Incorrect date for Qubes Master Key?

I’ve carefully followed the steps for verifying the Qubes OS download.

I downloaded the Master Key from GitHub, and then I checked its fingerprint against several other websites.

However, when I got to the step where I had to check the signature of the “Qubes OS Release 4.2 Signing Key”, the date for the Master Key seemed incorrect. According to the Qubes website, the Master Key should have a 2017 date, but I got a 2023 date. Is that okay? Or should I be worried?

This is what I got:

```
gpg2 --check-signatures "Qubes OS Release 4.2 Signing Key"
pub   rsa4096 2022-10-04 [SC]
      9C884DF3F81064A569A4A9FAE022E58F8E34D89F
uid           [  full  ] Qubes OS Release 4.2 Signing Key
sig!3        E022E58F8E34D89F 2022-10-04  Qubes OS Release 4.2 Signing Key
sig!         DDFA1A3E36879494 2023-06-03  Qubes Master Signing Key
```

You need to read more carefully; the Qubes Master Signing Key (fingerprint: 427F11FD0FAA4B080123F01CDDFA1A3E36879494) was created in 2010; it certifies other keys, such as the Release Signing Keys…re-read the docs.

Yes, I understand that the master key certifies the other keys, such as the release keys. My question was about the date of the master key. Shouldn’t the year be 2017?

I just ran that command

and didn’t get anything like you got

How do I properly check mine if this is not how to check it, or was this how to check it and it just doesn’t exist?

I don’t know the CLI commands needed :frowning:

I tried following this but I don’t know how

You both need to take some time to read and think things through…the answers were already written.

There’s nothing wrong here. This is normal and expected. You are conflating two different things:

  1. The date on which the Qubes Master Signing Key signed/certified the Qubes OS Release 4.2 Signing Key, which is shown in this output as 2023-06-03.
  2. Some other date associated with the Qubes Master Signing Key, which you haven’t specified. I’m guessing you mean the date on which the QMSK was created (which would be in 2010, not 2017, by the way, and which the Qubes website already states correctly).

In any case, we don’t rely on these dates when verifying signatures, because dates can be spoofed. (E.g., set your computer’s date to 2010-04-01, then create a new PGP key, and call it “Qubes Master Signing Key.” You will fool no one who follows the instructions correctly.)

4 Likes
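The point made in the answer above, as an added example that is not part of the thread or of Qubes's own tooling: a check over `gpg2 --check-signatures --with-colons` style records that accepts a certification only on signature validity and signer identity, and never reads the date or name fields. The sample records are constructed, and the field positions are an assumption taken from GnuPG's doc/DETAILS.

```python
QMSK_FPR = "427F11FD0FAA4B080123F01CDDFA1A3E36879494"  # fingerprint quoted in the thread

# Constructed sample records shaped like `gpg2 --check-signatures --with-colons`
# output (field layout assumed from GnuPG's doc/DETAILS). Only sig records shown.
SELF_SIG = "sig:!::1:E022E58F8E34D89F:1664841600::::Qubes OS Release 4.2 Signing Key:13x:\n"
GENUINE = SELF_SIG + "sig:!::1:DDFA1A3E36879494:1685750400::::Qubes Master Signing Key:10x:\n"
# Same name and same date as the genuine certification, but a different (made-up) key.
DECOY = SELF_SIG + "sig:!::1:0123456789ABCDEF:1685750400::::Qubes Master Signing Key:10x:\n"
# Right key ID, but gpg reports the signature as bad ('-').
BAD = SELF_SIG + "sig:-::1:DDFA1A3E36879494:1685750400::::Qubes Master Signing Key:10x:\n"
# Key ID matches, but field 13 carries a different (made-up) full fingerprint.
COLLIDE = SELF_SIG + ("sig:!::1:DDFA1A3E36879494:1685750400::::Qubes Master Signing Key"
                      ":10x::" + "0" * 24 + "DDFA1A3E36879494:\n")


def good_signers(colons_listing):
    """Yield (key_id, issuer_fpr) for every signature gpg marked good ('!')."""
    for line in colons_listing.splitlines():
        f = line.split(":")
        if f[0] != "sig" or len(f) < 11:
            continue
        if not f[1].startswith("!"):  # field 2: '!' good, '-' bad, '?' no key
            continue
        issuer_fpr = f[12] if len(f) > 12 else ""  # field 13, often empty
        yield f[4].upper(), issuer_fpr.upper()     # field 5: 64-bit key ID


def certified_by(colons_listing, trusted_fpr):
    """True if a good signature was issued by the key with trusted_fpr.

    Field 6 (date) and field 10 (user ID) are never consulted: both are
    chosen by whoever creates the key or the signature.
    """
    trusted_fpr = trusted_fpr.replace(" ", "").upper()
    for key_id, issuer_fpr in good_signers(colons_listing):
        if key_id != trusted_fpr[-16:]:
            continue  # signed by some other key, whatever it calls itself
        if issuer_fpr and issuer_fpr != trusted_fpr:
            continue  # key ID collides but the full fingerprint differs
        return True
    return False


if __name__ == "__main__":
    for name, listing in [("genuine", GENUINE), ("decoy", DECOY),
                          ("bad", BAD), ("collide", COLLIDE)]:
        print(name, certified_by(listing, QMSK_FPR))
```

A key-ID match only means something once the keyring's copy of that key has had its full fingerprint checked against independent sources, which is the step the original poster describes doing first.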

Got it. Thanks!