When I follow the guide on https://www.qubes-os.org/security/verifying-signatures/ I get the following result ``` [vagrant@fedora ~]$ gpg2 --check-signatures "Qubes Master Signing Key" pub rsa4096 2010-04-01 [SC] 427F11FD0FAA4B080123F01CDDFA1A3E36879494 uid [ultimate] Qubes Master Signing Key sig!3 DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
gpg: 1 good signature [vagrant@fedora ~]$ gpg2 --check-signatures "Qubes OS Release 4 Signing Key" pub rsa4096 2017-03-06 [SC] 5817A43B283DE5A9181A522E1848792F9E2795E9 uid [ unknown] Qubes OS Release 4 Signing Key sig!3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key gpg: Note: third-party key signatures using the SHA1 algorithm are rejected gpg: (use option "--allow-weak-key-signatures" to override) sig% DDFA1A3E36879494 2017-03-08 [Invalid digest algorithm] gpg: 1 good signature gpg: 1 signature not checked due to an error ``` Is it because the master key is old and the old defaults are now considering too weak? If so, why not distribute a new one? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5a43c954-21a7-4aaf-8589-218dc1f911acn%40googlegroups.com.