3.2 gpg verification works no more


Franz

Dec 9, 2017, 9:56:57 AM
to qubes...@googlegroups.com
I bought a larger SSD and want to reinstall 3.2, but gpg verification no longer works.

I have a gpg VM where all this verification stuff is already installed and worked for 3.1 and 3.2 in the past, so assumed it should work again for the same task, but no.

For the signature file of the iso, I pasted it into a file called  Qubes-R3.2-x86_64.iso.asc

But I get:

gpg -v --verify Qubes-R3.2-x86_64.iso.asc Qubes-R3.2-x86_64.iso
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.

So I suspected it is because the developer key lapses after one year and did:
gpg --recv-keys 0xC52261BE0A823221D94CA1D1CB11CA1D03FA5082
as instructed here https://www.qubes-os.org/security/verifying-signatures/
It actually imported one key, but verification gives the same failed result.

Also tried to import the key associated to iso download 

[user@gpg iso2]$ gpg --import qubes-release-3-signing-key\(1\).asc
gpg: key 03FA5082: "Qubes OS Release 3 Signing Key" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

Finally downloaded the iso again, but same result

Chris Laprise

Dec 9, 2017, 11:36:53 AM
to Franz, qubes...@googlegroups.com
Maybe you pasted the key into the .asc file, instead of pasting the
signature?

If you think the .iso downloaded incorrectly, first thing to check is
the exact number of bytes with 'ls -l' in case the download stopped
prematurely.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Franz

Dec 9, 2017, 12:37:52 PM
to Chris Laprise, qubes...@googlegroups.com
On Sat, Dec 9, 2017 at 1:35 PM, Chris Laprise <tas...@posteo.net> wrote:
On 12/09/2017 09:56 AM, Franz wrote:
I bought a larger SSD and want to reinstall 3.2, but gpg verification no longer works.

I have a gpg VM where all this verification stuff is already installed and worked for 3.1 and 3.2 in the past, so assumed it should work again for the same task, but no.

For the signature file of the iso, I pasted it into a file called  Qubes-R3.2-x86_64.iso.asc

But I get:

gpg -v --verify Qubes-R3.2-x86_64.iso.asc Qubes-R3.2-x86_64.iso
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.

So I suspected it is because the developer key lapses after one year and did:
gpg --recv-keys 0xC52261BE0A823221D94CA1D1CB11CA1D03FA5082
as instructed here https://www.qubes-os.org/security/verifying-signatures/
It actually imported one key, but verification gives the same failed result.

Also tried to import the key associated to iso download

[user@gpg iso2]$ gpg --import qubes-release-3-signing-key\(1\).asc
gpg: key 03FA5082: "Qubes OS Release 3 Signing Key" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

Finally downloaded the iso again, but same result

Maybe you pasted the key into the .asc file, instead of pasting the signature?


this one:
Version: GnuPG v2
 
If you think the .iso downloaded incorrectly, first thing to check is the exact number of bytes with 'ls -l' in case the download stopped prematurely.

I downloaded it two times...

[user@gpg iso2]$ ls -l
total 4147212
-rw-r--r-- 1 user user 4246732800 Dec  9 00:07 Qubes-R3.2-x86_64.iso
-rw-rw-r-- 1 user user        761 Dec  9 10:26 Qubes-R3.2-x86_64.iso.asc
-rw-r--r-- 1 user user       2364 Dec  9 10:41 'qubes-release-3-signing-key(1).asc'
 

Unman

Dec 9, 2017, 12:52:47 PM
to Franz, Chris Laprise, qubes...@googlegroups.com
That's the right signature - try downloading rather than
copying/pasting.
Have you included the BEGIN/END lines?

Franz

Dec 9, 2017, 1:15:34 PM
to Unman, Chris Laprise, qubes...@googlegroups.com
Downloading? You do not know how many times I tried to find a link to download a file... I have been trying that for two days.

But if Unman tells to download it there should be a way. So I tried "save link as" and it actually downloaded the file, and it worked and verified the iso correctly.

Well, but how is it that if I click on PGP key it actually downloads a file, while if I click on Signature it opens it? This makes things unnecessarily complex. Clicking on Signature should download a file as well. Don't you think so?
 
Have you included the BEGIN/END lines?

no, probably that was my error

Anyway many thanks Unman and Chris for being always willing to help

Best
Fran

Unman

Dec 9, 2017, 1:39:03 PM
to Franz, qubes...@googlegroups.com
The reason for the different treatment is that your browser recognises
the signature as plain text and displays it, but identifies the key as a
detached signature (!!), which it offers to download - note that it is
probably identified as text and you will be offered the option to open
it in a text editor.
Browser handling of different file types is quite interesting.
In this case I suspect that the difference in Version numbers on the
key and signature makes the difference.
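
The two causes raised in this thread (a key pasted in place of the signature, and a paste missing its BEGIN/END lines) can be told apart before running gpg. The following is an added example, not part of the original thread; the function name asc_kind and the sample files are constructed for illustration, with placeholder bodies rather than real OpenPGP data.

```shell
#!/bin/sh
# Classify an ASCII-armored file before handing it to `gpg --verify`.
# Prints one of: signature, public-key, no-armor, truncated, other, unreadable.
# asc_kind is a hypothetical helper name; it inspects armor lines only and
# does not validate the OpenPGP packets themselves.
asc_kind() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 2; }
    # First armor header line, e.g. "-----BEGIN PGP SIGNATURE-----"
    begin=$(grep -E '^-----BEGIN PGP [A-Z ]+-----[[:space:]]*$' "$f" \
            | head -n 1 | tr -d '\r')
    if [ -z "$begin" ]; then
        echo "no-armor"          # body pasted without its BEGIN/END lines
        return 1
    fi
    kind=${begin#-----BEGIN PGP }
    kind=${kind%-----*}
    # The matching END line must exist, otherwise the paste was cut short
    if ! tr -d '\r' < "$f" | grep -q -x -- "-----END PGP $kind-----[[:space:]]*"; then
        echo "truncated"
        return 1
    fi
    case $kind in
        SIGNATURE)          echo "signature";  return 0 ;;
        "PUBLIC KEY BLOCK") echo "public-key"; return 1 ;;  # key saved as the .asc
        *)                  echo "other";      return 1 ;;
    esac
}

# Constructed sample files (placeholder bodies, not real signatures or keys)
d=$(mktemp -d)
printf '%s\n' 'Version: GnuPG v2' '' 'Q09OU1RSVUNURUQ=' '=AAAA' > "$d/pasted-body.asc"
printf '%s\n' '-----BEGIN PGP SIGNATURE-----' 'Version: GnuPG v2' '' \
    'Q09OU1RSVUNURUQ=' '=AAAA' '-----END PGP SIGNATURE-----' > "$d/full.asc"
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' 'Q09OU1RSVUNURUQ=' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$d/key.asc"
for f in pasted-body full key; do
    printf '%s: %s\n' "$f.asc" "$(asc_kind "$d/$f.asc")"
done
rm -rf "$d"
```

Only a file reported as signature is worth passing to gpg --verify together with the iso; no-armor corresponds to the "no valid OpenPGP data found" case above.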

