On 01/25/2018 03:33 PM, Optimal Joy wrote:
Hi. New to Qubes, just downloading it, and wish to verify my image.
I have downloaded my images and keys. Also got the master signing key.
user Downloads # wget https://mirrors.kernel.org/qubes/iso/Qubes-R3.2-x86_64.iso &&
wget https://keys.qubes-os.org/keys/qubes-release-3-signing-key.asc && wget
I have these files now in my ~/Downloads directory:
-rw-r--r-- 1 elliot elliot 1.6K Jan 25 11:21 qubes-master-signing-key.asc
-rw-r--r-- 1 root root 819 Sep 20 2016 Qubes-R3.2-x86_64.iso.asc
-rw-r--r-- 1 root root 4.0G Sep 20 2016 Qubes-R3.2-x86_64.iso
-rw-r--r-- 1 root root 2.4K Nov 19 2014 qubes-release-3-signing-key.asc
I tried this command earlier to fetch the qubes-master key,
~/Downloads $ gpg2 --fetch-keys
gpg: requesting key from
gpg: WARNING: unable to fetch URI
https://keys.qubes-os.org/keys/qubes-master-signing-key.asc: General error
Since it wasn't working, I manually downloaded the file from the Qubes site,
however I am afraid that I only have the file, but have not imported the public
When trying to verify the iso, I get the following error:
Downloads # gpg2 --verify Qubes-R3.2-x86_64.iso.asc Qubes-R3.2-x86_64.iso
gpg: Signature made Tue 20 Sep 2016 10:33:37 AM PDT using RSA key ID 03FA5082
gpg: Can't check signature: No public key
How can I download/get my Public Key manually? Or what could be wrong with my
If you have the key files on disk, use --import:
$ gpg2 --import qubes-master-signing-key.asc
$ gpg2 --import qubes-release-3-signing-key.asc
Then use --edit-key to set trust level to 4 on master key:
$ gpg2 --edit-key 36879494
Then check that master<>release signatures are valid:
$ gpg2 --check-sigs
You'll see the release key as "uid ... Qubes OS Release 3 Signing Key"
and directly underneath a line like:
"sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key"
After all of this, the thing that validates the Signing key is "sig!".
It shows the Release key has been signed by the Master key and "!" means
the signature is valid.
At this point, if you have taken care to verify the Master key by
retrieving it or viewing its fingerprint through other channels, then
your keys are all set. (Some people skip most of this and only import
the Singing key and verify its fingerprint, but I digress.)
You can now do the --verify step.
Chris Laprise, tas...@posteo.net
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
You received this message because you are subscribed to the Google Groups
To unsubscribe from this group and stop receiving emails from it, send an email
To post to this group, send email to email@example.com.
To view this discussion on the web visit
For more options, visit https://groups.google.com/d/optout.