Signing keys

so I’ve tried various iterations, why not give an example?

$ gpg2 --keyserver-options no-self-sigs-only,no-import-clean --fetch-keys https://keys.qubes-os.org/keys/qubes-release-X-signing-key.asc

for X everything just says “no data retreived”, I’m aware I can get it on the d/l’s site but …

https://www.qubes-os.org/security/verifying-signatures/

  1. " Every Qubes OS release is signed by a release signing key (RSK) , which is in turn signed by the Qubes Master Signing Key (QMSK)."

…however, I’m noticing from the d/l’s page the 4.1rc1 key is the same as the 4.0.4 release key? is that right?

  1. lastly , this is also failing
gpg2 --check-signatures "Qubes OS Release X Signing Key"

replacing X with 4.0.1-rc1 and/or using the actual .asc also saying “no public key”

despite having imported it successfully enough, again if there were an example of the commands at the top of the wiki, as there is for template updates etc, sure might help

seems ```
gpg2 --check-signatures “Qubes OS Release 4 Signing Key”

was the solution

We’ve tried example commands before. The problem is that people will just copy/paste them without changing the “4” (when what they need is a different number) and complain that they don’t work. This means we have to go through and update every example in the documentation every time a version number changes. Unfortunately we don’t have enough documentation editors to feasibly do this.

However, I’ll try adding some more text to make it clearer for those who aren’t familiar with the term “major version number.”

Or, you can automatically take this number from the main page, where it says “Download & Install Version X.yz”

Unfortunately, it’s not that simple. The number in that button is edited/updated manually. In order for this to be automatic, we would have to declare some kind of global variable, then reference that variable everywhere we wanted the release number to be updated automatically. We could do that, but then the source would be much harder to read (and unintelligible for readers who don’t know where to look up the value of the variable), and most doc authors/editors wouldn’t know to use the variable, so we’d have an inconsistent mix of hardcoded release values and variables.

1 Like