Unexpected results when checking signature of release signing key

I’m trying to create a bootable USB for the latest QubesOS release, but I’m getting unexpected results when I attempt to check the signature of the release signing key.

These are the instructions posted on the Qubes website:

$ gpg2 --check-signatures "Qubes OS Release X Signing Key"
pub   rsa4096 2017-03-06 [SC]
      5817A43B283DE5A9181A522E1848792F9E2795E9
uid           [  full  ] Qubes OS Release X Signing Key
sig!3        1848792F9E2795E9 2017-03-06  Qubes OS Release X Signing Key
sig!         DDFA1A3E36879494 2017-03-08  Qubes Master Signing Key

gpg: 2 good signatures

But this is what I got:

$ gpg2 --check-signatures "Qubes OS Release 4.2 Signing Key"
pub   rsa4096 2022-10-04 [SC]
      9C884DF3F81064A569A4A9FAE022E58F8E34D89F
uid           [  full  ] Qubes OS Release 4.2 Signing Key
sig!3        E022E58F8E34D89F 2022-10-04  Qubes OS Release 4.2 Signing Key
sig!         DDFA1A3E36879494 2023-06-03  Qubes Master Signing Key

gpg: 2 good signatures

These are the instructions posted on the Qubes website:

$ gpg2 -k "Qubes OS Release"
pub   rsa4096 2017-03-06 [SC]
      5817A43B283DE5A9181A522E1848792F9E2795E9
uid           [  full  ] Qubes OS Release X Signing Key

But this is what I got:

$ gpg2 -k "Qubes OS Release"
pub   rsa4096 2022-10-04 [SC]
      9C884DF3F81064A569A4A9FAE022E58F8E34D89F
uid           [  full  ] Qubes OS Release 4.2 Signing Key

Everything looks fine and matches the documentation.
What’s unexpected?

The filename pattern for RSKs is qubes-release-X-signing-key.asc, where X is either a major or minor Qubes release number, such as 4 or 4.2.

This is just an example, so the output you receive may not look exactly the same. What matters is the line with a sig! prefix showing that the QMSK has signed this key. This verifies the authenticity of the RSK. Note that the ! flag after the sig tag is important because it means that the key signature is valid. A sig- prefix would indicate a bad signature, and sig% would mean that gpg encountered an error while verifying the signature. It is not necessary to independently verify the authenticity of the RSK, since you already verified the authenticity of the QMSK.

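To make the "what matters is the sig! line from the QMSK" rule mechanical, here is an added example (my own script, not from the Qubes documentation or the Qubes project) that reads a saved `gpg2 --check-signatures` transcript and returns a distinct exit code for the three cases the docs describe: a valid `sig!` from the master key, a `sig-`/`sig%` line from it, or no master-key signature at all. It assumes the QMSK long key ID `DDFA1A3E36879494` shown in the thread's output; the first sample is the poster's real output, the other two are constructed copies edited to show the failure modes.

```shell
#!/bin/sh
# Added example (not from the Qubes docs): decide, from a saved
# `gpg2 --check-signatures` transcript, whether the Release Signing Key
# carries a *valid* signature from the Qubes Master Signing Key (QMSK).
# Assumption: the QMSK long key ID is the one printed in this thread.
QMSK_KEYID="DDFA1A3E36879494"

# check_rsk_output: reads gpg output on stdin, prints a verdict, returns
#   0  a `sig!` line from the QMSK is present (key signature valid)
#   1  the QMSK line is `sig-` (bad signature) or `sig%` (gpg error)
#   2  no signature from the QMSK at all (only the self-sig, or other keys)
check_rsk_output() {
    # Signature lines begin with "sig" plus a status flag; keep only the
    # ones that name the QMSK. `|| true` stops a no-match from aborting
    # callers that run under `set -e`.
    lines=$(grep -E '^sig[!%-]' | grep -F "$QMSK_KEYID" || true)

    case "$lines" in
        "")      echo "FAIL: no signature from QMSK $QMSK_KEYID"; return 2 ;;
        'sig!'*) echo "OK: RSK is signed by the QMSK (sig!)"; return 0 ;;
        *)       echo "FAIL: QMSK signature present but not valid:"
                 echo "$lines"; return 1 ;;
    esac
}

# Constructed samples. SAMPLE_GOOD is the poster's real output; the other
# two are edited copies showing the failure modes the documentation names.
SAMPLE_GOOD='pub   rsa4096 2022-10-04 [SC]
      9C884DF3F81064A569A4A9FAE022E58F8E34D89F
uid           [  full  ] Qubes OS Release 4.2 Signing Key
sig!3        E022E58F8E34D89F 2022-10-04  Qubes OS Release 4.2 Signing Key
sig!         DDFA1A3E36879494 2023-06-03  Qubes Master Signing Key

gpg: 2 good signatures'

SAMPLE_BAD='pub   rsa4096 2022-10-04 [SC]
      9C884DF3F81064A569A4A9FAE022E58F8E34D89F
uid           [  full  ] Qubes OS Release 4.2 Signing Key
sig!3        E022E58F8E34D89F 2022-10-04  Qubes OS Release 4.2 Signing Key
sig-         DDFA1A3E36879494 2023-06-03  Qubes Master Signing Key'

SAMPLE_UNSIGNED='pub   rsa4096 2022-10-04 [SC]
      9C884DF3F81064A569A4A9FAE022E58F8E34D89F
uid           [  full  ] Qubes OS Release 4.2 Signing Key
sig!3        E022E58F8E34D89F 2022-10-04  Qubes OS Release 4.2 Signing Key'

# Against a live keyring, pipe gpg straight in instead of a sample:
#   gpg2 --check-signatures "Qubes OS Release 4.2 Signing Key" | check_rsk_output
for s in "$SAMPLE_GOOD" "$SAMPLE_BAD" "$SAMPLE_UNSIGNED"; do
    printf '%s\n' "$s" | check_rsk_output
done
```

The check deliberately keys on the QMSK's key ID rather than on the "2 good signatures" summary line: the summary only says how many signatures verified, not whose, so a key that is self-signed and signed by some unrelated key would also report "2 good signatures".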

@apparatus is right, the output may not be the same; if the sig! prefix is signed by the Qubes Master Signing Key it is legit.


Thanks to @apparatus and @Sks for clarifying.

I agree with @adw that the documentation should be revised to indicate that the actual output will be different.