On 01/25/2018 03:33 PM, Optimal Joy wrote:
Hi. New to Qubes, just downloading it, and wish to verify my image.
I have downloaded my images and keys. Also got the master signing key.

user Downloads # wget https://mirrors.kernel.org/qubes/iso/Qubes-R3.2-x86_64.iso && 
wget https://keys.qubes-os.org/keys/qubes-release-3-signing-key.asc && wget 

I have these files now in my ~/Downloads directory:

-rw-r--r--  1 elliot elliot 1.6K Jan 25 11:21 qubes-master-signing-key.asc
-rw-r--r--  1 root   root    819 Sep 20  2016 Qubes-R3.2-x86_64.iso.asc
-rw-r--r--  1 root   root   4.0G Sep 20  2016 Qubes-R3.2-x86_64.iso
-rw-r--r--  1 root   root   2.4K Nov 19  2014 qubes-release-3-signing-key.asc

I tried this command earlier to fetch the qubes-master key,
~/Downloads $ gpg2 --fetch-keys 
gpg: requesting key from 
gpg: WARNING: unable to fetch URI 
https://keys.qubes-os.org/keys/qubes-master-signing-key.asc: General error

Since it wasn't working, I manually downloaded the file from the Qubes site, 
however I am afraid that I only have the file, but have not imported the public 

When trying to verify the iso, I get the following error:

Downloads # gpg2 --verify Qubes-R3.2-x86_64.iso.asc Qubes-R3.2-x86_64.iso
gpg: Signature made Tue 20 Sep 2016 10:33:37 AM PDT using RSA key ID 03FA5082
gpg: Can't check signature: No public key

How can I download/get my Public Key manually? Or what could be wrong with my 

Help, thanks!

If you have the key files on disk, use --import:
$ gpg2 --import qubes-master-signing-key.asc
$ gpg2 --import qubes-release-3-signing-key.asc

Then use --edit-key to set trust level to 4 on master key:
$ gpg2 --edit-key 36879494
gpg> trust
gpg> save

Then check that master<>release signatures are valid:
$ gpg2 --check-sigs

You'll see the release key as "uid ... Qubes OS Release 3 Signing Key"
and directly underneath a line like:
"sig!         DDFA1A3E36879494 2017-03-08  Qubes Master Signing Key"

After all of this, the thing that validates the Signing key is "sig!". It shows the Release key has been signed by the Master key and "!" means the signature is valid.

At this point, if you have taken care to verify the Master key by retrieving it or viewing its fingerprint through other channels, then your keys are all set. (Some people skip most of this and only import the Singing key and verify its fingerprint, but I digress.)

You can now do the --verify step.


Chris Laprise, tas...@posteo.net
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to