0
i just tried to verify my Qubes Master Signing Key with this description:
I used this download:
gpg2 --keyserver pool.sks-keyservers.net --recv-keys 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
Then i tried to verify the public key and fingerprint:
gpg2 --edit-key 0x36879494
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/DDFA1A3E36879494
created: 2010-04-01 expires: never usage: SC
trust: unknown validity: unknown
[ unknown] (1). Qubes Master Signing Key
gpg> fpr
pub rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key Primary key fingerprint: 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
At the Qubes site, (and at other websites, the Pub Name is different to mine, but the key fingerprint is the same as you can see here:
pub 4096R/36879494 2010-04-01 Key fingerprint = 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494 uid Qubes Master Signing Key
Am i right, that i cannot trust the downloaded Master signing key?! (pub rsa4096/DDFA1A3E36879494 & 4096R/36879494**are different, but the Fingerprint output is the same...)*
Thank you all for your help!