Three masterkeys and different dates? Why?

Hello. I did import from sec pack and I don't know what I did wrong… But why do I get this now? Two master keys with different dates?
There should only be one, right? One date?

gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
pub rsa4096 2017-03-06 [SC]
5817A43B283DE5A9181A522E1848792F9E2795E9
uid [ full ] Qubes OS Release 4 Signing Key
sig!3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key
sig! DDFA1A3E36879494 2021-11-29 Qubes Master Signing Key ???
sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key

Why is that? One master key should exist, not two dates… Is one fake, or do I just lack the knowledge on how this works… thanks

Also, how do I delete all keys… I must try importing again… This looks weird… I added the question marks after the bold date… Why two different dates?

Edit… this link is the third master key then, so I updated my topic.

Date: pub rsa4096/DDFA1A3E36879494 created: 2010-04-01 expires: never usage: SC
trust: unknown validity: unknown [ unknown] (1). Qubes Master Signing Key

Three dates… This is very weird… Explain. Is someone spoofing keys? What's the original date of the Qubes master key? One should exist, not three, am I right?

Also the 2017 version link is relevant…

Edit 2:
Another thing!!! When I check the key it first says it's from 2010. Then when I check the Qubes OS signing key and import it I get another date!! WHY?!!

$ gpg2 --list-sigs "Qubes OS Release 4 Signing Key"
pub rsa4096 2017-03-06 [SC]
5817A43B283DE5A9181A522E1848792F9E2795E9
uid [ full ] Qubes OS Release 4 Signing Key
sig 3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key
sig DDFA1A3E36879494 2021-11-29 Qubes Master Signing Key (why not 2010, or 2017-03-08? They existed "forever", right? Just use the one from 2010 then…)

It changed from 2010 to the suspicious date 2021-11-29…
What is going on here? The devs should be using the 2010 key of course… right?
Or the 2017-03-08 master key version and the 2017-03-06 Qubes OS Release 4 Signing Key version…
Yeah, I need to learn PGP… GPG and so on…

gpg2 -k "Qubes Master Signing Key"
pub rsa4096 2010-04-01 [SC]
427F11FD0FAA4B080123F01CDDFA1A3E36879494
uid [ultimate] Qubes Master Signing Key

The last bit says it's from 2010… Yeah, I bet I'm just ignorant. They are probably real, the same key, and safe. I just thought it's possible to spoof keys. And the date would change then, right… Can someone just explain the dates?

Please provide the exact, complete, and unaltered commands you’re entering and the exact, complete, and unaltered output you’re receiving. Use the “preformatted text” editing option here on the forum to ensure the text is rendered exactly as it appears in your terminal.

Most likely, the 2021-11-29 signature is from when we recently re-signed our PGP keys with better hash functions:

In general, the date of the signature does not matter as long as (1) the signature is valid, (2) the signing key is authentic, and (3) the signing key has not expired.

Similarly, having additional signatures on a key is not a problem as long as the same three conditions hold for all the signatures you care about. (Remember that anyone can create a key, name it whatever they like, and use it to sign any other public key in their possession.)


Thanks for the answer! What about the other dates then? So others can't spoof or generate the same signature as the Qubes team have, or spoof the keys then? So people should not care about the dates then?
Yeah, I guess I can trust the keys. 🙂 Trust issues, I assume, hehe
But if others recommend Qubes I trust that. Even Edward Snowden recommended it, I read online, so yeah, I just asked… Got to be skeptical of everything, I guess. Peace

Depends on which ones you’re referring to. Probably just the key generation date and its own self-signature on the same date, which are totally normal and expected.

Depends on how you define “spoof.” They can create a new key and name it “Qubes Master Signing Key,” but it will not have the same fingerprint as the genuine QMSK.

I refer you to my previous post:

This applies for something like authenticating a Qubes Release Signing Key, where you don’t really care when the RSK was signed, just that it is, in fact, validly signed.

Nonetheless, it would make sense to be suspicious if the date made no sense – for example, if the signing date was one month before the RSK was supposedly created. You should ask questions in such a case. But here we’ve just been discussing more ordinary cases.

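The three conditions from the two replies above (the signature verifies, the signer is the genuine key by fingerprint rather than by name, the signer has not expired), plus the "date makes no sense" case of a signature older than the key it certifies, as a checker run over a constructed `gpg --with-colons --check-signatures` listing. This is an added example, not the Qubes project's own code; the colon-field layout it assumes is stated in the comments, the two Qubes key IDs, fingerprints and dates are the ones quoted in this thread, and the spoofed "Qubes Master Signing Key" in the sample is invented.

```python
from datetime import datetime, timezone
# Constructed sample in the style of `gpg --with-colons --check-signatures` (not real gpg output).
# Assumed layout: field 1 record type, 2 status ("!" = good), 5 long key ID, 6 creation date
# (epoch seconds), 7 expiry, 10 user ID; "fpr" records carry the fingerprint in field 10.
# The two Qubes keys use the IDs, fingerprints and dates quoted in the thread; the last "sig"
# is a constructed spoof: a key named like the QMSK but with a different fingerprint, dated 2014.
SAMPLE = """\
pub:u:4096:1:DDFA1A3E36879494:1270080000::u::::::::::::
fpr:::::::::427F11FD0FAA4B080123F01CDDFA1A3E36879494:
pub:-:4096:1:0123456789ABCDEF:1390000000::-::::::::::::
fpr:::::::::0000000000000000000000000123456789ABCDEF:
pub:f:4096:1:1848792F9E2795E9:1488758400::-::::::::::::
fpr:::::::::5817A43B283DE5A9181A522E1848792F9E2795E9:
sig:!::1:1848792F9E2795E9:1488758400::::Qubes OS Release 4 Signing Key:13x:
sig:!::1:DDFA1A3E36879494:1638144000::::Qubes Master Signing Key:10x:
sig:!::1:DDFA1A3E36879494:1488931200::::Qubes Master Signing Key:10x:
sig:!::1:0123456789ABCDEF:1400000000::::Qubes Master Signing Key:10x:
"""
QMSK_FPR = "427F11FD0FAA4B080123F01CDDFA1A3E36879494"  # genuine QMSK fingerprint, as quoted in the thread
RSK_FPR = "5817A43B283DE5A9181A522E1848792F9E2795E9"   # Release 4 Signing Key fingerprint, as quoted
def check_key_signatures(listing, signed_fpr, trusted_fprs, now=None):
    """Return one dict per third-party signature on the key `signed_fpr`; an empty
    findings list means that signature satisfies the three conditions from the thread."""
    now = now or int(datetime.now(timezone.utc).timestamp())
    keys, cur = {}, None  # long key ID -> {fpr, created, expires}, built from pub/fpr records
    for f in (r.split(":") for r in listing.splitlines()):
        if f[0] == "pub":
            cur = f[4]
            keys[cur] = {"fpr": None, "created": int(f[5]), "expires": int(f[6]) if f[6] else None}
        elif f[0] == "fpr" and cur:
            keys[cur]["fpr"] = f[9]
    target, in_target, out = signed_fpr[-16:], False, []
    for f in (r.split(":") for r in listing.splitlines()):
        if f[0] == "pub":
            in_target = f[4] == target
        elif f[0] == "sig" and in_target and f[4] != target:  # skip the key's own self-signature
            issuer, sig_date, findings = keys.get(f[4]), int(f[5]), []
            if f[1] != "!":
                findings.append("signature does not verify (status %r)" % f[1])
            if issuer is None or issuer["fpr"] not in trusted_fprs:  # a name is not an identity
                findings.append("issuer %s named %r has an untrusted fingerprint" % (f[4], f[9]))
            if issuer and issuer["expires"] and issuer["expires"] < now:
                findings.append("issuer key has expired")
            if sig_date < keys[target]["created"]:  # the "date makes no sense" case
                findings.append("signature predates creation of the signed key")
            out.append({"issuer": f[4], "date": datetime.fromtimestamp(sig_date, timezone.utc).date().isoformat(), "findings": findings})
    return out

def is_authenticated(results):  # one clean signature is enough; extra or odd ones do not hurt
    return any(not r["findings"] for r in results)
```

Run against the sample, the 2021-11-29 and 2017-03-08 signatures both pass, the spoof is flagged twice, and the release key counts as authenticated only because a genuine QMSK signature is among them.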