[qubes-users] Where do I verify the gpg key? Do the docs need updating?


I'm trying to verify the key I downloaded from the Qubes Download page https://www.qubes-os.org/downloads/. According to the documentation on Verifying Signatures https://www.qubes-os.org/security/verifying-signatures/, it looks like there may be a discrepancy between the two.

The site says the key is:

and I have the following:

 ~  which gpg
 ~  ls -al /usr/bin/gpg
-rwxr-xr-x 1 root root 1151616 Nov 28 14:24 /usr/bin/gpg
 ~  ls -al /usr/bin/gpg2
lrwxrwxrwx 1 root root 3 Nov 28 14:24 /usr/bin/gpg2 -> gpg
 ~  gpg --import ~/Downloads/ISOs/qubes-release-4.2-signing-key.asc
gpg: key 0xE022E58F8E34D89F: 1 signature not checked due to a missing key
gpg: key 0xE022E58F8E34D89F: public key "Qubes OS Release 4.2 Signing Key" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2025-01-04
 ~  gpg --fingerprint Qubes
pub rsa4096/0xE022E58F8E34D89F 2022-10-04 [SC]
Key fingerprint = 9C88 4DF3 F810 64A5 69A4 A9FA E022 E58F 8E34 D89F
uid [ unknown] Qubes OS Release 4.2 Signing Key

Any help will be appreciated.

Thank you.

You downloaded only the Qubes 4.2 release signing key (RSK), not the Qubes Master Signing Key (QMSK). Please carefully read and follow this section:
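
Added example, not part of the thread or of the Qubes documentation: a Python check over `gpg --with-colons --check-sigs` output that separates the state shown in the first post (a certification on the RSK whose signer key is missing) from a verified certification by the master key. The colon records and the QMSK fingerprint below are constructed placeholders, and the field positions are taken from GnuPG's doc/DETAILS.

```python
RSK_FPR = "9C884DF3F81064A569A4A9FAE022E58F8E34D89F"  # fingerprint shown in the post
QMSK_FPR = "A" * 40  # PLACEHOLDER, not the real QMSK fingerprint

# Constructed `sig` records in the --with-colons layout.
# Field 2 = check result, field 5 = signer key ID, field 13 = signer fingerprint.
SELF_SIG = f"sig:!::1:{RSK_FPR[-16:]}:1664841600::::Qubes OS Release 4.2 Signing Key:13x::{RSK_FPR}:::8:"
QMSK_SIG = "sig:{v}::1:{kid}:1664841600::::{uid}:10x::{fpr}:::8:"

# Only the RSK imported: the master key's certification cannot be checked.
BEFORE = "\n".join([SELF_SIG, QMSK_SIG.format(
    v="?", kid=QMSK_FPR[-16:], uid="[User ID not found]", fpr=QMSK_FPR)])
# Master key also imported: the same certification now verifies.
AFTER = "\n".join([SELF_SIG, QMSK_SIG.format(
    v="!", kid=QMSK_FPR[-16:], uid="Qubes Master Signing Key", fpr=QMSK_FPR)])

STATES = {"!": "good", "-": "bad", "?": "missing-key", "%": "error"}


def certification_status(colons: str, signer_fpr: str) -> str:
    """Classify signer_fpr's certification on the listed key.

    Returns 'good', 'bad', 'missing-key', 'error', 'unchecked'
    (no --check-sigs result present) or 'absent' (no such signature).
    """
    result = "absent"
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] != "sig" or len(f) < 5:
            continue
        issuer_fpr = f[12] if len(f) > 12 else ""
        # Prefer the full issuer fingerprint; fall back to the 64-bit key ID.
        if issuer_fpr:
            matches = issuer_fpr.upper() == signer_fpr.upper()
        else:
            matches = f[4].upper() == signer_fpr[-16:].upper()
        if not matches:
            continue
        status = STATES.get(f[1], "unchecked")
        if status == "good":
            return "good"
        result = status
    return result


if __name__ == "__main__":
    print("RSK only:      ", certification_status(BEFORE, QMSK_FPR))
    print("RSK and QMSK:  ", certification_status(AFTER, QMSK_FPR))
```

A `good` result only shows that the certification was made by the key whose fingerprint was passed in, so that fingerprint itself has to come from a source other than the download being verified.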