On 3/27/21 2:50 AM, Franz wrote:


On Fri, Mar 26, 2021 at 9:10 AM Franz wrote:

    Hello,
    everything seems to work fine:

    gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
    pub   rsa4096 2017-03-06 [SC]
           5817A43B283DE5A9181A522E1848792F9E2795E9
    uid           [  full  ] Qubes OS Release 4 Signing Key
    sig!3        1848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key
    sig!         DDFA1A3E36879494 2017-03-08  Qubes Master Signing Key
    gpg: 2 good signatures

    gpg2 -k "Qubes OS Release"
    pub   rsa4096 2014-11-19 [SC]
           C52261BE0A823221D94CA1D1CB11CA1D03FA5082
    uid           [  full  ] Qubes OS Release 3 Signing Key
    pub   rsa4096 2017-03-06 [SC]
           5817A43B283DE5A9181A522E1848792F9E2795E9
    uid           [  full  ] Qubes OS Release 4 Signing Key

    but when I try to verify I get an unexpected error, even after
    downloading the files two times, and even after trying with Fedora
    and Debian:

    gpg2 -v --verify qubes-release-4-signing-key.asc Qubes-R4.0.4-x86_64.iso
    gpg: verify signatures failed: Unexpected error


I found the problem: I downloaded "Qubes release signing key" rather than "Detached PGP signature".

Well, frankly, IMO the name of the wrong file seems more appropriate than the right one. How is "Detached PGP signature" supposed to be easy to understand? :-)

PGP/GPG basics: Normally when signing a file, the file is changed (signature appended (basically)). With a detached signature, the signed file is unchanged, and the signature is a separate "detached" file. That's a detached signature.

Of course to check a signature you need the signing key as well as the detached signature.

Detached from what? Well, I am sure it is detached from something, but I lost hours for nothing and other users may simply avoid verifying the iso if it is too complicated. Once there was only one file that could be downloaded. Well I understand the additional files may have some additional use, but there are a lot of people that are not interested in that and just need an easy and fast way to get it going. So perhaps it may be more appropriate to add to the detached file also the wording "use this file to follow the Qubes verification tutorial"
Best
Franz

--
You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAPzH-qA8vf%2BmzbNk7Jtx3geszJ6AGn7FOT8Eyos4qrfgbhgEww%40mail.gmail.com <https://groups.google.com/d/msgid/qubes-users/CAPzH-qA8vf%2BmzbNk7Jtx3geszJ6AGn7FOT8Eyos4qrfgbhgEww%40mail.gmail.com?utm_medium=email&utm_source=footer>.
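
The mix-up discussed in this thread, as an added example that is not part of the original messages: a shell wrapper that reads the ASCII-armor header of the file given to `--verify` and refuses a public key block before gpg is called. The function names are hypothetical, and it assumes ASCII-armored files and a `gpg2` binary with the signing key already in the keyring.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes ASCII-armored input; binary (unarmored) files report "unknown".

# Print "signature", "public-key" or "unknown" for an armored PGP file,
# based on its first armor header line (CRLF line endings tolerated).
pgp_file_kind() {
    header=$(sed -n '/^-----BEGIN PGP /{p;q;}' "$1" 2>/dev/null | tr -d '\r')
    case "$header" in
        '-----BEGIN PGP SIGNATURE-----')        echo signature ;;
        '-----BEGIN PGP PUBLIC KEY BLOCK-----') echo public-key ;;
        *)                                      echo unknown ;;
    esac
}

# verify_detached SIGFILE DATAFILE
# Returns 2 without calling gpg when SIGFILE is not a detached signature,
# otherwise returns gpg's own exit status (0 only for a good signature
# made by a key in the local keyring).
verify_detached() {
    sig=$1
    data=$2
    kind=$(pgp_file_kind "$sig")
    if [ "$kind" = public-key ]; then
        echo "error: $sig is a public key block, not a signature." >&2
        echo "Pass the detached signature file for $data instead." >&2
        return 2
    elif [ "$kind" != signature ]; then
        echo "error: $sig has no PGP SIGNATURE armor header." >&2
        return 2
    fi
    if [ ! -f "$data" ]; then
        echo "error: signed file not found: $data" >&2
        return 2
    fi
    gpg2 --verify "$sig" "$data"
}

# Stand-alone use: script.sh SIGFILE DATAFILE
if [ "$#" -eq 2 ]; then
    verify_detached "$1" "$2"
fi
```
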
