Signature verification issues with qvm-template

$ qvm-template install qubes-template-whonix-gw-16-4.0.6-202211291224.noarch.rpm
ERROR: Signature verification failed: -: digests SIGNATURES NOT OK
$ qvm-template install qubes-template-whonix-ws-16-4.0.6-202211291224.noarch.rpm
ERROR: Signature verification failed: -: digests SIGNATURES NOT OK

$ sha256sum *who*rpm
4624e02437bdf8168dcb43b551207c6f840dd6cc3f5388622c4d6927b34e9591  qubes-template-whonix-gw-16-4.0.6-202211291224.noarch.rpm
2fc47e7aa1d90d2959d1f7c4264a2d8017ee0e00eff4d699576578b0f913d6af  qubes-template-whonix-ws-16-4.0.6-202211291224.noarch.rpm

dnf / rpm will install the packages, but then these commands fail:

sudo qubesctl state.sls qvm.anon-whonix
sudo qubesctl state.sls qvm.whonix-ws-dvm

I need to use local packages to install (in the case of slow internet connections) so installing with a download isn’t practical.

Strangely, if I reboot after installing the RPMs and then run the salt commands it builds a working dvm config as expected.

For templates downloaded manually from the community[-testing] repo, use:

$ qvm-template --keyring=/etc/qubes/repo-templates/keys/RPM-GPG-KEY-qubes-4.1-templates-community install ...
1 Like

Thanks for solution, is there anywhere I can submit a pull request to the docs?

1 Like

Hmm I don’t see any user facing qvm-template documentation on the website, but the install section of its manpage looks like a good place to mention this gotcha.

There’s also an error in the manpage, since it suggests that
--keyring is used to specify the directory containing keys, whereas it
is actually used to specify the key to be used.