Hello. I did an import from the sec pack and I don’t know what I did wrong… But why do I get this now? Two masterkeys with different dates?
There should only be one right? One date?
gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
pub rsa4096 2017-03-06 [SC]
5817A43B283DE5A9181A522E1848792F9E2795E9
uid [ full ] Qubes OS Release 4 Signing Key
sig!3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key
sig! DDFA1A3E36879494 2021-11-29 Qubes Master Signing Key ???
sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key
Why is that? One masterkey should exist, not two dates… Is one fake, or do I just lack the knowledge on how this works… Thanks.
Also, how do I delete all keys… I must try importing again… This looks weird… I added the question marks after the bold date… Why two different dates?
Edit… this link is the third masterkey then, so I updated my topic.
Date: pub rsa4096/DDFA1A3E36879494 created: 2010-04-01 expires: never usage: SC
trust: unknown validity: unknown [ unknown] (1). Qubes Master Signing Key
Three dates… This is very weird… Explain. Is someone spoofing keys? What’s the original date in Qubes masterkeys? One should exist, not three, am I right?
Also, the 2017 version link is relevant…
edit2:
Another thing!!! When I check the key it first says it’s from 2010. Then when I check the Qubes OS signing key and import it, I get another date!! WHY?!!
$ gpg2 --list-sigs "Qubes OS Release 4 Signing Key"
pub rsa4096 2017-03-06 [SC]
5817A43B283DE5A9181A522E1848792F9E2795E9
uid [ full ] Qubes OS Release 4 Signing Key
sig 3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key
sig DDFA1A3E36879494 2021-11-29 Qubes Master Signing Key (why not 2010, or 2017-03-08? They existed “forever” right? Just use the one from 2010 then…)
It changed from 2010 to the suspicious date 2021-11-29…
What is going on here? The devs should be using the 2010 key, of course… right?
Or the 2017-03-08 masterkey version and the 2017-03-06 Qubes OS Release 4 Signing Key version…
Yeah, I need to learn PGP… gpg and so on…
gpg2 -k "Qubes Master Signing Key"
pub rsa4096 2010-04-01 [SC]
427F11FD0FAA4B080123F01CDDFA1A3E36879494
uid [ultimate] Qubes Master Signing Key
The last bit says it’s from 2010… Yeah, I bet I’m just ignorant. They are probably real, the same key, and safe. I just thought it’s possible to spoof keys. And the date would change then, right… Can someone just explain the dates?