, digest algorithm SHA256
> [user@rubbish ~]$ gpg --list-sig 03FA5082
> pub   4096R/03FA5082 2014-11-19
> uid                  Qubes OS Release 3 Signing Key
> sig          36879494 2014-11-19  Qubes Master Signing Key
> sig 3        E2986940 2016-01-04  [User ID not found]
> sig 3        03FA5082 2014-11-19  Qubes OS Release 3 Signing Key
> As you can see signature E2986940 is unknown. I imported this key, it
> belongs to "Kabine Diane <kabi...@me.com>"
> This seems very suspicious. Should I delete the iso and try a fresh
> download?

Anyone can sign anyone's key and upload it to the keyservers. A presence
of an unknown signature on a key doesn't invalidate it in any way. As
long as there is a signature you do trust (DDFA1A3E36879494), the key is

Konstantin Ryabitsev
Linux Foundation Collab Projects
Montréal, Québec

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Attachment: signature.asc
Description: PGP signature

Reply via email to