Hi, Qube nube / Linux nub here. :joyful_coiled_up_poop:
Before I retry installing R4.1.2, I’m re-following the ‘verifying signatures’ guide. When using Gpg4Win on Windows I get:
$ gpg -v --verify Qubes-R4.1.2-x86_64.iso.asc Qubes-R4.1.2-x86_64.iso
...
gpg: Good signature from "Qubes OS Release 4 Signing Key"
But with the same files I get some bad indications when using gpg2 on Linux (Arch).
Below seems fine:
$ gpg2 -v --verify Qubes-R4.1.2-x86_64.iso.DIGESTS
gpg: enabled compatibility flags:
gpg: armor header: Hash: SHA256
gpg: original file name=''
gpg: Signature made <date was here>
gpg: using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: using pgp trust model
gpg: Good signature from "Qubes OS Release 4 Signing Key" [full]
gpg: textmode signature, digest algorithm SHA256, key algorithm rsa4096
Below seems wrong, and I don’t know if this means the file is tampered with or something else:
$ md5sum -c Qubes-R4.1.2-x86_64.iso.DIGESTS
Qubes-R4.1.2-x86_64.iso: FAILED
md5sum: WARNING: 20 lines are improperly formatted
md5sum: WARNING: 1 computed checksum did NOT match
… it’s the same result message for md5, sha1, sha256, sha512
And then:
$ gpg2 -v --verify Qubes-R4.1.2-x86_64.iso.asc Qubes-R4.1.2-x86_64.iso
gpg: enabled compatibility flags:
gpg: Signature made <date was here>
gpg: using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: using pgp trust model
gpg: BAD signature from "Qubes OS Release 4 Signing Key" [full]
gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096
I get the same results when using torrent files.
Should I avoid booting with this iso?
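
Added example, not part of the original post: a Python sketch that reads only the signed portion of a clearsigned digests file and checks a file against every algorithm listed there, rather than passing the whole file to `md5sum -c`, which warns about every line that is not an MD5 entry. It assumes the digests file holds `<hex digest> *<filename>` lines for several algorithms; `sample.iso`, the function names and the sample data are constructed for illustration.

```python
import hashlib, os, re, tempfile

# Hex digest length -> hashlib algorithm name.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
LINE_RE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")  # "<hex> *<filename>"

def signed_lines(clearsigned_text):
    """Return only the lines covered by the clearsign signature."""
    lines = clearsigned_text.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    body = lines[start + 1:end]
    body = body[body.index("") + 1:]  # armor headers ("Hash: ...") end at a blank line
    return [l[2:] if l.startswith("- ") else l for l in body]  # undo dash-escaping

def expected_digests(clearsigned_text, filename):
    """Map algorithm name -> expected hex digest listed for filename."""
    expected = {}
    for line in signed_lines(clearsigned_text):
        m = LINE_RE.match(line)
        if m and m.group(2) == filename and len(m.group(1)) in ALGO_BY_HEXLEN:
            expected[ALGO_BY_HEXLEN[len(m.group(1))]] = m.group(1).lower()
    return expected

def check_file(path, expected, chunk=1 << 20):
    """Hash the file once with every listed algorithm; return algo -> matched?"""
    hashers = {algo: hashlib.new(algo) for algo in expected}
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() == expected[algo] for algo, h in hashers.items()}

def demo(data_on_disk):
    """Constructed sample: digests describe b'sample image'; the disk copy may differ."""
    listed = "\n".join(f"{hashlib.new(a, b'sample image').hexdigest()} *sample.iso"
                       for a in ALGO_BY_HEXLEN.values())
    text = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + listed +
            "\n-----BEGIN PGP SIGNATURE-----\n(constructed placeholder)\n"
            "-----END PGP SIGNATURE-----\n")
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(data_on_disk)
    try:
        return check_file(fh.name, expected_digests(text, "sample.iso"))
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    print(demo(b"sample image"), demo(b"sample imag"))  # intact copy, then truncated copy
```

The parser does not verify the signature itself, so its result is only meaningful once gpg has reported a good signature on the digests file.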