When I follow the guide
on https://www.qubes-os.org/security/verifying-signatures/
I get the following result
```
[vagrant@fedora ~]$ gpg2 --check-signatures "Qubes Master Signing Key"
pub rsa4096 2010-04-01 [SC]
427F11FD0FAA4B080123F01CDDFA1A3E36879494
uid [ultimate] Qubes Master Signing Key
sig!3 DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
gpg: 1 good signature
[vagrant@fedora ~]$ gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
pub rsa4096 2017-03-06 [SC]
5817A43B283DE5A9181A522E1848792F9E2795E9
uid [ unknown] Qubes OS Release 4 Signing Key
sig!3 1848792F9E2795E9 2017-03-06 Qubes OS Release 4 Signing Key
gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
gpg: (use option "--allow-weak-key-signatures" to override)
sig% DDFA1A3E36879494 2017-03-08 [Invalid digest algorithm]
gpg: 1 good signature
gpg: 1 signature not checked due to an error
```
Is it because the master key is old and the old defaults are now
considering too weak?
If so, why not distribute a new one?
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/5a43c954-21a7-4aaf-8589-218dc1f911acn%40googlegroups.com.
