Verifying release signing key: "gpg error reading key No public key"

empleat · January 13, 2023, 12:09pm

I Am going thought guide from start, I certified QSMK using my private key in Kleopatra on Windows 11. But at step verifying release signing key, using command:

gpg --check-signatures qubes-release-4-signing-key.asc

I get this error:

gpg error reading key No public key

Usually there is public key for this no, but in this case QSMK was supposed to verify that. How come it does not work? There is nothing in between in this guide. Note: i tried put signing key name into quotes also…

Thanks for help!

enmus · January 13, 2023, 4:27pm

adw · January 14, 2023, 3:38am

This probably means it can’t find that keyfile in the same directory in which you’re running the command. If you’ve imported the release signing key, then you should be able to reference it by its ID instead of the filename.

empleat · January 14, 2023, 6:59pm

You mean release signing key? It is in the same directory!

Also can’t fetch it with gpg

gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-release-X-signing-key.asc'
gpg: WARNING: unable to fetch URI https://keys.qubes-os.org/keys/qubes-release-X-signing-key.asc: No data
gpg: key fetch failed: No data

Also can’t import it from file, when run in folder where RSK lies, command:

gpg --keyserver-options no-self-sigs-only,no-import-clean --import ./qubes-release-X-signing-key.asc

output:

gpg: can't open 'qubes-release-X-signing-key.asc': No such file or directory
gpg: Total number processed: 0

I also tried without ./ otherwise i don’t know what command is for exactly…

renehoj · January 14, 2023, 7:07pm

It needs to be https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc

empleat · January 14, 2023, 7:09pm

LOL nice tutorial, i would never expect that, didn’t also mention to change it to a number…

renehoj · January 14, 2023, 7:11pm

It does tell you what to do.

After you have completed these two prerequisite steps, the next step is to obtain the correct RSK. The filename of the RSK for your Qubes OS release is usually qubes-release-X-signing-key.asc , where X is the major version number of your Qubes release. For example, if you were installing release 1.2.3 , you would replace X with 1 , resulting in qubes-release-1-signing-key.asc . There are several ways to get the RSK for your Qubes release.

empleat · January 14, 2023, 7:19pm

Oh I see I have problem reading, I have severe chronic pain…

I have incorrect trust level of release signing key, can you help me please? I dont know what could be wrong!

gpg --check-signatures "Qubes OS Release 4 Signing Key"

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   1  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2025-01-13
pub   rsa4096 2017-03-06 [SC]
      5817A43B283DE5A9181A522E1848792F9E2795E9
uid           [  undef ] Qubes OS Release 4 Signing Key
sig!3        1848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key
sig!         DDFA1A3E36879494 2021-11-29  Qubes Master Signing Key

gpg: 2 good signatures


//RSK correct trust level:

gpg -k "Qubes OS Release"
pub   rsa4096 2017-03-06 [SC]
      5817A43B283DE5A9181A522E1848792F9E2795E9
uid           [  undef ] Qubes OS Release 4 Signing Key

EDIT: ok it says full, now i changed QSMK to ultimate trust level. It is for peace of mind anyways

This tutorial is 99% more easier to understand and informative than what i saw, this always used to confuse me, i hate bad tutorials…

Thank you for help!!!

xn0px90 · January 15, 2023, 5:03am

This post was flagged by the community and is temporarily hidden.