Verifying release signing key: "gpg error reading key No public key"

empleat · January 13, 2023, 12:09pm

I Am going thought guide from start, I certified QSMK using my private key in Kleopatra on Windows 11. But at step verifying release signing key, using command:

gpg --check-signatures qubes-release-4-signing-key.asc

I get this error:

gpg error reading key No public key

Usually there is public key for this no, but in this case QSMK was supposed to verify that. How come it does not work? There is nothing in between in this guide. Note: i tried put signing key name into quotes also…

Thanks for help!

enmus · January 13, 2023, 4:27pm

adw · January 14, 2023, 3:38am

This probably means it can’t find that keyfile in the same directory in which you’re running the command. If you’ve imported the release signing key, then you should be able to reference it by its ID instead of the filename.

empleat · January 14, 2023, 6:59pm

You mean release signing key? It is in the same directory!

Also can’t fetch it with gpg

gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-release-X-signing-key.asc'
gpg: WARNING: unable to fetch URI https://keys.qubes-os.org/keys/qubes-release-X-signing-key.asc: No data
gpg: key fetch failed: No data

Also can’t import it from file, when run in folder where RSK lies, command:

gpg --keyserver-options no-self-sigs-only,no-import-clean --import ./qubes-release-X-signing-key.asc

output:

gpg: can't open 'qubes-release-X-signing-key.asc': No such file or directory
gpg: Total number processed: 0

I also tried without ./ otherwise i don’t know what command is for exactly…

renehoj · January 14, 2023, 7:07pm

It needs to be https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc

empleat · January 14, 2023, 7:09pm

LOL nice tutorial, i would never expect that, didn’t also mention to change it to a number…

renehoj · January 14, 2023, 7:11pm

It does tell you what to do.

After you have completed these two prerequisite steps, the next step is to obtain the correct RSK. The filename of the RSK for your Qubes OS release is usually qubes-release-X-signing-key.asc , where X is the major version number of your Qubes release. For example, if you were installing release 1.2.3 , you would replace X with 1 , resulting in qubes-release-1-signing-key.asc . There are several ways to get the RSK for your Qubes release.

empleat · January 14, 2023, 7:19pm

Oh I see I have problem reading, I have severe chronic pain…

I have incorrect trust level of release signing key, can you help me please? I dont know what could be wrong!

gpg --check-signatures "Qubes OS Release 4 Signing Key"

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   1  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2025-01-13
pub   rsa4096 2017-03-06 [SC]
      5817A43B283DE5A9181A522E1848792F9E2795E9
uid           [  undef ] Qubes OS Release 4 Signing Key
sig!3        1848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key
sig!         DDFA1A3E36879494 2021-11-29  Qubes Master Signing Key

gpg: 2 good signatures


//RSK correct trust level:

gpg -k "Qubes OS Release"
pub   rsa4096 2017-03-06 [SC]
      5817A43B283DE5A9181A522E1848792F9E2795E9
uid           [  undef ] Qubes OS Release 4 Signing Key

EDIT: ok it says full, now i changed QSMK to ultimate trust level. It is for peace of mind anyways

This tutorial is 99% more easier to understand and informative than what i saw, this always used to confuse me, i hate bad tutorials…

Thank you for help!!!

empleat · May 14, 2023, 9:53am

Hmm doesn’t work anymore, what the heck?

gpg --check-signatures qubes-release-4-signing-key.asc
gpg: error reading key: No public key

I tried like 10 ways and nothing works, i also tried import key and reference to it by id… Or like click very & decrypt but nothing happens, normally Kleopatra offers to search for public key!

Fetching with gpg from keyserver worked!

gpg2 --keyserver-options no-self-sigs-only,no-import-clean --fetch-keys https://keys.qubes-os.org/keys/qubes-release-X-signing-key.asc

doesn’t also work when running the command :

gpg2 --check-signatures "Qubes OS Release X Signing Key"

same issue…

NOTE: i am using gpg, not gpg2!!!

Even changing QSMK to trust level didn’t help!!!

Do you really want to set this key to ultimate trust? (y/N) y

pub  rsa4096/DDFA1A3E36879494
     created: 2010-04-01  expires: never       usage: SC
     trust: ultimate      validity: ultimate
[ultimate] (1). Qubes Master Signing Key

gpg>

But in Kleopatra there is still trust level unknown

adw · May 14, 2023, 8:35pm

You’re trying to reference a key file, but you you need to reference the imported key in your keyring instead.

Because you didn’t replace the “X” with an actual release number. There is no key named “Qubes OS Release X Signing Key” (with a literal “X”) in your keyring. Try “Qubes OS Release 4 Signing Key” instead (assuming you’ve actually imported that key).

empleat · May 14, 2023, 8:50pm

I did this with cd in folder when key file is located.

I also referenced to key by its id, when it was in my key ring, is this what you mean?

Sorry i did that i forget to change here on forums in all hurry, i replaced it with 4.

You can see just above

gpg --check-signatures qubes-release-4-signing-key.asc

EDIT: I thought it could be 4.1.2 first, but it downloads with 4 only for 4.1.2 version

I don’t remember how i solved it unfortunately and i thought i could figure it out next time, or from this post I have severe chronic pain don’t even 1 word…

adw · May 15, 2023, 6:06am

Doesn’t matter. That command doesn’t take files, AFAIK.

Yes. Please show the exact command and output of that not working.

No, that’s trying to reference a file again. The key is not named qubes-release-4-signing-key.asc. That’s the name of a file that contains the data for the key.

It works fine if you reference the key by its actual name or its fingerprint:

$ gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
pub   rsa4096 2017-03-06 [SC]
      5817A43B283DE5A9181A522E1848792F9E2795E9
uid           [  full  ] Qubes OS Release 4 Signing Key
sig!3        1848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key
sig!         DDFA1A3E36879494 2017-03-08  Qubes Master Signing Key
sig!         DDFA1A3E36879494 2021-11-29  Qubes Master Signing Key

gpg: 3 good signatures

$ gpg2 --check-signatures 5817A43B283DE5A9181A522E1848792F9E2795E9
pub   rsa4096 2017-03-06 [SC]
      5817A43B283DE5A9181A522E1848792F9E2795E9
uid           [  full  ] Qubes OS Release 4 Signing Key
sig!3        1848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key
sig!         DDFA1A3E36879494 2017-03-08  Qubes Master Signing Key
sig!         DDFA1A3E36879494 2021-11-29  Qubes Master Signing Key

gpg: 3 good signatures

empleat · May 15, 2023, 9:29am

Right how simple, no joke i can’t even read how severe my pain is, nevertheless need to have this done!

Thank you very much it worked!

Now there is the problem running:

$ gpg -k "Qubes OS Release"

Doesn’t show full trust level!

And this to increase QMSK to ultimate trust level didn’t work unfortunately, i remember something worked in past and that it was this but: https://security.stackexchange.com/questions/129474/how-to-raise-a-key-to-ultimate-trust-on-another-machine

OOOOH OK: I tried yet second solution this time and it worked! Now

$ gpg -k "Qubes OS Release"

After setting QSMK to ultimate trust level, shows full, when running this command:

$ gpg --check-signatures "Qubes OS Release X Signing Key"