Re: [qubes-users] Qubes OS Release 4 Signing Key NOT signed by Master Signing Key

2019-09-30 Thread Andrew David Wong 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2019-09-30 12:10 PM, Dave wrote:
>> From https://www.qubes-os.org/security/verifying-signatures/
>
> Working from AppVM terminal...
>
> I've acquired and imported qubes master signing key, verified
> fingerprint, and set trust to ultimate Then fetched release 4
> signing key, which is supposed to be signed by the master signing
> key, but is NOT
>
> *What matters is that the last line shows that this key is signed
> by the
>> Qubes Master Signing Key, which verifies the authenticity of the
>> Release Signing Key.*
>>
>
> [user@browser rpm-gpg]$ gpg --fetch-keys
> https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc
> gpg: requesting key from
> 'https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc'
> gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing
> Key" imported gpg: Total number processed: 1 gpg: imported: 1
>
> [root@browser ~]# gpg --list-sigs "Qubes OS Release 4 Signing Key"
> pub   rsa4096 2017-03-06 [SC]
> 5817A43B283DE5A9181A522E1848792F9E2795E9 uid   [ unknown]
> Qubes OS Release 4 Signing Key sig 31848792F9E2795E9
> 2017-03-06  Qubes OS Release 4 Signing Key
>
> The above gpg command --list-sigs failed to return the line: "sig
> DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key"
>
> How should I proceed from here? My objective is to download and
> install a new ISO on another machine. BTW, I've had great success
> using Qubes-os for over 2 years with my first installation. I'm
> grateful for everyone working to maintain it and support it.
>

It works for me:

$ gpg2 --list-sigs "Qubes OS Release 4 Signing Key"
pub   rsa4096 2017-03-06 [SC]
  5817A43B283DE5A9181A522E1848792F9E2795E9
uid   [  full  ] Qubes OS Release 4 Signing Key
sig 31848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key
sig  DDFA1A3E36879494 2017-03-08  Qubes Master Signing Key

Is it possible that you haven't imported the Qubes Master Signing Key
into your keyring?

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAl2SjYMACgkQ203TvDlQ
MDCGyRAAiIiIZFkCZ5dgpW+9HlQi6Ydz3o1oFhzzCD1aBJA1u5vawNPDql0zxiy7
RB2EFn1cBk4zRzpMMmWtUWSTbKKWmnWed6MyG5wtDhcKpCOe/XTTJLQtE/60zzmA
oy3JzhLMeX/yFtDQm2ugiLhi694LtaxI67F+inqRgq4V3pBKLVbjsLvJkIMtvHko
t5PKCtE7tFmsZ1AOl3SURr7VkqPap9H7cdtN6J/e83BN9eo7/lFcjKYtyg+seaw0
dNQbBVk6x05WEYlcbFT9VA2Tyv+Nx+KzlCIDXRXN0G8a6Afle7TTPsAL3sfsKozE
qlwVsYnhd6MownSjrzYZQYo0t0TX15+QSkcybYR4bMWWnindlenTuHFZ5S2kFIsp
O7y6+fRugSD0pk9pt3ozX6vNTCIpwGiVuuOLEcht8yYuxXMnfB1+XDscvm/Ql4VD
Xoqm0a0F8GzSkXyggPkheeoSUGcWPDJ5+EtH1Ts8uFlnT7Ffll8Mmtc395z0SHCd
oV6ylVoMdDRw7VqkjsmhF28HPodeVv1sqMPlhtaoX55ZBm3fuXQiLKWpXJ66dPRt
yrUrMoFbp79XC9sxy/4dAw8pb5Y+wlv4oBrDcJllj3FRQJOTQxgaOK3pZaECJieb
PL6fIHAvWQKMM5s7A+sYPpzWPuB7nFAzoBdG5VEb8udmj7TrmOo=
=8z1c
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3b070874-ac61-87ea-f0c4-7b961d73a566%40qubes-os.org.

[qubes-users] Qubes OS Release 4 Signing Key NOT signed by Master Signing Key

2019-09-30 Thread Dave 
>From https://www.qubes-os.org/security/verifying-signatures/

Working from AppVM terminal...

I've acquired and imported qubes master signing key, verified fingerprint, 
and set trust to ultimate
Then fetched release 4 signing key, which is supposed to be signed by the 
master signing key, but is NOT

*What matters is that the last line shows that this key is signed by the 
> Qubes Master Signing Key, which verifies the authenticity of the Release 
> Signing Key.*
>

[user@browser rpm-gpg]$ gpg --fetch-keys 
https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc
gpg: requesting key from 
'https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc'
gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" 
imported
gpg: Total number processed: 1
gpg:   imported: 1

[root@browser ~]# gpg --list-sigs "Qubes OS Release 4 Signing Key"
pub   rsa4096 2017-03-06 [SC]
  5817A43B283DE5A9181A522E1848792F9E2795E9
uid   [ unknown] Qubes OS Release 4 Signing Key
sig 31848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key

The above gpg command --list-sigs failed to return the line: "sig 
DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key"

How should I proceed from here? My objective is to download and install a 
new ISO on another machine. BTW, I've had great success using Qubes-os for 
over 2 years with my first installation. I'm grateful for everyone working 
to maintain it and support it.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c12c01fd-4af0-494b-80b2-88fbad8db503%40googlegroups.com.