Signing keys

so I’ve tried various iterations, why not give an example?

$ gpg2 --keyserver-options no-self-sigs-only,no-import-clean --fetch-keys https://keys.qubes-os.org/keys/qubes-release-X-signing-key.asc

for X everything just says “no data retreived”, I’m aware I can get it on the d/l’s site but …

https://www.qubes-os.org/security/verifying-signatures/

  1. "Every Qubes OS release is signed by a release signing key (RSK), which is in turn signed by the Qubes Master Signing Key (QMSK)."

…however, I’m noticing from the d/l’s page the 4.1rc1 key is the same as the 4.0.4 release key? is that right?

  1. lastly, this is also failing
```
gpg2 --check-signatures "Qubes OS Release X Signing Key"
```

replacing X with 4.0.1-rc1 and/or using the actual .asc also saying “no public key”

despite having imported it successfully enough, again if there were an example of the commands at the top of the wiki, as there is for template updates etc, sure might help

seems
```
gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
```
was the solution

We’ve tried example commands before. The problem is that people will just copy/paste them without changing the “4” (when what they need is a different number) and complain that they don’t work. This means we have to go through and update every example in the documentation every time a version number changes. Unfortunately we don’t have enough documentation editors to feasibly do this.

However, I’ll try adding some more text to make it clearer for those who aren’t familiar with the term “major version number.”

Or, you can automatically take this number from the main page, where it says “Download & Install Version X.yz”

Unfortunately, it’s not that simple. The number in that button is edited/updated manually. In order for this to be automatic, we would have to declare some kind of global variable, then reference that variable everywhere we wanted the release number to be updated automatically. We could do that, but then the source would be much harder to read (and unintelligible for readers who don’t know where to look up the value of the variable), and most doc authors/editors wouldn’t know to use the variable, so we’d have an inconsistent mix of hardcoded release values and variables.

```
gpg2 --keyserver-options no-self-sigs-only,no-import-clean --fetch-keys https://keys.qubes-os.org/keys/qubes-release-X-signing-key.asc
gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-release-X-signing-key.asc'
gpg: WARNING: unable to fetch URI https://keys.qubes-os.org/keys/qubes-release-X-signing-key.asc: No data
```

From Verifying signatures | Qubes OS

Well, I see that I need to change X, after registering here and starting to read.
Can't a new solution be made? Like pasting a list of examples for each version, if not even a script offering which version to sign and check? Can't the same signer be used for all versions?

Where do I see the correct URL? This needs to be added.
https://keys.qubes-os.org/keys/

How do I edit the line to match the correct URL?

Ah, only 4. Can X be made a different color, so one sees to change it in the link in the FAQ?

And now a good signature, but no proof that it's the real owner's signature.


gpg2 -v --verify Qubes-R4.1.0-rc2-x86_64.iso.DIGESTS
gpg: armor header: Hash: SHA256
gpg: original file name=''
gpg: Signature made Mon 15 Nov 2021 05:29:59 AM UTC
gpg:                using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: using pgp trust model
gpg: Good signature from "Qubes OS Release 4 Signing Key" [unknown]
**gpg: WARNING: This key is not certified with a trusted signature!**
**gpg:          There is no indication that the signature belongs to the owner.**
Primary key fingerprint: 5817 A43B 283D E5A9 181A  522E 1848 792F 9E27 95E9
gpg: textmode signature, digest algorithm SHA256, key algorithm rsa4096
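
The "X" in the URL and key name quoted in this thread is the major version number, which is the same for 4.0.4, 4.1rc1 and R4.1.0-rc2. The shell functions below are an added example, not part of any post here or of the Qubes documentation; the function names are hypothetical, the URL pattern and key name are copied from the commands in the thread, and that other major versions follow the same pattern is an assumption.

```shell
# Added example: map a Qubes release string or ISO file name to the
# release signing key (RSK) URL and key name used in this thread.
# Function names are hypothetical; only major version 4 is confirmed here.

# Print the major version ("4" for 4.0.4, 4.1rc1, Qubes-R4.1.0-rc2-x86_64.iso).
qubes_major_version() {
    qmv_v=${1##*/}                  # drop any directory part
    qmv_v=${qmv_v#Qubes-}           # drop the ISO file name prefix
    qmv_v=${qmv_v#[Rr]}             # drop the "R" of "R4.1.0"
    qmv_major=${qmv_v%%[!0-9]*}     # keep only the leading digits
    if [ -z "$qmv_major" ]; then
        # Catches the literal placeholder "X" pasted from the docs.
        echo "no major version number found in '$1'" >&2
        return 1
    fi
    printf '%s\n' "$qmv_major"
}

# Print the RSK download URL for a release string or ISO file name.
qubes_rsk_url() {
    qru_m=$(qubes_major_version "$1") || return 1
    printf 'https://keys.qubes-os.org/keys/qubes-release-%s-signing-key.asc\n' "$qru_m"
}

# Print the key name to pass to gpg2 --check-signatures.
qubes_rsk_uid() {
    qru_m=$(qubes_major_version "$1") || return 1
    printf 'Qubes OS Release %s Signing Key\n' "$qru_m"
}

# Usage with the commands from the thread (needs gpg2 and network access,
# so shown as comments):
#   iso=Qubes-R4.1.0-rc2-x86_64.iso
#   gpg2 --keyserver-options no-self-sigs-only,no-import-clean \
#        --fetch-keys "$(qubes_rsk_url "$iso")"
#   gpg2 --check-signatures "$(qubes_rsk_uid "$iso")"
```
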