I take it you're referring to the message about SHA1. I'm not certain,
but we do have a related open issue, which the devs are working on now:

https://github.com/QubesOS/qubes-issues/issues/6470

Also see the comments on this issue, which are even more specific to
your question:

https://github.com/QubesOS/qubes-issues/issues/4378

In particular, Marek commented (on #4378):

"In general, it may be a good idea to create new signature using SHA256
or such, to ease the use with weak-digest SHA1 option enabled. But in
practice, in the current state SHA1 problems don't affect security of
the key itself, because there are no known pre-image attacks.
New signatures are made with SHA256 hash function."

> If so, why not distribute a new one?
>

It's not that simple. As Marek recently pointed out to me, "The current
QMSK is well known and published in a lot of places (easing its
verification), including various conference videos, physical t-shirts we
sold, some stickers etc. With every new QMSK it will take time until it
will be comparably easy to independently verify."

Having said that, we do have an open issue for generating a new QMSK:

https://github.com/QubesOS/qubes-issues/issues/2818

We likely will at some point, but it's not an action to be taken lightly.

--
Andrew David Wong
Community Manager
The Qubes OS Project
https://www.qubes-os.org