I downloaded the torrent using this link on the Downloads page which contained 3 files:
Qubes-R4.0.4-x86_64.iso
Qubes-R4.0.4-x86_64.iso.asc
Qubes-R4.0.4-x86_64.iso.DIGESTS
I then proceeded to verify the download following the Verifying Signatures guide; the following are the steps taken and the output:
❯ gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc'
gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
❯ gpg --keyserver-options no-self-sigs-only,no-import-clean --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
gpg: key DDFA1A3E36879494: 73 signatures not checked due to missing keys
gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" 73 new signatures
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg: new signatures: 73
❯ gpg --edit-key 427F11FD0FAA4B080123F01CDDFA1A3E36879494
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/DDFA1A3E36879494
created: 2010-04-01 expires: never usage: SC
trust: unknown validity: unknown
[ unknown] (1). Qubes Master Signing Key
gpg> fpr
pub rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
Primary key fingerprint: 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
gpg> trust
pub rsa4096/DDFA1A3E36879494
created: 2010-04-01 expires: never usage: SC
trust: unknown validity: unknown
[ unknown] (1). Qubes Master Signing Key
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub rsa4096/DDFA1A3E36879494
created: 2010-04-01 expires: never usage: SC
trust: ultimate validity: unknown
[ unknown] (1). Qubes Master Signing Key
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> q
❯ gpg -k "Qubes Master Signing Key"
pub rsa4096 2010-04-01 [SC]
427F11FD0FAA4B080123F01CDDFA1A3E36879494
uid [ultimate] Qubes Master Signing Key
❯ gpg --keyserver-options no-self-sigs-only,no-import-clean --fetch-keys https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc
gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc'
gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 2 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
❯ gpg --check-signatures "Qubes OS Release 4 Signing Key"
pub rsa4096 2017-03-06 [SC]
5817A43B283DE5A9181A522E1848792F9E2795E9
uid [ full ] Qubes OS Release 4 Signing Key
sig!3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key
sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key
gpg: 2 good signatures
❯ gpg -k "Qubes OS Release"
pub rsa4096 2017-03-06 [SC]
5817A43B283DE5A9181A522E1848792F9E2795E9
uid [ full ] Qubes OS Release 4 Signing Key
❯ ls
Qubes-R4.0.4-x86_64.iso Qubes-R4.0.4-x86_64.iso.asc Qubes-R4.0.4-x86_64.iso.DIGESTS
❯ gpg -v --verify Qubes-R4.0.4-x86_64.iso.DIGESTS
gpg: armor header: Hash: SHA256
gpg: original file name=''
gpg: Signature made Thu 04 Mar 2021 07:41:18 PM IST
gpg: using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: using pgp trust model
gpg: Good signature from "Qubes OS Release 4 Signing Key" [full]
gpg: textmode signature, digest algorithm SHA256, key algorithm rsa4096
❯ gpg -v --verify Qubes-R4.0.4-x86_64.iso.asc Qubes-R4.0.4-x86_64.iso
gpg: Signature made Thu 04 Mar 2021 07:39:55 PM IST
gpg: using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: using pgp trust model
gpg: BAD signature from "Qubes OS Release 4 Signing Key" [full]
gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096
❯
❯ sha256sum -c Qubes-R4.0.4-x86_64.iso.DIGESTS
Qubes-R4.0.4-x86_64.iso: FAILED
sha256sum: WARNING: 23 lines are improperly formatted
sha256sum: WARNING: 1 computed checksum did NOT match
❯ openssl dgst -sha256 Qubes-R4.0.4-x86_64.iso
SHA256(Qubes-R4.0.4-x86_64.iso)= 494670d745c57dc27ab836c9ac64f5f2f8d07db14c2c475132ec6f0406b3aabb
❯ head Qubes-R4.0.4-x86_64.iso.DIGESTS
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
5e37ed0f81e4babc0df322ec19f9d5b4 *Qubes-R4.0.4-x86_64.iso
d6ebe7f8f70d0714a1d36207a6363339abbd3bc0 *Qubes-R4.0.4-x86_64.iso
1d05dbd247d6ea5588879570b74cfb1f8df97e135dbec8714924cc03e8d137b9 *Qubes-R4.0.4-x86_64.iso
6cf020c15636805f63b6c33565bbe155be1b1ad85d67759d674540d07328efa339ff0c35cb3d549d09468f280fe42a160f2c03820212571d02f47b34eb0791f5 *Qubes-R4.0.4-x86_64.iso
-----BEGIN PGP SIGNATURE-----
The DIGESTS signature is valid, but the hashes in it do not match the ISO hashes. This is concerning.
I don't think I did anything wrong, but I am happy to be corrected.
Thank you for reading.
EDIT: Normal download hash matches and DIGESTS verifies correctly.
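The `sha256sum -c` warnings in the post come from the DIGESTS file carrying md5, sha1, sha256 and sha512 lines inside PGP armor, so only one of its lines is in sha256sum's format; this added Python example (not from the post or the Qubes project) parses that layout, picks each line's algorithm by digest length, and reports a per-algorithm match, with a constructed payload standing in for the ISO. It assumes the clear-signature has already been checked with `gpg --verify` as in the post, since matching hashes mean nothing if the signature over them is not good.

```python
import hashlib
import re

# A DIGESTS file carries one line per algorithm; pick the algorithm by hex length.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
# "<hex> *<filename>" (the binary-mode '*' marker is optional in coreutils format)
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S.*)$")

def parse_digests(text):
    """Return (algorithm, expected_hex, filename) for every digest line in the clear-signed body."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNATURE-----":
            break  # everything after this is the armored signature, not digests
        m = LINE_RE.match(line)
        if not m:
            continue  # armor header, "Hash:" line, or blank line
        hexdigest, name = m.groups()
        algo = ALGO_BY_HEXLEN.get(len(hexdigest))
        if algo is None:
            continue  # digest size we do not recognise
        entries.append((algo, hexdigest.lower(), name))
    return entries

def check_file(data, filename, digests_text):
    """Map each algorithm listed for filename to True (match) or False (mismatch)."""
    results = {}
    for algo, expected, name in parse_digests(digests_text):
        if name == filename:
            results[algo] = hashlib.new(algo, data).hexdigest() == expected
    return results

def build_digests(data, filename):
    """Constructed, unsigned DIGESTS-style body used as sample input (real files are PGP clear-signed)."""
    lines = ["-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA256", ""]
    for algo in ("md5", "sha1", "sha256", "sha512"):
        lines.append(f"{hashlib.new(algo, data).hexdigest()} *{filename}")
    lines += ["", "-----BEGIN PGP SIGNATURE-----", "(armored signature omitted)", "-----END PGP SIGNATURE-----"]
    return "\n".join(lines)

# Constructed sample input: a stand-in payload and a copy with one byte corrupted,
# which is what a damaged torrent download looks like to the checker.
ISO_NAME = "Qubes-R4.0.4-x86_64.iso"
GOOD_ISO = b"constructed sample payload standing in for the ISO\n"
CORRUPT_ISO = GOOD_ISO[:-1] + b"?"
DIGESTS = build_digests(GOOD_ISO, ISO_NAME)
```

Run `check_file(open("Qubes-R4.0.4-x86_64.iso", "rb").read(), ISO_NAME, open("Qubes-R4.0.4-x86_64.iso.DIGESTS").read())` against a real download to get all four verdicts at once instead of sha256sum's single line plus warnings.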