Following my message on the list (which can be found here too), if you have any issue installing the Qubes R4.1 alpha release, we encourage you to test the weekly builds for Qubes R4.1 in development: Index of /qubes/iso/.
The ISOs are signed by “fepitre-bot” 1C8714D640F30457EC953050656946BA873DDEC1. Some of you already download the latest R4.1 devel ISOs from openQA, but they are not necessarily signed and are not built in a safe environment because they are only for CI purposes. Please note that I’ve added build logs, and those ISOs are tested in openQA too.
I think you can use the Qubes issue tracker: Issues · QubesOS/qubes-issues · GitHub. In the standard way, describe the issue and specify the exact timestamp of the ISO you used, e.g. 20210522.
@fepitre I opened an issue on the Heads side with the goal of potentially including the QubesOS 4.1 fepitre-bot public distro signing key among the distro signing keys supported by Heads here.
As you might know, Heads permits verifying an ISO when an accompanying detached ISO signature is provided alongside, as long as Heads has the corresponding distro signing public key fused inside of the ROM.
Here, whether under debian-10 or Heads, importing the fepitre-bot distro public signing key results in:
user@x230-master:~/heads$ gpg --import initrd/etc/distro/keys/qubes-testing.key
gpg: key 656946BA873DDEC1: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
Consequently, I cannot distribute keys.openpgp.org under Heads to facilitate QubesOS ISO testing.
Not the end of the world. Heads users can still gpg --detach-sign with their own keypair and validate the detached signature produced against their public key fused inside of the ROM, but the whole concept of being able to import the public distro key of fepitre-bot to validate detached signatures of ISOs seems not to work correctly here.
Advice? Possibility of renewing that public distro-key with a valid user ID?
That seems to be a common problem. Would you by chance be using the openpgp.org keyserver? You may want to use e.g. the Ubuntu keyserver instead (I would be happy to learn that other ones are working as we expect).
As pointed out by HW42 here, the public key downloaded from here permits verifying the ISO prior to booting the installer successfully (whereas the key downloaded from keys.openpgp.org is not importable). Might want to document where to download the public key in the OP here.
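As an added example (not part of the original posts, and not Heads or Qubes code): a POSIX shell script that checks an ISO's detached signature in a throwaway keyring, pins the fepitre-bot fingerprint quoted in the first post, and reports the "no user ID" import failure shown above. The function names and the three file arguments (key file, signature file, ISO) are assumptions.

```shell
#!/bin/sh
# Added example: verify an ISO's detached signature against a pinned fingerprint.
EXPECTED_FPR=1C8714D640F30457EC953050656946BA873DDEC1  # fepitre-bot, as quoted in the thread

# Succeeds if gpg's import output (on stdin) reports the "no user ID" skip.
import_skipped_no_uid() {
    grep -q 'contains no user ID - skipped'
}

# Prints the primary-key fingerprint from a "[GNUPG:] VALIDSIG ..." status line
# on stdin (it is the last field); prints nothing if no such line exists.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# verify_iso KEYFILE SIGFILE ISOFILE (hypothetical helper)
# Returns 0 only if the signature is valid and was made by a key whose
# primary fingerprint equals EXPECTED_FPR.
verify_iso() {
    home=$(mktemp -d) || return 2          # throwaway keyring, mode 0700
    out=$(gpg --homedir "$home" --batch --import "$1" 2>&1)
    if printf '%s\n' "$out" | import_skipped_no_uid; then
        echo "key file carries no user ID; obtain the key from another source" >&2
        rm -rf "$home"
        return 3
    fi
    status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null)
    rm -rf "$home"
    signer=$(printf '%s\n' "$status" | validsig_primary_fpr)
    [ "$signer" = "$EXPECTED_FPR" ]
}

# Run only when called with three file arguments.
if [ "$#" -eq 3 ]; then
    verify_iso "$1" "$2" "$3" && echo "OK: signed by $EXPECTED_FPR"
fi
```

Comparing the full 40-character fingerprint from the VALIDSIG status line avoids relying on a short key ID or on which keys happen to be in the user's default keyring.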
Is it normal for a download that says it’s 5.1 GB to show up as 5.4 GB after it’s downloaded? This has me curious. It happens with me frequently. Might be worth looking into, might be paranoia. Anyone wanna take a guess?