I am trying to import the release signing key but I am getting this error
gpg: no valid OpenPGP data found.
I try to import key with
$ gpg2 --import ./Qubes-R4.1.0-alpha20201014-x86_64.iso.asc
And
$ gpg2 --keyserver-options no-self-sigs-only,no-import-clean --import ./Qubes-R4.1.0-alpha20201014-x86_64.iso.asc
With both inputs I get the same "no valid OpenPGP data found" error. I tried importing the release 4.0.4 release signing key and it imports with no problem. What am I doing wrong?
I am following the doc precisely. Verifying regular R4.0.4 is no problem for me; I just did this for practice again. What command should I try now for importing the release signature? Should I try renaming the 4.1 release signature? The file is in the right directory. Also, is there a newer 4.1 test version I should be using, and where can I find it?
What I think I am seeing is OpenPGP verifying R4.1 .iso with the regular qubes-release-4-signing-key.asc for R4.0.4. The output I am getting is this
daisy@ubuntu:~/Downloads$ gpg2 -v --verify Qubes-R4.1.0-alpha20201014-x86_64.iso.asc Qubes-R4.1.0-alpha20201014-x86_64.iso
gpg: Signature made Wed 14 Oct 2020 10:22:46 AM UTC
gpg: using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: using pgp trust model
gpg: Good signature from "Qubes OS Release 4 Signing Key" [full]
Primary key fingerprint: 5817 A43B 283D E5A9 181A 522E 1848 792F 9E27 95E9
gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096
Does this look like success? I am not sure Qubes-R4.1.0-alpha20201014-x86_64.iso.asc was imported with success because the only output I got is
daisy@ubuntu:~/Downloads$ gpg --import ./Qubes-R4.1.0-alpha20201014-x86_64.iso.asc
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
I checked the Troubleshooting FAQ which tells me the only problem is the wrong signature but if I run the below command OpenPGP acknowledges the 4.1 signing key
daisy@ubuntu:~/Downloads$ gpg2 --verify Qubes-R4.1.0-alpha20201014-x86_64.iso.asc
gpg: assuming signed data in 'Qubes-R4.1.0-alpha20201014-x86_64.iso'
gpg: Signature made Wed 14 Oct 2020 10:22:46 AM UTC
gpg: using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: Good signature from "Qubes OS Release 4 Signing Key" [full]
Primary key fingerprint: 5817 A43B 283D E5A9 181A 522E 1848 792F 9E27 95E9
Is it possible I am using the wrong import command? I have redownloaded the R4.1 signing key 4 times and tried all copies. Was it a success because it said “Good signature from “Qubes OS Release 4 Signing Key” [full]”?
The .iso.asc file is not a key. It’s a signature, so you should not try to import it. It is bound to fail.
You are supposed to first verify that the release signing key (Release 4 applies to both 4.0, 4.1, and whatever 4.x they may release in the future) has a proper signature from the Qubes master key. Then you use the release signing key to verify the iso; the .iso.asc file is a detached signature for the iso file.
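The difference the reply points out, key versus detached signature, is visible in the first armor header line of the .asc file, so it can be checked before picking a gpg command. The script below is an added example, not part of the original thread or of the Qubes documentation; the function names and the sample file names are made up for illustration, and the suggested commands are printed, not run.

```shell
#!/bin/sh
# Added example: decide whether an ASCII-armored OpenPGP file is a key
# (import it) or a signature (verify with it) from its armor header line.

# Print the armor type of file $1: key, signature, signed-message or unknown.
pgp_armor_type() {
    [ -r "$1" ] || { echo unknown; return 0; }
    # First armor header wins: a clearsigned file starts with SIGNED MESSAGE
    # and only later contains a SIGNATURE block.
    header=$(sed -n '/^-----BEGIN PGP /{p;q;}' "$1" | tr -d '\r')
    case "$header" in
        '-----BEGIN PGP PUBLIC KEY BLOCK-----') echo key ;;
        '-----BEGIN PGP SIGNATURE-----')        echo signature ;;
        '-----BEGIN PGP SIGNED MESSAGE-----')   echo signed-message ;;
        *)                                      echo unknown ;;
    esac
}

# Print the gpg2 command that fits file $1 (printed, not executed).
gpg_action_for() {
    case "$(pgp_armor_type "$1")" in
        key)            echo "gpg2 --import $1" ;;
        # Detached signature: the signed data has the same name without .asc,
        # which is also what gpg assumes when given only the signature file.
        signature)      echo "gpg2 --verify $1 ${1%.asc}" ;;
        signed-message) echo "gpg2 --verify $1" ;;
        *)              echo "not an armored key or signature: $1"; return 1 ;;
    esac
}

# Constructed sample files; the armor bodies are placeholders, not real data.
demo=$(mktemp -d)
cat > "$demo/example.iso.asc" <<'EOF'
-----BEGIN PGP SIGNATURE-----

PLACEHOLDERBODY
-----END PGP SIGNATURE-----
EOF
cat > "$demo/example-signing-key.asc" <<'EOF'
-----BEGIN PGP PUBLIC KEY BLOCK-----

PLACEHOLDERBODY
-----END PGP PUBLIC KEY BLOCK-----
EOF
for f in "$demo/example.iso.asc" "$demo/example-signing-key.asc"; do
    gpg_action_for "$f"
done
rm -rf "$demo"
```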