Hi,
I’'m trying to verify the key I downloaded from the Qubes Download page https://www.qubes-os.org/downloads/. According to the documentation on the Verfying Signatures https://www.qubes-os.org/security/verifying-signatures/, it looks like there may be a discrepancy between the two.
The site says the key is:
0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
and I have the following:
~ which gpg
/usr/bin/gpg
~ ls -al /usr/bin/gpg
-rwxr-xr-x 1 root root 1151616 Nov 28 14:24 /usr/bin/gpg
~ ls -al /usr/bin/gpg2
lrwxrwxrwx 1 root root 3 Nov 28 14:24 /usr/bin/gpg2 → gpg
~ gpg --import ~/Downloads/ISOs/qubes-release-4.2-signing-key.asc
gpg: key 0xE022E58F8E34D89F: 1 signature not checked due to a missing key
gpg: key 0xE022E58F8E34D89F: public key “Qubes OS Release 4.2 Signing Key” imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2025-01-04
~ gpg --fingerprint Qubes
pub rsa4096/0xE022E58F8E34D89F 2022-10-04 [SC]
Key fingerprint = 9C88 4DF3 F810 64A5 69A4 A9FA E022 E58F 8E34 D89F
uid [ unknown] Qubes OS Release 4.2 Signing Key
Any help will be appreciated.
Thank you.