Hi, I''m trying to verify the key I downloaded from the Qubes Download page <https://www.qubes-os.org/downloads/>. According to the documentation on the Verfying Signatures <https://www.qubes-os.org/security/verifying-signatures/>, it looks like there may be a discrepancy between the two.
The site says the key is: 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494 and I have the following: ~ which gpg /usr/bin/gpg ~ ls -al /usr/bin/gpg -rwxr-xr-x 1 root root 1151616 Nov 28 14:24 /usr/bin/gpg ~ ls -al /usr/bin/gpg2 lrwxrwxrwx 1 root root 3 Nov 28 14:24 /usr/bin/gpg2 -> gpg ~ gpg --import ~/Downloads/ISOs/qubes-release-4.2-signing-key.asc gpg: key 0xE022E58F8E34D89F: 1 signature not checked due to a missing key gpg: key 0xE022E58F8E34D89F: public key "Qubes OS Release 4.2 Signing Key" imported gpg: Total number processed: 1 gpg: imported: 1 gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: Note: signatures using the SHA1 algorithm are rejected gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: next trustdb check due at 2025-01-04 ~ gpg --fingerprint Qubes pub rsa4096/0xE022E58F8E34D89F 2022-10-04 [SC] Key fingerprint = 9C88 4DF3 F810 64A5 69A4 A9FA E022 E58F 8E34 D89F uid [ unknown] Qubes OS Release 4.2 Signing Key Any help will be appreciated. Thank you. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/44675806-54db-4b95-94ed-df90b03f104cn%40googlegroups.com.