On 2016-06-18 19:54, vwic...@use.startmail.com wrote:
> Hello, I have a question about a downloaded .iso verification.
>
> A good .iso signature is verified, and hash and digest verifications
> are good; however, on the "--list sig" command, there was a second
> sig 3, 0x4BD7C4EEE2986940 2016-01-04 [User ID not found].
>
> Upon requesting the public key I received, key 0x4BD7C4EEE2986940:
> public key "Kabine Diane <kab...@me.com>".
>
> A "--list sig" command of that key shows as revoked. Please see
> below.
>
> This doesn't seem to be the desired output. Have I missed
> something? Any help with this would be appreciated as I don't want
> to load a compromised .iso. Thanks
>
It sounds like you may be confused about how PGP works. The
`--list-sigs` option simply lists the signatures on a key or keys.
Anyone can sign anyone else's public key and upload the signed public
key to keyservers. We couldn't stop that even if we wanted to. That's
just the nature of PGP. Everyone is also free to revoke their own keys
at any time (assuming they possess or can create a revocation
certificate).

So, what happened here is that someone created a key
(0x4BD7C4EEE2986940), added the uid "Kabine Diane <kab...@me.com>"
(which may or may not be the key creator's real identity), used the
key to sign the Qubes OS Release 3 Signing Key, then revoked their key.
Since we don't know anything about this revoked key, this tells us
exactly nothing about the trustworthiness of the Qubes OS Release 3
Signing Key.
--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
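Added example, not part of the original message or of the Qubes project's code: a small Python classifier for `gpg --with-colons --check-sigs` output that separates certifications made by keys you have verified yourself from third-party signatures such as the one discussed above, which carry no information. The sample listing is constructed; only the key ID 0x4BD7C4EEE2986940 and the "[User ID not found]" text come from the thread, and the other key IDs and names are placeholders.

```python
# Constructed, trimmed sample in gpg's colon-delimited layout
# (field 1 = record type, 2 = check result, 5 = key ID, 10 = user ID, 11 = class).
# AAAA.../BBBB... are placeholder key IDs, not real Qubes keys.
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1415000000:::-:
uid:-::::1415000000::::Example Release Signing Key:
sig:!::1:AAAAAAAAAAAAAAAA:1415000000::::Example Release Signing Key:13x:
sig:!::1:BBBBBBBBBBBBBBBB:1415000100::::Example Master Signing Key:10x:
sig:?::1:4BD7C4EEE2986940:1451865600::::[User ID not found]:10x:
"""

SELF = "self-signature"
ANCHORED = "certified by a key you verified"
NO_INFO = "no information"


def classify_sigs(colon_output, verified_signers):
    """Map each signer key ID on the first pub key to a category.

    verified_signers: key IDs whose fingerprints you checked out of band
    (an assumption of this example; gpg cannot establish that for you).
    """
    subject = None
    result = {}
    for line in colon_output.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue  # blank or malformed line
        if fields[0] == "pub" and subject is None:
            subject = fields[4]
        elif fields[0] == "sig" and subject is not None:
            status, signer = fields[1], fields[4]
            if signer == subject:
                result[signer] = SELF
            elif signer in verified_signers and status == "!":
                # "!" means gpg checked the signature cryptographically.
                result[signer] = ANCHORED
            else:
                # Unknown, unverifiable or bad signature: anyone can add these.
                result[signer] = NO_INFO
    return result


def is_anchored(colon_output, verified_signers):
    """True if at least one verified key has validly certified the subject key."""
    return ANCHORED in classify_sigs(colon_output, verified_signers).values()
```
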