Bad GPG sig on R3.2 release


jordan.r...@gmail.com

Jan 11, 2017, 7:07:53 PM
to qubes-users
I am a first-time Qubes user, and was about to install the latest (3.2) from qubes-os.org. Verifying the ISO with the Release 3 signing key looks good. The SHA256 sum of the ISO matches the sum in the digest file. But the digest file itself fails GPG verification (against the release 3 key). The 3.1 digest file does not.

I was hoping someone else could check the 3.2 digests file as downloaded from https://www.qubes-os.org/downloads/, and see if it's got a bad GPG sig or if it's just me.

raah...@gmail.com

Jan 11, 2017, 11:14:18 PM
to qubes-users, jordan.r...@gmail.com
worked for me

gpg -v --verify Qubes-R3.2-x86_64.iso.DIGESTS
gpg: armor header: Hash: SHA256
gpg: armor header: Version: GnuPG v2
gpg: original file name=''
gpg: Signature made Tue 20 Sep 2016 01:37:03 PM EDT using RSA key ID 03FA5082
gpg: using PGP trust model
gpg: Good signature from "Qubes OS Release 3 Signing Key"
gpg: textmode signature, digest algorithm SHA256

Andrew David Wong

Jan 12, 2017, 12:41:04 AM
to raah...@gmail.com, qubes-users, jordan.r...@gmail.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Same here:

$ gpg2 -v --verify Qubes-R3.2-x86_64.iso.DIGESTS
gpg: armor header: Hash: SHA256
gpg: armor header: Version: GnuPG v2
gpg: original file name=''
gpg: Signature made 2016-09-20T10:37:03 PDT using RSA key ID CB11CA1D03FA5082
gpg: using pgp trust model
gpg: checking the trustdb
gpg: 2 keys processed (3 validity counts cleared)
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: Note: signature key 96ED3C3BA19C3DEE expired 2016-12-02T01:58:03 PST
gpg: Note: signature key 99AB06246EEBF5A8 expired 2016-07-02T16:01:41 PDT
gpg: Note: signature key 8B93CC3E77A1C5EA expired 2017-01-11T12:58:24 PST
gpg: Note: signature key 94A6A0746A70BAB8 expired 2017-01-11T12:58:24 PST
gpg: Note: signature key EE570349A603BCB6 expired 2014-03-05T16:00:28 PST
gpg: Note: signature key 00B2859B10210515 expired 2015-08-22T03:32:16 PDT
gpg: depth: 0 valid: 2 signed: 10 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: Note: signature key 96ED3C3BA19C3DEE expired 2016-12-02T01:58:03 PST
gpg: Note: signature key 00B2859B10210515 expired 2015-08-22T03:32:16 PDT
gpg: depth: 1 valid: 10 signed: 0 trust: 10-, 0q, 0n, 0m, 0f, 0u
gpg: Good signature from "Qubes OS Release 3 Signing Key" [full]
gpg: textmode signature, digest algorithm SHA256, key algorithm rsa4096

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

jordan.r...@gmail.com

Jan 12, 2017, 1:44:19 PM
to qubes-users, jordan.r...@gmail.com
Okay, never mind, I got it verified from the command line. Thanks guys!

I am using GPG Tools for Mac, and I think its "Verify" command from the Finder context menu tried to parse the digests file as a list of signatures - the output looks like it was verifying the ISO, not the digests file itself.
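
The two checks discussed in this thread (the signature on the clearsigned digests file, then the ISO's SHA-256 against it), chained from the command line. This is an added example, not part of any post above; the function names and the assumed `<hex digest> *<file name>` line layout of the signed text are illustrative assumptions. It compares the ISO only against text that gpg has actually verified, rather than against whatever appears in the file.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed DIGESTS layout inside the
# signed text: one "<hex digest> *<file name>" line per hash algorithm.

# SHA-256 of file $1 as lowercase hex (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{ print $1 }'
}

# Read digest lines on stdin; print the 64-hex-digit (SHA-256) entry for
# file name $1. Non-zero exit if there is no such entry.
digest_for() {
    awk -v name="$1" '
        { f = $2; sub(/^\*/, "", f) }
        f == name && length($1) == 64 && $1 ~ /^[0-9A-Fa-f]+$/ {
            print tolower($1); found = 1; exit
        }
        END { exit !found }'
}

# Succeed only if file $1 hashes to the digest listed for it on stdin.
check_against() {
    want=$(digest_for "$(basename "$1")") || return 1
    have=$(sha256_of "$1") || return 1
    [ "$want" = "$have" ]
}

# $1 = clearsigned DIGESTS file, $2 = ISO.
verify_iso() {
    # --decrypt on a clearsigned file prints only the text the signature
    # covers and exits non-zero on a bad signature or a missing public key.
    # A good signature from ANY key in the keyring passes, so the keyring
    # should hold only keys whose fingerprints you have checked.
    text=$(gpg --batch --decrypt "$1" 2>/dev/null) || {
        echo "signature on $1 did not verify" >&2; return 1; }
    printf '%s\n' "$text" | check_against "$2" || {
        echo "SHA-256 of $2 does not match the signed digest" >&2; return 1; }
}

if [ "$#" -eq 2 ]; then
    verify_iso "$1" "$2" && echo "OK: signature and SHA-256 both verify"
fi
```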
