qubes release signing keys: move qubes-4.key to qubes-4.1.key, add qubes-4.2.key #1512

Merged

tlaurion
Collaborator

Fixes #1511

Repro traces, based on notes from #1296

user@heads-tests-deb12:/$ mkdir /tmp/q42sig
user@heads-tests-deb12:/$ cd /tmp/q42sig
user@heads-tests-deb12:/tmp/q42sig$ wget https://keys.qubes-os.org/keys/qubes-release-4.2-signing-key.asc
--2023-10-18 13:31:56--  https://keys.qubes-os.org/keys/qubes-release-4.2-signing-key.asc
Resolving keys.qubes-os.org (keys.qubes-os.org)... 147.75.102.29, 2604:1380:4601:c500::1
Connecting to keys.qubes-os.org (keys.qubes-os.org)|147.75.102.29|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2415 (2.4K) [application/octet-stream]
Saving to: ‘qubes-release-4.2-signing-key.asc’

qubes-release-4.2-signing-key.asc     100%[=======================================================================>]   2.36K  --.-KB/s    in 0s      

2023-10-18 13:31:56 (16.1 MB/s) - ‘qubes-release-4.2-signing-key.asc’ saved [2415/2415]

user@heads-tests-deb12:/tmp/q42sig$ gpg --home /tmp/q42sig --import qubes-release-4.2-signing-key.asc 
gpg: WARNING: unsafe permissions on homedir '/tmp/q42sig'
gpg: keybox '/tmp/q42sig/pubring.kbx' created
gpg: key E022E58F8E34D89F: 1 signature not checked due to a missing key
gpg: /tmp/q42sig/trustdb.gpg: trustdb created
gpg: key E022E58F8E34D89F: public key "Qubes OS Release 4.2 Signing Key" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
user@heads-tests-deb12:/tmp/q42sig$ gpg --home /tmp/q42sig --edit-key E022E58F8E34D89F
gpg: WARNING: unsafe permissions on homedir '/tmp/q42sig'
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa4096/E022E58F8E34D89F
     created: 2022-10-04  expires: never       usage: SC  
     trust: unknown       validity: unknown
[ unknown] (1). Qubes OS Release 4.2 Signing Key

gpg> minimize
User ID "Qubes OS Release 4.2 Signing Key": 1 signature removed

pub  rsa4096/E022E58F8E34D89F
     created: 2022-10-04  expires: never       usage: SC  
     trust: unknown       validity: unknown
[ unknown] (1). Qubes OS Release 4.2 Signing Key

gpg> quit
Save changes? (y/N) y
user@heads-tests-deb12:/tmp/q42sig$ gpg --home /tmp/q42sig/ --export --armor > ~/heads/initrd/etc/distro/keys/qubes-4.2.key
gpg: WARNING: unsafe permissions on homedir '/tmp/q42sig'
user@heads-tests-deb12:/tmp/q42sig$ cd ~/heads/initrd/etc/distro/keys/
user@heads-tests-deb12:~/heads/initrd/etc/distro/keys$ cat qubes-4.2.key
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
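
A check that could be run on the exported file before committing it, given here as an added example that is not part of the original PR or of the Heads code base: it reads GnuPG's colon-format listing and accepts the file only if it holds exactly one primary key, with the expected long key ID, and no third-party signatures (the state `minimize` leaves behind). The function name, the sample listings and the issuer ID `0123456789ABCDEF` are constructed for illustration; only the key ID `E022E58F8E34D89F` comes from the trace above.

```shell
#!/bin/sh
# Usage (assumes a GnuPG 2.2 binary, as in the trace above):
#   gpg --show-keys --with-colons --with-sig-list qubes-4.2.key \
#       | check_distro_key E022E58F8E34D89F

# check_distro_key EXPECTED_LONG_KEYID
# Reads a colon-format key listing on stdin. Exit status:
#   0 ok, 2 not exactly one primary key, 3 wrong key ID,
#   4 signature(s) issued by some other key are still attached.
check_distro_key() {
    awk -F: -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 == "pub" { pubs++; keyid = toupper($5) }          # field 5: long key ID
        $1 == "sig" && toupper($5) != want { foreign++ }     # field 5: issuer key ID
        END {
            if (pubs != 1)     { print "expected 1 primary key, found " pubs+0; exit 2 }
            if (keyid != want) { print "key ID " keyid " does not match " want; exit 3 }
            if (foreign > 0)   { print foreign " third-party signature(s) present"; exit 4 }
            print "ok " keyid
        }'
}

# Constructed sample listings in the shape of gpg --with-colons output.
sample_minimized() {
cat <<'EOF'
pub:-:4096:1:E022E58F8E34D89F:1664841600:::-:::scSC::::::23::0:
uid:-::::1664841600::0000000000000000000000000000000000000000::Qubes OS Release 4.2 Signing Key::::::::::0:
sig:::1:E022E58F8E34D89F:1664841600::::Qubes OS Release 4.2 Signing Key:13x:::::10:
EOF
}

# Same key before minimize: one extra signature from a key not in the keyring.
sample_unminimized() {
    sample_minimized
    echo 'sig:?::1:0123456789ABCDEF:1664841600::::[User ID not found]:10x:::::10:'
}

# A keyring export that picked up a second, unrelated primary key.
sample_two_keys() {
    sample_minimized
    echo 'pub:-:4096:1:0123456789ABCDEF:1664841600:::-:::scSC::::::23::0:'
}
```

The trace exports the whole temporary keyring (`--export` with no key ID), so the single-key check is what confirms nothing else was in that keyring.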

tlaurion commented Oct 18, 2023

Tested and boots https://ftp.qubes-os.org/iso/Qubes-R4.2.0-rc4-x86_64.iso verified against detached signature https://ftp.qubes-os.org/iso/Qubes-R4.2.0-rc4-x86_64.iso.asc

Proof
signal-2023-10-18-135607

TODO:

  • Change the fixed ISO path search on external media (/*.iso) to a find so that torrents downloaded directly onto external media can be found and verified by Heads.

@tlaurion tlaurion merged commit 9e55e08 into linuxboot:master Oct 18, 2023
1 check passed

Successfully merging this pull request may close these issues.

Booting Qubes 4.2.x iso verified against detached signature should be supported