Why does my Qubes OS Release Signing Key is still unknown?

Hello,
I know there is an error when verifying the release signing key because of SHA-1. So I’m using the --allow-weak-key-signatures option of gpg and I get the following result:

gpg2 --allow-weak-key-signatures --check-signatures "Qubes OS Release 4 Signing Key"
pub   rsa4096 2017-03-06 [SC]
      5817A43B283DE5A9181A522E1848792F9E2795E9
uid          [ unknown] Qubes OS Release 4 Signing Key
sig!3        1848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key
sig!         DDFA1A3E36879494 2017-03-08  Qubes Master Signing Key

gpg: 2 good signatures

Is it normal that the Qubes OS Release 4 Signing Key is still unknown though? I have imported the Qubes Master Signing Key and it is ultimately trusted:

gpg2 -k "Qubes Master Signing Key"
pub   rsa4096 2010-04-01 [SC]
      427F11FD0FAA4B080123F01CDDFA1A3E36879494
uid          [  ultimate ] Qubes Master Signing Key

It is worrying because when I try to verify the cryptographic hash value of the ISO I get the following warning:

gpg2 -v --verify Qubes-R4.1.0-x86_64.iso.DIGESTS
gpg: Note: RFC4880bis features are enabled.
gpg: armor header: Hash: SHA256
gpg: original file name: ' '
gpg: Signature made Tue 03 Feb 2022 11:44:46 CET
gpg:                using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: using PGP trust model
gpg: Good signature from "Qubes OS Release 4 Signing Key" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Master key fingerprint: 5817 A43B 283D E5A9 181A  522E 1848 792F 9E27 95E9
gpg: textmode signature, digest algorithm SHA256, key algorithm rsa4096

Thank you for your help.

I just created my Live USB. Is it safe to use it notwithstanding?

I think the master key has been set as ultimately trusted, but the signing key don’t.

If it don’t, the output should look like this:

gpg2 -k "Qubes OS Release 4 Signing Key"
pub   rsa4096 2017-03-06 [SC]
      5817A43B283DE5A9181A522E1848792F9E2795E9
uid           [ unknown] Qubes OS Release 4 Signing Key

Hope it helps : )

Hey thank you for your reply.

However it is not indicated in the documentation to manually set the trust level of the Release Signing Key, on the contrary it is said :

Now that you’ve imported the authentic QMSK, set its trust level to “ultimate” so that it can be used to automatically verify all the keys signed by the QMSK (in particular, RSKs).

Now, when you import any of the release signing keys and many Qubes team member keys, they will already be trusted in virtue of being signed by the QMSK.

So, reading this, the RSK I imported should have been automatically recognised as signed by the QMSK which is obviously not the case.

Is it because of the --allow-weak-key-signatures option of gpg or is it really because the ISO I downloaded cannot be trusted?

Correct. The RSK should automatically have the correct trust level in virtue of being signed by the QMSK. You should not have to set the trust level of the RSK directly.

I’m not familiar with that option. The SHA-1 problem should be fixed now, as all keys should be updated now. Could you try again, following the instructions exactly as written?

Thanks.

Indeed the new RSK works fine. I now get the following result:

gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
pub   rsa4096 2017-03-06 [SC]
      5817A43B283DE5A9181A522E1848792F9E2795E9
uid          [  full ] Qubes OS Release 4 Signing Key
sig!3        1848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key
sig!         DDFA1A3E36879494 2021-11-29  Qubes Master Signing Key

gpg: 2 good signatures

Did you re-sign the RSK with SHA-256 or better?

Not me personally. I think Marek is the one who did it.

I didn’ t know the pgp has this feature. Well, I learned something new today
: D