On 2/16/24 12:38 PM, Allen Schultz wrote: > Hi, > > I''m trying to verify the key I downloaded from the Qubes Download page > <https://www.qubes-os.org/downloads/>. According to the documentation on > the Verfying Signatures > <https://www.qubes-os.org/security/verifying-signatures/>, it looks like > there may be a discrepancy between the two. > > The site says the key is: > > 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494 > and I have the following: > > ~ which gpg > /usr/bin/gpg > ~ ls -al /usr/bin/gpg > -rwxr-xr-x 1 root root 1151616 Nov 28 14:24 /usr/bin/gpg > ~ ls -al /usr/bin/gpg2 > lrwxrwxrwx 1 root root 3 Nov 28 14:24 /usr/bin/gpg2 -> gpg > ~ gpg --import ~/Downloads/ISOs/qubes-release-4.2-signing-key.asc > gpg: key 0xE022E58F8E34D89F: 1 signature not checked due to a missing key > gpg: key 0xE022E58F8E34D89F: public key "Qubes OS Release 4.2 Signing Key" > imported > gpg: Total number processed: 1 > gpg: imported: 1 > gpg: marginals needed: 3 completes needed: 1 trust model: pgp > gpg: Note: signatures using the SHA1 algorithm are rejected > gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u > gpg: next trustdb check due at 2025-01-04 > ~ gpg --fingerprint Qubes > pub rsa4096/0xE022E58F8E34D89F 2022-10-04 [SC] > Key fingerprint = 9C88 4DF3 F810 64A5 69A4 A9FA E022 E58F 8E34 D89F > uid [ unknown] Qubes OS Release 4.2 Signing Key > > Any help will be appreciated. > > Thank you. >
You downloaded only the Qubes 4.2 release signing key (RSK), not the Qubes Master Signing Key (QMSK). Please carefully read and follow this section: https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/dc96fa1a-c29c-4f38-9c04-410e7a85dd36%40qubes-os.org.