Incorrect date for Qubes Master Key?

I’ve carefully followed the steps for verifying the Qubes OS download.

I downloaded the Master Key from GitHub, and then I checked its fingerprint against several other websites.

However, when I got to the step where I had to check the signature of the “Qubes OS Release 4.2 Signing Key”, the date for the Master Key seemed incorrect. According to the Qubes website, the Master Key should have a 2017 date, but I got a 2023 date. Is that okay? Or should I be worried?

This is what I got:

gpg2 --check-signatures "Qubes OS Release 4.2 Signing Key" 
pub   rsa4096 2022-10-04 [SC]
uid           [  full  ] Qubes OS Release 4.2 Signing Key
sig!3        E022E58F8E34D89F 2022-10-04  Qubes OS Release 4.2 Signing Key
sig!         DDFA1A3E36879494 2023-06-03  Qubes Master Signing Key

You need to read more carefully; the Qubes Master Signing Key (fingerprint: 427F11FD0FAA4B080123F01CDDFA1A3E36879494) was created in 2010; it certifies other keys, such as the Release Signing Keys…re-read the docs.

Yes, I understand that the master key certifies the other keys, such as the release keys. My question was about the date of the master key. Shouldn’t the year be 2017?

I just ran that command

and didn’t get anything like you got

How do I properly check mine if this is not how to check it, or was this how to check it and it just doesn’t exist?

I don’t know the CLI commands needed :frowning:

I tried following this but I don’t know how

You both need to take some time to read and think things through…the answers were already written.

There’s nothing wrong here. This is normal and expected. You are conflating two different things:

  1. The date on which the Qubes Master Signing Key signed/certified the Qubes OS Release 4.2 Signing Key, which is shown in this output as 2023-06-03.
  2. Some other date associated with the Qubes Master Signing Key, which you haven’t specified. I’m guessing you mean the date on which the QMSK was created (which would be in 2010, not 2017, by the way, and which the Qubes website already states correctly).

In any case, we don’t rely on these dates when verifying signatures, because dates can be spoofed. (E.g., set your computer’s date to 2010-04-01, then create a new PGP key, and call it “Qubes Master Signing Key.” You will fool no one who follows the instructions correctly.)


Got it. Thanks!