Three masterkeys and different dates? Why?

Hello.I did import from sec pack and i dont know what i did wrong… But why do i get this now? Two masterkeys with different dates?
There should only be one right? One date?

gpg2 --check-signatures “Qubes OS Release 4 Signing Key”
pub rsa4096 2017-03-06 [SC]
uid [ full ] Qubes OS Release 4 Signing Key
sig!3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key
sig! DDFA1A3E36879494 2021-11-29 Qubes Master Signing Key ???
sig! DDFA1A3E36879494 2017-03-08 Qubes Master Signing Key

Why is that? One masterkey should exist, not two dates… Is one fake, or do i just lack the knowledge on how this works… thanks

Also, how do i delete all keys… I must try importing again… This looks wierd… I added the question mars after the bold date… Why two different dates?

edit… this link is the third masterkey then so i updated my topic.

Date: pub rsa4096/DDFA1A3E36879494 created: 2010-04-01 expires: never usage: SC
trust: unknown validity: unknown [ unknown] (1). Qubes Master Signing Key

three dates… This is very wierd… Explain. Is someone spoofing keys? What’s the original date in qubes masterkeys? One should exist not three, am i right?

also the 2017 version link is relevant…

Another thing!!! When i check the key it first says it’s from 2010. Then when i check the qubes os signing key and import it i get another date!! WHY?!!

$ gpg2 --list-sigs “Qubes OS Release 4 Signing Key”
pub rsa4096 2017-03-06 [SC]
uid [ full ] Qubes OS Release 4 Signing Key
sig 3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key
sig DDFA1A3E36879494 2021-11-29 Qubes Master Signing Key (why not 2010, or 2017-03-08? They existed “forever” right? Just use the one from 2010 then…

It changed from 2010 to the suspicious date 2021-11-29…
What is going on here? The devs should be using the 2010 key of-course… right?
Or the 2017-03-08 masterkey version and the 2017-03-06 Qubes OS Release 4 Signing Key version…
Yeah i need to learn pgp… gpg and so on…

gpg2 -k “Qubes Master Signing Key”
pub rsa4096 2010-04-01 [SC]
uid [ultimate] Qubes Master Signing Key

The last bit says it’s from 2010… Yeah i bet i’m just ignorant. They are probably real, the same key, and safe. I just thought it’s possible to spoof keys. And the date would change then right… Can someone just explain the dates?

Please provide the exact, complete, and unaltered commands you’re entering and the exact, complete, and unaltered output you’re receiving. Use the “preformatted text” editing option here on the forum to ensure the text is rendered exactly as it appears in your terminal.

Most likely, the 2021-11-29 signature is from when we recently re-signed our PGP keys with better hash functions:

In general, the date of the signature does not matter as long as (1) the signature is valid, (2) the signing key is authentic, and (3) the signing key has not expired.

Similarly, having additional signatures on a key is not a problem as long as the same three conditions hold for all the signatures you care about. (Remember that anyone can create a key, name it whatever they like, and use it to sign any other public key in their possession.)

1 Like

Thanks for the answer! What about the other dates then? So others can’t spoof or generate the same signature as the qubes team have or spoof the keys then? So people should not care about the dates then?
Yeah i guess i can trust the keys. :slight_smile: Trust issues i assume hehe
But if others recommend Qubes i trust that. Even Edward snowden recommended it i read online, so yeah, i just asked… Got to be skeptical of everything i guess. Peace

Depends on which ones you’re referring to. Probably just the key generation date and its own self-signature on the same date, which are totally normal and expected.

Depends on how you define “spoof.” They can create a new key and name it “Qubes Master Signing Key,” but it will not have the same fingerprint as the genuine QMSK.

I refer you to my previous post:

This applies for something like authenticating a Qubes Release Signing Key, where you don’t really care when the RSK was signed, just that it is, in fact, validly signed.

Nonetheless, it would make sense to be suspicious if the date made no sense – for example, if the signing date was one month before the RSK was supposedly created. You should ask questions in such a case. But here we’ve just been discussing more ordinary cases.

1 Like