On Sat, Dec 09, 2017 at 03:15:30PM -0300, Franz wrote: > On Sat, Dec 9, 2017 at 2:52 PM, Unman <[email protected]> wrote: > > > On Sat, Dec 09, 2017 at 02:37:49PM -0300, Franz wrote: > > > On Sat, Dec 9, 2017 at 1:35 PM, Chris Laprise <[email protected]> wrote: > > > > > > > On 12/09/2017 09:56 AM, Franz wrote: > > > > > > > >> I bought a larger SSD and want to reinstall 3.2, but gpg verification > > no > > > >> more works. > > > >> > > > >> I have a gpg VM where all this verificaion stuff is already installed > > and > > > >> worked for 3.1 and 3.2 in the past, so assumed it should work again > > for the > > > >> same task, but no. > > > >> > > > >> For the signature file of the iso, I pasted it into a file called > > > >> Qubes-R3.2-x86_64.iso.asc > > > >> > > > >> But I get: > > > >> > > > >> gpg -v --verify Qubes-R3.2-x86_64.iso.asc Qubes-R3.2-x86_64.iso > > > >> gpg: no valid OpenPGP data found. > > > >> gpg: the signature could not be verified. > > > >> > > > >> So I suspected it is because developer key lapse after one year and > > did: > > > >> |gpg --recv-keys 0xC52261BE0A823221D94CA1D1CB11CA1D03FA5082 | > > > >> |as instructed here https://www.qubes-os.org/secur > > > >> ity/verifying-signatures/ It actually imported one key, but > > verification > > > >> gives the same failed result. | > > > >> |Also tried to import the key associated to iso download [user@gpg > > > >> iso2]$ gpg --import qubes-release-3-signing-key\(1\).asc gpg: key > > > >> 03FA5082: "Qubes OS Release 3 Signing Key" not changed gpg: Total > > number > > > >> processed: 1 gpg: unchanged: 1 | > > > >> |Finally downloaded the iso again, but same result | > > > >> > > > > > > > > Maybe you pasted the key into the .asc file, instead of pasting the > > > > signature? > > > > > > > > > > > this one: > > > > > > Version: GnuPG v2 > > > > > > iQIcBAABCAAGBQJX4XLxAAoJEMsRyh0D+lCC738P/R35gthUmjr35NqF3foatmF/ > > > UIZ0ggKBXUqlMNaTdl4TosJsExuZw6/YDErgukupHAhPaV22WcBtz+6+ZL6VdmSz > > > /UpBOVxQ2SBFzj7DfVelpWOCp+wp09xf42fxqXvhpZQyj8plbgjJ1glbkd5uM6Dp > > > vDZJWYwxtTujqLxyX2WBSvBWgtpCrhCMYFZHbAHhICQ3iWxr6sPgQhXEh49FuRZU > > > Ksk9OZJmgrQ3ds5hO3HGuSQYUQKEuNlWbTN7dJJQHbPpvS6areaWCIKuIy6M2HwL > > > zP6TbTF+B3F1Se+AwhiSb4rKQgVecgd+lxXc+KqmfNQfIJf/2lK2KxqmWY5O9Idz > > > mtp1w0o8hnJlS6Axn3JAmmipNuCPUVg+a99KV4TL01xbAc35eUkCQi12IwDCiO8Q > > > m0CaFy0xbBImCb2qFt8MNk+qbcIxFI0kML0IwJ4axSdDIrMiLl96Rvso8vEcyuAg > > > CS3SjRxorbltjtb/5CmyMRdSpXzCJ4fY2U8vmqMijtKQCmCs6xJKsexsC/gNaXVO > > > ZoIsMwBwu1a/SThx1zUT4Iq0gyN1P0IxwKIrd2GT+ewBlwo3DfEMaPItYduVqGE2 > > > OGjcxx2J/F7Zn6DH2QSx6o1W25hUNjtRSsWv8udtOK602wjX9AjotRUl5LWriq/P > > > 8sabLZSQ2AWu4Gr1qXAy > > > =qkEl > > > > > > > > > > > > > If you think the .iso downloaded incorrectly, first thing to check is > > the > > > > exact number of bytes with 'ls -l' in case the download stopped > > prematurely. > > > > > > > > > > I downloaded it two times... > > > > > > [user@gpg iso2]$ ls -l > > > total 4147212 > > > -rw-r--r-- 1 user user 4246732800 Dec 9 00:07 Qubes-R3.2-x86_64.iso > > > -rw-rw-r-- 1 user user 761 Dec 9 10:26 Qubes-R3.2-x86_64.iso.asc > > > -rw-r--r-- 1 user user 2364 Dec 9 10:41 > > > 'qubes-release-3-signing-key(1).asc' > > > > > > > That's the right signature - try downloading rather than > > copying/pasting. > > > > Downloading? You do not know how many times I tried to find a link to > download a file... It is two days trying that. > > But if Unman tells to download it there should be a way. So tried "save > link as" and it actually download the file and it worked and verified the > iso correctly. > > Well but how it is that if I click on PGP key it actually downloades a > file, while if click on Signature it opens it? This make things > unnecessarily complex. Clicking on Signature should download a file as > well. Don'you you think so? > > > > Have you included the BEGIN/END lines? > > > > no, probably that was my error > > Anyway many thank Unman and Chris for being always willing to help > > Best > Fran
The reason for the different treatment is that your browser recognises the signature as plain text and displays it, but identifies the key as a detached signature (!!), which it offers to download - note that it is probably identified as text and you will be offered the option to open it in a text editor. Browser handling of different file types is quite interesting. In this case I suspect that the difference in Version numbers on the key and signature makes the difference. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20171209183859.v56nb7pof3xhrfzx%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
