Qubes release signing key not working

Trying to verify Qubes, but when I get to the part where I input the command “gpg --keyserver-options no-self-sigs-only,no-import-clean --import ./qubes-release-4-signing-key.asc” it says “third party key signatures using the SHA1 algorithm are rejected”. I can allow SHA1 sigs by using the command “--allow-weak-key-signatures” and that would fix it. But now someone told me that there are SHA256/512 sigs that I should be using instead.

I downloaded everything from the Qubes website and the verification process was fine until I got to this point. I didn’t have a problem with this about a year ago, so not sure what to do.

If anyone could help that would be great.

Sorry, it looks like the Release 4 Signing Key is still signed with SHA-1:

Update for anyone else with this problem: The Release 4 Signing Key has now also been updated to a SHA256 version on the Qubes website. If this is a problem in the future then the Qubes OS GitHub will have updated keys available.

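Added example, not part of the thread: a shell helper that reads `gpg --list-packets` output and reports which digest algorithm each signature on a key file uses, so a SHA-1 certification like the one GnuPG rejects above can be told apart from a SHA256/512 one before importing. The packet dump and key IDs below are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Digest algorithm numbers follow the OpenPGP registry (RFC 4880, section 9.4).

# Reads `gpg --list-packets` text on stdin.
# Prints one line per signature packet: "<issuer keyid> <sigclass> <digest>".
sig_digests() {
    awk '
        BEGIN {
            name[1] = "MD5"; name[2] = "SHA1"; name[3] = "RIPEMD160"
            name[8] = "SHA256"; name[9] = "SHA384"; name[10] = "SHA512"; name[11] = "SHA224"
        }
        /^:signature packet:/ {
            keyid = "unknown"; cls = "unknown"
            for (i = 1; i <= NF; i++) if ($i == "keyid") keyid = $(i + 1)
            insig = 1; next
        }
        /^:/ { insig = 0 }    # any other packet header ends the signature block
        insig && /sigclass/ {
            for (i = 1; i <= NF; i++) if ($i == "sigclass") cls = $(i + 1)
        }
        insig && /digest algo/ {
            for (i = 1; i <= NF; i++) if ($i == "algo") { n = $(i + 1); sub(/,$/, "", n) }
            print keyid, cls, ((n in name) ? name[n] : "algo" n)
        }
    '
}

# Prints issuer key IDs of key certifications (sigclass 0x10-0x13) made with SHA-1 or MD5.
weak_certs() {
    sig_digests | awk '$2 ~ /^0x1[0-3]$/ && ($3 == "SHA1" || $3 == "MD5") { print $1 }'
}

# Constructed sample of `gpg --list-packets` output (placeholder key IDs).
sample_packets() {
    cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1500000000, expires 0
    keyid: AAAAAAAAAAAAAAAA
:user ID packet: "Example Release Signing Key"
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
    version 4, created 1500000000, md5len 0, sigclass 0x13
    digest algo 8, begin of digest 12 34
:signature packet: algo 1, keyid BBBBBBBBBBBBBBBB
    version 4, created 1500000100, md5len 0, sigclass 0x10
    digest algo 2, begin of digest ab cd
EOF
}

# Real use: gpg --list-packets ./qubes-release-4-signing-key.asc | weak_certs
sample_packets | sig_digests
```

An empty result from `weak_certs` means no certification on the key file uses SHA-1 or MD5; a listed key ID identifies whose signature triggers the rejection.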