Joey Goodnews is back with another poser.
Downloaded the iso from:
https:--mirrors.edge.kernel.org/qubes/iso/Qubes-R4.0.3-x86_64.iso
and the associated hashes and gpg signatures. Then checked the security of the file.
NOTE: (https:-- substituted for https:// to allow hyperlinks to be included in the post)
The short story is the gpg signatures, installs and iso verification went as hoped, but the verification of the Digests failed.
I apparently dropped a stitch somewhere and would appreciate any insights. Thanks.
The screen output of the gpg session follows:
tmp01@temp$ sudo gpg2 --fetch-keys https:--keys.qubes-os.org/keys/qubes-master-signing-key.asc
gpg: requesting key from ‘https:--keys.qubes-os.org/keys/qubes-master-signing-key.asc’
gpg: key DDFA1A3E36879494: public key “Qubes Master Signing Key” imported
gpg: Total number processed: 1
gpg: imported: 1
tmp01@temp$ sudo gpg2 --edit-key 0x36879494
gpg (GnuPG) 2.2.23; Copyright © 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from ‘/root/.gnupg/secring.gpg’ to gpg-agent
gpg: migration succeeded
pub rsa4096/DDFA1A3E36879494
created: 2010-04-01 expires: never usage: SC
trust: unknown validity: unknown
[ unknown] (1). Qubes Master Signing Key
gpg> fpr
pub rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
Primary key fingerprint: 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
gpg> trust
pub rsa4096/DDFA1A3E36879494
created: 2010-04-01 expires: never usage: SC
trust: unknown validity: unknown
[ unknown] (1). Qubes Master Signing Key
Please decide how far you trust this user to correctly verify other users’ keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don’t know or won’t say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub rsa4096/DDFA1A3E36879494
created: 2010-04-01 expires: never usage: SC
trust: ultimate validity: unknown
[ unknown] (1). Qubes Master Signing Key
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> q
tmp01@temp$ sudo gpg2 --keyserver-options no-self-sigs-only,no-import-clean --fetch-keys https:--keys.qubes-os.org/keys/qubes-release-4-signing-key.asc
gpg: requesting key from ‘https:--keys.qubes-os.org/keys/qubes-release-4-signing-key.asc’
gpg: key 1848792F9E2795E9: public key “Qubes OS Release 4 Signing Key” imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
tmp01@temp$ sudo gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
pub rsa4096 2017-03-06 [SC]
5817A4…
uid [ full ] Qubes OS Release 4 Signing Key
sig!3 18487… 2017-03-06 Qubes OS Release 4 Signing Key
sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key
gpg: 2 good signatures
tmp01@temp$ sudo gpg2 -v --verify Qubes-R4.0.3-x86_64.iso.asc Qubes-R4.0.3-x86_64.iso
gpg: Signature made Sun 19 Jan 2020 08:41:26 PM EST using RSA key 5817A4…
gpg: using pgp trust model
gpg: Good signature from “Qubes OS Release 4 Signing Key” [full]
gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096
tmp01@temp$ sudo md5sum -c Qubes-R4.0.3-x86_64.iso.DIGESTS
Qubes-R4.0.3-x86_64.iso: OK
md5sum: WARNING: 23 lines are improperly formatted
tmp01@temp$ sudo sha1sum -c Qubes-R4.0.3-x86_64.iso.DIGESTS
Qubes-R4.0.3-x86_64.iso: OK
sha1sum: WARNING: 23 lines are improperly formatted
tmp01@temp$ sudo sha256sum -c Qubes-R4.0.3-x86_64.iso.DIGESTS
Qubes-R4.0.3-x86_64.iso: OK
sha256sum: WARNING: 23 lines are improperly formatted
tmp01@temp$ sudo sha512sum -c Qubes-R4.0.3-x86_64.iso.DIGESTS
Qubes-R4.0.3-x86_64.iso: OK
sha512sum: WARNING: 23 lines are improperly formatted
tmp01@temp$ sudo gpg2 -v --verify Qubes-R4.0.3-x86_64.iso.DIGESTS
gpg: armor header: Hash: SHA256
gpg: original file name=''
gpg: Signature made Sun 19 Jan 2020 08:42:18 PM EST using RSA key 5817A4…
gpg: using pgp trust model
gpg: BAD signature from “Qubes OS Release 4 Signing Key” [full]
gpg: textmode signature, digest algorithm SHA256, key algorithm rsa4096
To verify, downloaded and installed master signing key from website:
https:--keys.qubes-os.org/keys/qubes-master-signing-key.asc
tmp01@temp$ sudo gpg2 --import ./qubes-master-signing-key.asc
gpg: key DDFA1A3E36879494: “Qubes Master Signing Key” not changed
gpg: Total number processed: 1
gpg: unchanged: 1
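Added example, not part of the post above and not Qubes project code: the Qubes DIGESTS file is one clearsigned text listing the ISO's md5, sha1, sha256 and sha512 sums together, and each `*sum -c` tool only accepts lines carrying its own digest length, so it reports every other line as "improperly formatted". The script below builds a constructed stand-in for such a file (a small `sample.iso` plus a DIGESTS-style file with a placeholder signature block; the file names and directory layout are assumptions), selects each algorithm's lines by digest length before handing them to the matching checker, and shows the FAIL path on a tampered copy. The hash lines are only as trustworthy as the signature covering them, so a file whose signature does not verify should be re-fetched and re-verified before any of its sums are relied on; this script does not replace that gpg step.

```shell
#!/bin/sh
# Added example (not from the post). Splits a multi-algorithm DIGESTS-style
# file so that each checksum tool sees only its own lines. All sample data
# below is constructed; the real Qubes DIGESTS file is a clearsigned text
# with an ASCII-armored signature block instead of the placeholder used here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write a constructed DIGESTS-style file next to $1/sample.iso, with one
# checksum line per algorithm computed from the sample so the demo verifies.
build_digests() {  # $1 = directory holding sample.iso
  ( cd "$1" && {
      echo '-----BEGIN PGP SIGNED MESSAGE-----'
      echo 'Hash: SHA256'
      echo ''
      md5sum sample.iso; sha1sum sample.iso; sha256sum sample.iso; sha512sum sample.iso
      echo '-----BEGIN PGP SIGNATURE-----'
      echo '(placeholder: the real file carries an ASCII-armored signature here)'
      echo '-----END PGP SIGNATURE-----'
    } > sample.iso.DIGESTS )
}

# Create a directory with a constructed stand-in ISO and its DIGESTS file.
make_sample() {  # $1 = directory to create
  mkdir -p "$1"
  printf 'not a real iso\n' > "$1/sample.iso"
  build_digests "$1"
}

# Digest length in hex characters for each algorithm.
digest_len() {
  case "$1" in
    md5) echo 32 ;; sha1) echo 40 ;; sha256) echo 64 ;; sha512) echo 128 ;;
    *) echo "unknown algorithm: $1" >&2; return 1 ;;
  esac
}

# Print only the checksum lines of one algorithm from a DIGESTS file.
# Checksum lines look like "<hex digest>  <file>" or "<hex digest> *<file>".
select_lines() {  # $1 = algorithm, $2 = DIGESTS path
  len=$(digest_len "$1")
  grep -E "^[0-9a-f]{$len} [ *]" "$2"
}

# Feed one algorithm's line(s) to its checker, run inside the directory that
# holds the file being checked. Prints OK or FAIL; returns 0 on OK, 1 on FAIL.
check_algo() {  # $1 = algorithm (md5|sha1|sha256|sha512), $2 = directory
  if select_lines "$1" "$2/sample.iso.DIGESTS" \
       | ( cd "$2" && "${1}sum" -c - ) >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
    return 1
  fi
}

# Stand-alone demo: an intact sample passes all four checks, a tampered
# copy fails. Because only matching lines reach each tool, no
# "improperly formatted" warnings are produced.
make_sample "$WORK/good"
make_sample "$WORK/bad"
printf 'tampered\n' >> "$WORK/bad/sample.iso"
for algo in md5 sha1 sha256 sha512; do
  printf 'good %-6s %s\n' "$algo" "$(check_algo "$algo" "$WORK/good")"
done
printf 'bad  sha256 %s\n' "$(check_algo sha256 "$WORK/bad" || true)"
```

Run it as a plain `sh` script; it needs only coreutils (`md5sum`, `sha1sum`, `sha256sum`, `sha512sum`, `grep`, `mktemp`). To apply the same idea to a real DIGESTS file, point `select_lines` at it and run the matching checker in the directory containing the ISO, after the signature on the DIGESTS file itself has verified.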