I got some similar issues with the 4.0.4
While downloading the most recent OS version, 4.0.4, to install it on an old machine, the process went well. This time I took my time going through the verification of signatures and I had a few questions about the outputs.
Whose signatures are these?
5817A43B283DE5A9181A522E1848792F9E2795E9 or 51629CD41240D51DDAA773397AF9C6537BB6DE87
It’s not the master signing key, nor is it the signing key for the Q4.0.4? Perhaps it’s a developer signature, but whose?
(Here’s where I noticed it first)
[user@download ~]$ gpg2 -k "Qubes OS Release"
pub rsa4096 2017-03-06 [SC]
5817A43B283DE5A9181A522E1848792F9E2795E9
uid [ full ] Qubes OS Release 4 Signing Key
pub rsa4096 2017-06-12 [SC]
51629CD41240D51DDAA773397AF9C6537BB6DE87
uid [ unknown] Qubes OS Release 4 Unstable Signing Key
(and again during this step)
[user@download ~]$ gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
pub rsa4096 2017-03-06 [SC]
5817A43B283DE5A9181A522E1848792F9E2795E9
uid [ full ] Qubes OS Release 4 Signing Key
sig!3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key
sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key
pub rsa4096 2017-06-12 [SC]
51629CD41240D51DDAA773397AF9C6537BB6DE87
uid [ unknown] Qubes OS Release 4 Unstable Signing Key
At this point, I'm not trying to use an unstable version, since I inadvertently downloaded these signatures:
/etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4-templates-community
/etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4-unstable
It may make sense why I may have 2 versions of the OS (or packages) by the following output.
[user@download ~]$ gpg2 -k "Qubes OS Release"
pub rsa4096 2017-03-06 [SC]
5817A43B283DE5A9181A522E1848792F9E2795E9
uid [ full ] Qubes OS Release 4 Signing Key
pub rsa4096 2017-06-12 [SC]
51629CD41240D51DDAA773397AF9C6537BB6DE87
uid [ unknown] Qubes OS Release 4 Unstable Signing Key
Ultimately, I would like to get rid of the unstable versions and their signatures. How can I do that once I use the bootable USB on a different machine?
Thanks,