Dubious signature verification

Hello brothers, I need help regarding signatures. I can't find this signature anywhere on the page (or I haven't searched well) and I wanted to make sure that I am installing a legitimate ISO. Tell me if this one really belongs to someone from the QubesOS team, because the one I have found in several places is the following: 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494

I am sending you my terminal output from verifying the signatures:

```
~/Downloads$ gpg --import qubes-release-4.2-signing-key.asc
gpg: key E022E58F8E34D89F: 1 signature not checked due to a missing key
gpg: key E022E58F8E34D89F: "Qubes OS Release 4.2 Signing Key" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
~/Downloads$ gpg --verify Qubes-R4.2.2-x86_64.iso.asc Qubes-R4.2.2-x86_64.iso
gpg: Signature made Sat 13 Jul 2024 04:32:26 CEST
gpg:                using RSA key 9C884DF3F81064A569A4A9FAE022E58F8E34D89F
gpg: Good signature from "Qubes OS Release 4.2 Signing Key" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9C88 4DF3 F810 64A5 69A4 A9FA E022 E58F 8E34 D89F
~/Downloads$ sha256sum Qubes-R4.2.2-x86_64.iso
939df3096cbcafa784b8d9866d9221075b66e69da031a3340bfd7da7c881b08b  Qubes-R4.2.2-x86_64.iso
```

I am sending this information because I am relatively new and may have done something wrong, although I think I did the verification process well :smiley: It just doesn't match the information available on the page.

The sha256sum seems legit, according to this. However, to be really sure, you should first import the Qubes Master Signing Key. Only after that do you do what you did above, and gpg2 should confirm to you that what you have is signed by the Master Key.


I just added the signature with the following command:

```
gpg2 --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
```

And indeed I just added it:

```
pub   rsa4096 2022-10-04 [SC]
      9C884DF3F81064A569A4A9FAE022E58F8E34D89F
uid           [ unknown] Qubes OS Release 4.2 Signing Key
pub   rsa4096 2010-04-01 [SC]
      427F11FD0FAA4B080123F01CDDFA1A3E36879494
uid           [ unknown] Qubes Master Signing Key
```

But even so, it still tells me the same thing as before when I use

```
gpg --verify Qubes-R4.2.2-x86_64.iso.asc Qubes-R4.2.2-x86_64.iso
```

```
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9C88 4DF3 F810 64A5 69A4 A9FA E022 E58F 8E34 D89F
```

I checked the signatures of the team members too, and none of them match the one that matters either.

Did you change the trust level of the Master Key, as explained in my link? (I copy it below.)

```
$ gpg2 --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  4096R/36879494  created: 2010-04-01  expires: never       usage: SC
                     trust: unknown       validity: unknown
[ unknown] (1). Qubes Master Signing Key

gpg> fpr
pub   4096R/36879494 2010-04-01 Qubes Master Signing Key
Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

gpg> trust
pub  4096R/36879494  created: 2010-04-01  expires: never       usage: SC
                     trust: unknown       validity: unknown
[ unknown] (1). Qubes Master Signing Key

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

   1 = I don't know or won't say
   2 = I do NOT trust
   3 = I trust marginally
   4 = I trust fully
   5 = I trust ultimately
   m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  4096R/36879494  created: 2010-04-01  expires: never       usage: SC
                     trust: ultimate      validity: unknown
[ unknown] (1). Qubes Master Signing Key
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> q
```

Thank you very much, I missed that step :grin:
After doing that, in the folder where the signature and the ISO file are located, use the command

```
gpg --verify Qubes-R4.2.2-x86_64.iso.asc Qubes-R4.2.2-x86_64.iso
```

And if it's the right one, this is the message that should appear:

```
gpg: Signature made Sat 13 Jul 2024 04:32:26 CEST
gpg:                using RSA key 9C884DF3F81064A569A4A9FAE022E58F8E34D89F
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: Good signature from "Qubes OS Release 4.2 Signing Key" [full]
```

You are welcome! You should only trust the Master Key. All other keys are signed by it, so they are automatically verified.
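The whole procedure from this thread as one non-interactive script, added here as an example (it is not the Qubes project's own code): it pins the Master Signing Key fingerprint quoted above, sets ultimate owner trust without the `--edit-key` dialogue, and checks gpg's machine-readable status lines instead of the locale-dependent wording that confused the output above. It assumes GnuPG 2.x, network access, and the ISO, its `.asc` and the release key file in the current directory.

```shell
#!/bin/sh
# Fingerprint-pinned, non-interactive verification of a Qubes ISO (added example).
set -eu

# Master Signing Key fingerprint as published by the Qubes project (quoted in the thread).
QUBES_MASTER_FPR="427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494"

# Canonical form of a fingerprint: no spaces, uppercase.
canon_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Exit status 0 when both strings name the same key, 1 otherwise.
fpr_matches() {
    [ "$(canon_fpr "$1")" = "$(canon_fpr "$2")" ]
}

# Fingerprint of the first key in the local keyring matching a user ID, read from
# the colon-separated machine output rather than the translated human listing.
keyring_fpr() {
    gpg --with-colons --fingerprint "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

# verify_iso Qubes-R4.2.2-x86_64.iso
verify_iso() {
    iso="$1"
    # 1. Fetch the master key (same command as in the thread), then refuse to go on
    #    unless the key that arrived has the pinned fingerprint.
    gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
    got="$(keyring_fpr "Qubes Master Signing Key")"
    fpr_matches "$got" "$QUBES_MASTER_FPR" \
        || { echo "master key fingerprint mismatch: '$got'" >&2; return 1; }
    # 2. Ultimate owner trust, non-interactively (6 = ultimate, same as 'trust' -> 5 above).
    printf '%s:6:\n' "$(canon_fpr "$QUBES_MASTER_FPR")" | gpg --import-ownertrust
    # 3. Import the release key; it is certified by the master key, so it becomes valid.
    gpg --import qubes-release-4.2-signing-key.asc
    # 4. Verify, and judge the result by status lines, not by the printed wording.
    status="$(gpg --status-fd 1 --verify "$iso.asc" "$iso" 2>/dev/null || true)"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG' \
        || { echo "bad or missing signature on $iso" >&2; return 1; }
    printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)' \
        || { echo "signature is good but the signing key is not trusted" >&2; return 1; }
    echo "$iso: good signature, key trusted via the Qubes Master Signing Key"
}
```

A `GOODSIG` line alone is what the first post already had; the `TRUST_FULLY`/`TRUST_ULTIMATE` line is what only appears once the master key is trusted.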
