Is my QUBES-OS master signing key right or wrong?

0

I just tried to verify my Qubes Master Signing Key following this description:

https://www.qubes-os.org/security/verifying-signatures/#1-get-the-qubes-master-signing-key-and-verify-its-authenticity

I used this download:

gpg2 --keyserver pool.sks-keyservers.net --recv-keys 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494

Then I tried to verify the public key and fingerprint:

gpg2 --edit-key 0x36879494

gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  rsa4096/DDFA1A3E36879494
     created: 2010-04-01  expires: never       usage: SC
     trust: unknown       validity: unknown
[ unknown] (1). Qubes Master Signing Key

gpg> fpr

pub   rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
 Primary key fingerprint: 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494

On the Qubes site (and on other websites) the pub name is different from mine, but the key fingerprint is the same, as you can see here:

pub   4096R/36879494 2010-04-01
      Key fingerprint = 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
uid                  Qubes Master Signing Key

Am I right that I cannot trust the downloaded Master Signing Key?! (pub rsa4096/DDFA1A3E36879494 and 4096R/36879494 are different, but the fingerprint output is the same...)

Thank you all for your help!

Stephan

Posted 2019-11-19T17:56:28.303

Reputation: 1

Answers

0

pub rsa4096/DDFA1A3E36879494 and 4096R/36879494 are different

Not really, they're not. This is not a "pub name" of any kind – it describes the key's parameters. (The actual name is "Qubes Master Signing Key".)

  • rsa4096 and 4096R both mean the same thing – 4096-bit RSA key.

  • DDFA1A3E36879494 and 36879494 both are the "key IDs" which are the last 16 and 8 digits of the fingerprint (also called "long" and "short" key ID).

Older GnuPG versions used 8-digit key IDs, however, it is very easy to generate keys with colliding key IDs, and there are many accidental collisions known already. Switching to longer (16-digit) key IDs somewhat alleviates the problem. The latest GnuPG releases do not use keyids at all – they show just the whole 40-digit fingerprint.

In older versions the only possible key types were RSA, DSA, and ElGamal (all of which had very similar key size ranges), marked R, D, E respectively. Recently, several other key types were added, such as ECDSA and EdDSA, which no longer fit into this pattern because they use curve names rather than bit lengths, so the old scheme could only create confusion. (For example, does "E" now mean "ElGamal" or "ECDSA-P521" or "Ed25519"?)

user1686

Posted 2019-11-19T17:56:28.303

Reputation: 283 655
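The point of the answer is that the key ID (long or short) is just a suffix of the fingerprint, so the only thing worth comparing against the Qubes website is the full 40-hex-digit fingerprint. The following is an added example that is not part of the question, the answer, or the Qubes project. It parses the machine-readable output of `gpg2 --with-colons --fingerprint --list-keys 0x36879494` (the `pub`, `fpr` and `uid` records), derives the long and short key IDs from the fingerprint, and makes the trust decision on the fingerprint alone. The sample colon-format output is constructed by hand (the timestamps and uid hash are made up; the key ID and fingerprint are the ones quoted in the question), and a second constructed record shows a different key that shares only the short key ID, which is the collision case the answer warns about.

```python
"""Verify a downloaded OpenPGP key by its full fingerprint, not its key ID.

Added example. Parses `gpg --with-colons --fingerprint --list-keys` output
and compares the primary key's fingerprint with a published value. The
sample records below are constructed, not captured from a real keyring.
"""

# Fingerprint published on qubes-os.org, copied from the question.
PUBLISHED_FPR = "427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494"

# Constructed sample of `gpg2 --with-colons --fingerprint --list-keys` output
# for the key in the question. Timestamps and the uid hash are made up.
SAMPLE_COLONS = """\
tru::1:1574185000:0:3:1:5
pub:-:4096:1:DDFA1A3E36879494:1270080000:::-:::scSC::::::23::0:
fpr:::::::::427F11FD0FAA4B080123F01CDDFA1A3E36879494:
uid:-::::1270080000::0123456789ABCDEF0123456789ABCDEF01234567::Qubes Master Signing Key::::::::::0:
"""

# Constructed record for a different key that shares the short key ID 36879494
# and the user ID but has a different fingerprint (a short-ID collision).
COLLIDING_COLONS = """\
pub:-:4096:1:0000000036879494:1270080000:::-:::scSC::::::23::0:
fpr:::::::::0000000000000000000000000000000036879494:
uid:-::::1270080000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Qubes Master Signing Key::::::::::0:
"""


def normalize_fpr(fpr):
    """Strip the display spaces gpg adds and upper-case the hex digits."""
    return "".join(fpr.split()).upper()


def key_ids(fingerprint):
    """Long and short key IDs are the last 16 and 8 hex digits of the
    fingerprint, so they carry no information the fingerprint lacks."""
    fpr = normalize_fpr(fingerprint)
    return fpr[-16:], fpr[-8:]


def parse_colons(text):
    """Return one dict per primary key from gpg --with-colons output.

    0-based field positions: pub field 4 is the key ID, fpr field 9 is the
    fingerprint, uid field 9 is the user ID. An fpr record that follows a
    sub record belongs to a subkey and is ignored here.
    """
    keys = []
    fpr_is_primary = False
    for line in text.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            keys.append({"keyid": fields[4].upper(), "fpr": None, "uids": []})
            fpr_is_primary = True
        elif rec == "sub":
            fpr_is_primary = False
        elif rec == "fpr" and keys and fpr_is_primary and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = fields[9].upper()
        elif rec == "uid" and keys:
            keys[-1]["uids"].append(fields[9])
    return keys


def verify_key(colons_text, published_fpr):
    """Return (ok, reason). Only the full fingerprint decides the outcome;
    key ID and user ID are reported but never trusted on their own."""
    expected = normalize_fpr(published_fpr)
    if len(expected) != 40:
        return False, "published fingerprint is not 40 hex digits"
    keys = parse_colons(colons_text)
    if len(keys) != 1:
        return False, "expected exactly one primary key, found %d" % len(keys)
    key = keys[0]
    if key["fpr"] is None:
        return False, "no fingerprint record (run gpg with --fingerprint)"
    long_id, short_id = key_ids(key["fpr"])
    if key["keyid"] != long_id:
        return False, "key ID %s does not match fingerprint" % key["keyid"]
    if key["fpr"] != expected:
        return False, "fingerprint mismatch: %s (short ID %s)" % (key["fpr"], short_id)
    return True, "fingerprint matches; uids=%s" % ", ".join(key["uids"])


if __name__ == "__main__":
    print(verify_key(SAMPLE_COLONS, PUBLISHED_FPR))
    print(verify_key(COLLIDING_COLONS, PUBLISHED_FPR))
```

Feed it real output with `gpg2 --with-colons --fingerprint --list-keys 0x36879494` piped into `verify_key`; a key that merely matches on `36879494`, or even on the full long ID, still fails unless all 40 hex digits agree with the value you took from the Qubes site.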