RSK 4.2 not signed properly?

When I ran gpg2 --check-signatures on the Qubes 4.2 RSK (which seems to be the same at both GitHub and the Qubes Keyserver), I only saw one signature (which seems like the key signing itself), and I don’t see any mention of the QMSK. Does anyone have a version of the RSK 4.2 that was signed by the QMSK? Or how else am I supposed to trust the RSK (without implicitly trusting the infrastructure)?

I already looked at Qubes release signing key not working but I don’t think the issue is the hash algorithm.

The 4.2 RSK is properly signed by the QMSK. It sounds like you might have missed a step. Are you sure you imported both the QMSK and the RSK into your keyring?

Can you share your exact terminal input and output? That’ll make it easy to spot the problem.


Terminal export can be found at cl1p.net - The internet clipboard
Note that I also tried importing the key from the Qubes Keyserver (linked in OP), but that didn’t work either.

That’s strange. I’m not sure why it’s not working for you, but I just tested the instructions from the documentation in a fresh disposable, and it still works for me as expected:

user@disp3088:~$ gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc'
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key DDFA1A3E36879494: public key "Qubes Master Signing Key" imported
gpg: Total number processed: 1
gpg:               imported: 1
user@disp3088:~$ gpg --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa4096/DDFA1A3E36879494
     created: 2010-04-01  expires: never       usage: SC  
     trust: unknown       validity: unknown
[ unknown] (1). Qubes Master Signing Key

gpg> fpr
pub   rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
 Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

gpg> trust
pub  rsa4096/DDFA1A3E36879494
     created: 2010-04-01  expires: never       usage: SC  
     trust: unknown       validity: unknown
[ unknown] (1). Qubes Master Signing Key

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  rsa4096/DDFA1A3E36879494
     created: 2010-04-01  expires: never       usage: SC  
     trust: ultimate      validity: unknown
[ unknown] (1). Qubes Master Signing Key
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> q
user@disp3088:~$ gpg --keyserver-options no-self-sigs-only,no-import-clean --fetch-keys https://keys.qubes-os.org/keys/qubes-release-4.2-signing-key.asc
gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-release-4.2-signing-key.asc'
gpg: key E022E58F8E34D89F: public key "Qubes OS Release 4.2 Signing Key" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
user@disp3088:~$ gpg --check-signatures "Qubes OS Release 4.2 Signing Key"
pub   rsa4096 2022-10-04 [SC]
      9C884DF3F81064A569A4A9FAE022E58F8E34D89F
uid           [  full  ] Qubes OS Release 4.2 Signing Key
sig!3        E022E58F8E34D89F 2022-10-04  Qubes OS Release 4.2 Signing Key
sig!         DDFA1A3E36879494 2023-06-03  Qubes Master Signing Key

gpg: 2 good signatures
user@disp3088:~$ gpg -v --verify Qubes-R4.2.0-x86_64.iso.DIGESTS 
gpg: armor header: Hash: SHA256
gpg: original file name=''
gpg: Signature made Sun 17 Dec 2023 10:35:48 AM PST
gpg:                using RSA key 9C884DF3F81064A569A4A9FAE022E58F8E34D89F
gpg: using pgp trust model
gpg: Good signature from "Qubes OS Release 4.2 Signing Key" [full]
gpg: textmode signature, digest algorithm SHA256, key algorithm rsa4096

Maybe you need the no-self-sigs-only part?

Yup, that’s exactly what I needed. Which means this thread is now a request to include the QMSK signature inside the version that gets stored in dom0 (unless this is already the case in 4.2).
Does anyone who already has 4.2 know if release keys stored in dom0:/etc/pki/rpm-gpg/ are signed by QMSK?

What was “exactly what I needed”? no-self-sigs-only? That’s included in the docs.
Your key had trust unknown.
Following the doc, you get key with Full trust?

I don’t follow the logic of your request.

He is saying that the keyfile RPM-GPG-KEY-qubes-4.2-primary, which is already in dom0, does not have the QMSK’s signature. I have just tested this (on 4.1), and it seems to be true. Even if you import it with --keyserver-options no-self-sigs-only,no-import-clean, there is still no signature from the QMSK on the 4.2 RSK.

@Narvey, please open a bug report for this.

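The check this thread converges on, both for the documented import path above and for the dom0 keyfile finding in the previous post, is whether the RSK carries a good certification from the QMSK rather than only its self-signature. As an added example (not from the thread or the Qubes project), the script below makes that decision from `gpg --with-colons --check-sigs` output; the records fed to it are constructed stand-ins for the real output, and the key ID and fingerprint are the ones shown in the session above.

```bash
#!/bin/bash
# Added example, not from the thread: decide whether a release signing key (RSK)
# carries a good certification from the Qubes Master Signing Key (QMSK) or only
# its own self-signature, by parsing `gpg --with-colons --check-sigs` output.
# Key ID / fingerprint are the ones shown in the thread.
QMSK_KEYID="DDFA1A3E36879494"
RSK_FPR="9C884DF3F81064A569A4A9FAE022E58F8E34D89F"

# rsk_signed_by_qmsk FPR SIGNER_KEYID  < colon-output
# Looks at the key whose fpr record matches FPR and succeeds (prints "ok",
# exit 0) only if a sig record from SIGNER_KEYID has validity "!" (good).
# Anything else, including the self-signature alone, prints "missing", exit 1.
rsk_signed_by_qmsk() {
  awk -F: -v fpr="$1" -v signer="$2" '
    $1 == "pub" { in_key = 0 }                 # a new key block starts
    $1 == "fpr" && $10 == fpr { in_key = 1 }   # field 10 of fpr = fingerprint
    in_key && $1 == "sig" && $5 == signer && $2 == "!" { found = 1 }
    END { if (found) { print "ok"; exit 0 } print "missing"; exit 1 }'
}

# Constructed records in --with-colons layout (only the fields the parser reads
# are meaningful). First: what the documented import path yields.
SIGNED_SAMPLE='pub:f:4096:1:E022E58F8E34D89F:1664841600:::-:::scESC::::::23::0:
fpr:::::::::9C884DF3F81064A569A4A9FAE022E58F8E34D89F:
uid:f::::1664841600::0000000000000000000000000000000000000000::Qubes OS Release 4.2 Signing Key::::::::::0:
sig:!::1:E022E58F8E34D89F:1664841600::::Qubes OS Release 4.2 Signing Key:13x:::::2:
sig:!::1:DDFA1A3E36879494:1685750400::::Qubes Master Signing Key:10x:::::2:'

# Second: what the thread reports for the copy shipped in dom0 (self-sig only).
SELF_ONLY_SAMPLE='pub:-:4096:1:E022E58F8E34D89F:1664841600:::-:::scESC::::::23::0:
fpr:::::::::9C884DF3F81064A569A4A9FAE022E58F8E34D89F:
uid:-::::1664841600::0000000000000000000000000000000000000000::Qubes OS Release 4.2 Signing Key::::::::::0:
sig:!::1:E022E58F8E34D89F:1664841600::::Qubes OS Release 4.2 Signing Key:13x:::::2:'

for sample in "$SIGNED_SAMPLE" "$SELF_ONLY_SAMPLE"; do
  if printf '%s\n' "$sample" | rsk_signed_by_qmsk "$RSK_FPR" "$QMSK_KEYID"; then
    echo "  -> RSK is certified by the QMSK; trust can flow from the QMSK"
  else
    echo "  -> only the self-signature is present; verify the fingerprint out of band"
  fi
done
```

On a real system the input comes from `gpg --with-colons --check-sigs "$RSK_FPR"`; the QMSK must already be in the keyring, otherwise its signature shows validity `?` and is correctly reported as missing.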

OK, Release signing keys not signed by QMSK · Issue #9044 · QubesOS/qubes-issues · GitHub
