Qubes Builder untrusted.Expired signing key
24 views
Skip to first unread message
Public Email Account
Apr 19, 2019, 3:36:09 PM4/19/19
to qubes...@googlegroups.com
Hopefully goes through this time.
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, April 19, 2019 2:33 PM, Public Email Account <publicthro...@protonmail.com> wrote:
> I try to build Qubes from source.
> Following directions at https://www.qubes-os.org/doc/qubes-iso-building/
>
> Part where it says to do this
>
> git clone git://github.com/QubesOS/qubes-builder.git
> cd qubes-builder
> git tag -v `git describe`
>
> It says it is signed with key gpg: RSA key 063938BA42CFA724
>
> The issue that there is. This key is expired or revoked.
>
> gpg: searching for "063938BA42CFA724" from hkp server keys.gnupg.net
> (1) Marek Marczykowski-Górecki (Qubes OS signing key) <marmarek@invisible
> 4096 bit RSA key 42CFA724, created: 2014-03-05, expires: 2015-03-05 (expired)
>
> I checked with other key servers with the same thing. How can the Qubes Builder script be trusted if it is signed with revoked key?
>
> Am I doing this wrong?
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, April 19, 2019 2:33 PM, Public Email Account <publicthro...@protonmail.com> wrote:
> I try to build Qubes from source.
> Following directions at https://www.qubes-os.org/doc/qubes-iso-building/
>
> Part where it says to do this
>
> git clone git://github.com/QubesOS/qubes-builder.git
> cd qubes-builder
> git tag -v `git describe`
>
> It says it is signed with key gpg: RSA key 063938BA42CFA724
>
> The issue that there is. This key is expired or revoked.
>
> gpg: searching for "063938BA42CFA724" from hkp server keys.gnupg.net
> (1) Marek Marczykowski-Górecki (Qubes OS signing key) <marmarek@invisible
> 4096 bit RSA key 42CFA724, created: 2014-03-05, expires: 2015-03-05 (expired)
>
> I checked with other key servers with the same thing. How can the Qubes Builder script be trusted if it is signed with revoked key?
>
> Am I doing this wrong?
Marek Marczykowski-Górecki
Apr 19, 2019, 5:28:07 PM4/19/19
to Public Email Account, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
That's interesting, I've just downloaded my key from keys.gnupg.net and,
as expected, it doesn't have expiration date.
Anyway, you can download it from here:
https://github.com/QubesOS/qubes-secpack/blob/master/keys/core-devs/marmarek-qubes-code-signing-keys.asc
(the file contains the current key and also past keys, already expired)
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAly6PV8ACgkQ24/THMrX
1yzaMAf9EsZJXPjLYXQyYQhl6XndrwlzR1GDscUdjf3imvf7ZpbcZOvJf3AjMWzd
rQFiCOZxh3vjmj3DiU0pae3afxygQ4srGOoYbIhbQ02zuJWCly6g8gr4uJPMML45
TfEGIUXQ1LsxrrGYFW4wpG5R40f//u3ANR6aBoUpZm5ADCCfvG4X/AKb1MN8Dzfs
cvco01buJCv9GcbXtLzvqdBVB7BNEGMOqJ9Vyrakb3ZQNp2+Np9qhE6xzL0ol3Cv
icyZ4KG4eRESUn2K7CPx7g/HTW+Z2bYzcN9rvAjoxQAZY2M1gBie+nVGjBvRHiBE
FAIQXAA/BDIUAPDRW4aj28qecNSuMw==
=0jaE
-----END PGP SIGNATURE-----
Hash: SHA256
as expected, it doesn't have expiration date.
Anyway, you can download it from here:
https://github.com/QubesOS/qubes-secpack/blob/master/keys/core-devs/marmarek-qubes-code-signing-keys.asc
(the file contains the current key and also past keys, already expired)
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAly6PV8ACgkQ24/THMrX
1yzaMAf9EsZJXPjLYXQyYQhl6XndrwlzR1GDscUdjf3imvf7ZpbcZOvJf3AjMWzd
rQFiCOZxh3vjmj3DiU0pae3afxygQ4srGOoYbIhbQ02zuJWCly6g8gr4uJPMML45
TfEGIUXQ1LsxrrGYFW4wpG5R40f//u3ANR6aBoUpZm5ADCCfvG4X/AKb1MN8Dzfs
cvco01buJCv9GcbXtLzvqdBVB7BNEGMOqJ9Vyrakb3ZQNp2+Np9qhE6xzL0ol3Cv
icyZ4KG4eRESUn2K7CPx7g/HTW+Z2bYzcN9rvAjoxQAZY2M1gBie+nVGjBvRHiBE
FAIQXAA/BDIUAPDRW4aj28qecNSuMw==
=0jaE
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
0 new messages