Identifying Latest 4.1 iso & PGP Sigantures Should Be Made Always

considering to test this iso file Qubes OS openQA: qubesos-4.1-install-iso-x86_64-Build20210117-4.1-install_btrfs@64bit test results but there is no pgp signature or digest. it appears this could be more older version of 4.1 test iso that i found here Signed Q4.1 alpha iso - #6 by marmarek and it come with pgp signature and digest. first iso is 20210117 build the second iso is 20201014 build i see from file title name. is this same 4.1 test iso? will both be made to work the same? file size is different. if any person know how to contact developer sushi who made first iso please tell me or if any person can ask sushi to do this because openqa doesnt allow anyones to make account. one other thing- is possible to verify the first iso any possible way? did i miss pgp signature file or digest? thx for help.

As far as I’m aware, the openQA system is an untrusted build environment and so there aren’t going to be signatures or digests for those ISOs. They’re just for (unsupported) testing purposes if you choose to install it.
You should be able to just install marmarek’s older ISO and fully update to get the same result, or of course you could use qubes-builder to get your own ISO :slight_smile:

i am aware it is testing iso but a siganture and digest are minimal to provide for everyone wishing to verify. i think this should be a standard for iso files issued. is there a way you know to contact sushi allowing for them to make the inclusion? i would try but openqa does not allow any persons to make account.

do you know how i could compile the new updates to @marmarek iso? it rather confusing at times to find exactly what is updated about this new iso and what items are nonexistent. especially if project contributing layouts differ between the two projects.

i am still in belief the simplest method is for sushi to provide pgp and digest now and for the future. i would still like a way to make contact with sushi for this. is sushi a verified developer? i have tried to find them on here qubes community but no success. i would be uncaring if i was testing in virtualbox but when it is running on metal i choose to be precautious as everyone should look to be. thx for the help @encryptedgiraffe :slight_smile:

On the Qubes Website it says alpha ISOs found on the openQA system have no support, which I take to mean no signature, since they’d have to use the release 4.1 signing key, which wouldn’t be on an insecure build environment.
I think “sushi” is just the hostname of the environment that did the build, i.e. it’s an automated system, not an actual dev.
If you install marmarek’s ISO, you should just be able to use the Qubes Update tool to get an up-to-date system, the same as if you installed a new build. And that one of course has a signature. I used that ISO about 2 months ago and it worked just fine.

I think there were quite a few updates since then (including both the kernel and Xen), that make the openQA isos boot on some very recent machines. This does not apply to the signed alpha iso from last year, so the easy update path is closed for those systems.

1 Like

For more up to date (though still not officially supported) builds, one
of the main Qubes devs has a signed and much more trusted weekly build
at Index of /qubes/iso/. These were posted on Qubes Devel about
a month ago.

1 Like

See this pinned post (on the #user-support:testing-4-1 category)

1 Like