When I follow the guide 
on https://www.qubes-os.org/security/verifying-signatures/
I get the following result
[vagrant@fedora ~]$ gpg2 --check-signatures "Qubes Master Signing Key"
pub   rsa4096 2010-04-01 [SC]
uid           [ultimate] Qubes Master Signing Key
sig!3        DDFA1A3E36879494 2010-04-01  Qubes Master Signing Key

gpg: 1 good signature
[vagrant@fedora ~]$ gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
pub   rsa4096 2017-03-06 [SC]
uid           [ unknown] Qubes OS Release 4 Signing Key
sig!3        1848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key
gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
gpg: (use option "--allow-weak-key-signatures" to override)
sig%         DDFA1A3E36879494 2017-03-08  [Invalid digest algorithm] 

gpg: 1 good signature
gpg: 1 signature not checked due to an error

Is it because the master key is old and the old defaults are now 
considering too weak?
If so, why not distribute a new one?

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 

Reply via email to