I am having issues in multiple verification stages

KenzieAon · July 14, 2022, 3:51am

I have found other articles here but they usually boiled down to “Delete everything and try again” and that worked for some reason. For me however that is not the case, I am having trouble having correct canary signatures (Unknown and BAD) from the examples given in the installation guide. I have not even installed the .ISO yet (fingerprint matches from multiple sources across the web from what I can tell) and the hashes in the 4.1.0 DIGESTS doesn’t match according to the md5sum and opensll (FAILED and different hash respectively).

I am unaware where the issue is. I am running windows and as such have no ability to use gpg2, but I have installed Gpg4win (and by extenstion GPA, Kleopatra, and GnuEX) along with Git 2.73.1 (whatever was released on July 12th 2022). However, besides these two issues I have had no trouble besides trying to use the following commands in Git Bash:

gpg2 --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc 
<!--This refused to fetch the key because the certification was expired/invalid)-->

gpg2 --keyserver-options no-self-sigs-only,no-import-clean --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
<!--This just put the file somewhere I couldn't find and thus couldn't proceed-->

 gpg2 --import /<PATH_TO_FILE>/qubes-master-signing-key.asc
<!--even when I had the "trustdb" file this command didnt work, I might just not understand it, I replaced the obvious with the "trustdb" file. the extension to "trustdb" was .gpg)-->

Again, gpg2 didnt work so I had to resort to gpg. If you need any more information I will be willing to provide it. Any help will be appreciated, thank your for what you can give, and any method that fails I am thankful you tried.

fsflover · July 15, 2022, 9:34pm

I can’t comment on other things, but would it help if you used WSL (Windows System for Linux) for that?

Sven · July 15, 2022, 10:06pm

That is fine. gpg2 is a link as you can see here:

user@vault:~$ which gpg2
/usr/bin/gpg2
user@vault:~$ ls -la /usr/bin/gpg2
lrwxrwxrwx 1 root root 3 Jul  1 02:03 /usr/bin/gpg2 -> gpg
user@vault:~$ gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.8.8
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/user/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
user@vault:~$ gpg2 --version
gpg (GnuPG) 2.2.27
libgcrypt 1.8.8
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/user/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

The important part is the version being >=2.0. The version available for Windows currently is 2.3.7 and can be downloaded here.

You should already have this version as Gpg4win 4.0.3 contains it.