Verifying Qubes 4.1 weekly builds

The following discussion is about how to verify the weekly 4.1 Qubes builds signed by @fepitre. Please read the following post where these weekly builds were originally announced:

hello Frédéric. thx for your contributions. a problem i encounter is that i am aware the process to verify regular qubes signature with signing key files but with .digests and .asc from Index of /qubes/iso/ i am not certain what the course of movement would be to verify the iso with this plain text. should the plain text be converted and saved to some type of file verify? i have checked the verifying signatures help page from qubes but i have not found the guidance when what to do with plain text pgp signatures.

one more inquiry- when you talk about “Due to recent troubles with kernels 5.4.X and 5.10.X, I’ve decided to add again to this weekly pipeline, the build of a fresh Qubes R4.1 ISO. I don’t build any package or any template. It uses only Qubes OS repositories.” this is meaning that the build will not include items like debian fedora or whonix template? is it with the links you provide we will be able to download these templates? are these the only packages missing to make a complete build? i apologize for the simplistic questions. i am new to the qubes community and my development background is in entirely different fields. as you know my english is not excellent as well. eagerly excited to testing R4.1. thx.

Take a look at Verifying Signatures | Qubes OS and Verifying Signatures | Qubes OS. You would need to add my bot’s key to your set of trusted keys.

The ISO includes everything as a standard Qubes ISO. I simply pick every package and template from Qubes repositories directly instead of rebuilding the whole!

i am getting a return of gpg: Can't check signature: No public key. i am knowing how to do this with the typical qubes downloads from main download page. please check my log to tell me where my mistake must be.

mashka@ubuntu:~/Downloads$ gpg2 --import ./qubes-master-signing-key.asc
gpg: key 0xDDFA1A3E36879494: "Qubes Master Signing Key" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
mashka@ubuntu:~/Downloads$ gpg2 --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa4096/0xDDFA1A3E36879494
     created: 2010-04-01  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
[ultimate] (1). Qubes Master Signing Key

gpg> fpr
pub   rsa4096/0xDDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
 Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

gpg> trust
pub  rsa4096/0xDDFA1A3E36879494
     created: 2010-04-01  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
[ultimate] (1). Qubes Master Signing Key

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  rsa4096/0xDDFA1A3E36879494
     created: 2010-04-01  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
[ultimate] (1). Qubes Master Signing Key

gpg> q
mashka@ubuntu:~/Downloads$ gpg2 -k "Qubes Master Signing Key"
pub   rsa4096/0xDDFA1A3E36879494 2010-04-01 [SC]
      Key fingerprint = 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
uid                   [ultimate] Qubes Master Signing Key

mashka@ubuntu:~/Downloads$ gpg2 --keyserver-options no-self-sigs-only,no-import-clean --import ./qubes-release-4-signing-key.asc
gpg: key 0x1848792F9E2795E9: "Qubes OS Release 4 Signing Key" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
mashka@ubuntu:~/Downloads$ gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
pub   rsa4096/0x1848792F9E2795E9 2017-03-06 [SC]
      Key fingerprint = 5817 A43B 283D E5A9 181A  522E 1848 792F 9E27 95E9
uid                   [  full  ] Qubes OS Release 4 Signing Key
sig!3        0x1848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key
sig!         0xDDFA1A3E36879494 2017-03-08  Qubes Master Signing Key

gpg: 2 good signatures
mashka@ubuntu:~/Downloads$ gpg2 -k "Qubes OS Release"
pub   rsa4096/0x1848792F9E2795E9 2017-03-06 [SC]
      Key fingerprint = 5817 A43B 283D E5A9 181A  522E 1848 792F 9E27 95E9
uid                   [  full  ] Qubes OS Release 4 Signing Key
mashka@ubuntu:~/Downloads$ gpg2 -v --verify Qubes-20210410-x86_64.iso.asc Qubes-20210410-x86_64.iso
gpg: Signature made Sat 10 Apr 2021 04:53:28 AM UTC
gpg:                using RSA key 1C8714D640F30457EC953050656946BA873DDEC1
gpg: Can't check signature: No public key

Hi.

Not an expert on this, but I think you are assuming the isos are signed by the qubes master signing key.
As fepitre said in the initial post:
“The ISOs are signed by “fepitre-bot” 1C8714D640F30457EC953050656946BA873DDEC1.”

Unfortunately, I am having a similar problem when I try to verify the ISO with the fepitre-bot key. So, can’t help more.

[user@disp1379 builds]$ ll
total 5281804
-rw-rw-r-- 1 user user 5408555008 Apr 10 06:52 Qubes-20210410-x86_64.iso
-rw-rw-r-- 1 user user       1259 Apr 10 06:58 Qubes-20210410-x86_64.iso.DIGESTS
-rw-rw-r-- 1 user user        833 Apr 10 06:53 Qubes-20210410-x86_64.iso.asc
[user@disp1379 builds]$ gpg --recv-keys 1C8714D640F30457EC953050656946BA873DDEC1
gpg: directory '/home/user/.gnupg' created
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key 656946BA873DDEC1: public key "fepitre-bot <fepitre-bot@qubes-os.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
[user@disp1379 builds]$ gpg -v --verify Qubes-20210410-x86_64.iso.asc Qubes-20210410-x86_64.iso
gpg: Signature made Sat Apr 10 06:53:28 2021 CEST
gpg:                using RSA key 1C8714D640F30457EC953050656946BA873DDEC1
gpg: using pgp trust model
gpg: Good signature from "fepitre-bot <fepitre-bot@qubes-os.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1C87 14D6 40F3 0457 EC95  3050 6569 46BA 873D DEC1
gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096
[user@disp1379 builds]$ sha512sum -c Qubes-20210410-x86_64.iso.DIGESTS 
Qubes-20210410-x86_64.iso: OK
sha512sum: WARNING: 23 lines are improperly formatted

Hope that helps.


i believe what is missing is importation from keyserver. the error i receive is the below logs.

mashka@ubuntu:~/Downloads$ gpg --recv-keys 1C8714D640F30457EC953050656946BA873DDEC1
gpg: key 0x656946BA873DDEC1: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
mashka@ubuntu:~/Downloads$ gpg -v --verify Qubes-20210410-x86_64.iso.asc Qubes-20210410-x86_64.iso
gpg: Signature made Sat 10 Apr 2021 04:53:28 AM UTC
gpg:                using RSA key 1C8714D640F30457EC953050656946BA873DDEC1
gpg: Can't check signature: No public key

You probably need to change the keyserver. For example: gpg --keyserver keys.gnupg.net --recv-keys 1C8714D640F30457EC953050656946BA873DDEC1

any method to download the key as a file and import it manually without pulling it through terminal? doesn't it come from qubes server?

mashka@ubuntu:~/Downloads$ gpg --keyserver keys.gnupg.net --recv-keys 1C8714D640F30457EC953050656946BA873DDEC1
gpg: keyserver receive failed: Server indicated a failure

will report shortly if the issue has again persisted and if your solution was successful.

Sorry I cannot do that much for that. You can find the plain text key here: https://qubes.notset.fr/repo/notset/RPM-GPG-KEY-notset


i believe this has succeeded if you will confirm this is success as i do see “Good signature”. thx @fepitre. it could have potential for @deeplow to branch this post for helping others look to verify and test 4.1 weekly builds.

mashka@ubuntu:~/Downloads$ gpg --recv-keys 1C8714D640F30457EC953050656946BA873DDEC1
gpg: key 0x656946BA873DDEC1: "fepitre-bot <fepitre-bot@qubes-os.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
mashka@ubuntu:~/Downloads$ gpg -v --verify Qubes-20210410-x86_64.iso.asc Qubes-20210410-x86_64.iso
gpg: Signature made Sat 10 Apr 2021 04:53:28 AM UTC
gpg:                using RSA key 1C8714D640F30457EC953050656946BA873DDEC1
gpg: using pgp trust model
gpg: Good signature from "fepitre-bot <fepitre-bot@qubes-os.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1C87 14D6 40F3 0457 EC95  3050 6569 46BA 873D DEC1
gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096

Split! 🙂

Thanks for the pointer @mash. As a moderator having users hint us at when topics should be split is very useful as sometimes it’s hard to have this level of attention when scrapping through all the latest posts.


would another person be willing to approve or deny if this is the result i should be seeking despite of the

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

This is a standard warning because my key is not signed by someone else or ultimately trusted as you can see the same message on my previous post.


trust set to 5 and warning removed. thx
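
Added example, not part of the thread and not Qubes or fepitre code: a POSIX shell check that accepts the ISO only when gpg's machine-readable status output contains a VALIDSIG record for the exact fingerprint quoted above, so the result does not depend on the key's trust level or on reading the "Good signature" text by eye. The function names are hypothetical; the key file is assumed to be the plain-text key linked in the thread, saved locally, and the keyring is a throwaway directory.

```shell
#!/bin/sh
# Added example: accept the ISO only if gpg reports a valid signature made
# by the exact fingerprint quoted in the thread, whatever the trust level.

EXPECTED_FPR="1C8714D640F30457EC953050656946BA873DDEC1"  # fepitre-bot, from the thread

# Read `gpg --status-fd` output on stdin; print the primary-key fingerprint
# of the first VALIDSIG record (field 12), or the signing-key one (field 3).
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# status_matches FPR: succeed only if stdin holds a VALIDSIG for FPR.
# ERRSIG / NO_PUBKEY / BADSIG output carries no VALIDSIG and therefore fails.
status_matches() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    got=$(validsig_fpr | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# verify_pinned KEYFILE SIGFILE DATAFILE (hypothetical helper name)
# Uses a throwaway keyring so only the key in KEYFILE can satisfy the check.
verify_pinned() {
    home=$(mktemp -d) || return 2
    chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null
    status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null)
    rm -rf "$home"
    printf '%s\n' "$status" | status_matches "$EXPECTED_FPR"
}

# Run only when called as: script KEYFILE SIGFILE ISO
if [ "$#" -eq 3 ]; then
    if verify_pinned "$@"; then
        echo "OK: valid signature from $EXPECTED_FPR"
    else
        echo "FAILED: no valid signature from $EXPECTED_FPR" >&2
        exit 1
    fi
fi
```

The "No public key" case from the earlier logs produces ERRSIG and NO_PUBKEY status lines but no VALIDSIG, so the check fails closed.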