wrong pgp key signed the qubes-secpack?


nulled_null_1

Mar 1, 2026, 7:12:45 PM (4 days ago) Mar 1
to qubes...@googlegroups.com
Yesterday I was looking through the qubes-secpack and I was building a template with qubes builder and went to get Marek's key from qubes-secpack to verify the signatures of qubes-builderv2, so I imported the key from qubes-secpack/keys/core-devs/marmarek-qubescode-signing-keys.asc (I checked the repo and it does say last updated 5 years ago) and I imported that one and qubes-builderv2 was signed correctly, but when I went to check the last commit it was signed by a different key than that one:
gpg: Signature made Wed 04 Feb 2026 10:53:54 AM EST
gpg:                using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
gpg: Can't check signature: No public key
Merge: 10a66c1 84b6f62
Author: Marek Marczykowski-Górecki <marm...@invisiblethingslab.com>
Date:   Wed Feb 4 16:53:53 2026 +0100

    Merge remote-tracking branch 'github/pr/96'
   
    * github/pr/96:
      extend doc-signing key
This is the output when I checked the last commit to qubes-builderv2 (I used git log --show-signature for both):
gpg: Signature made Sun 22 Feb 2026 10:35:11 PM EST
gpg:                using RSA key 0064428F455451B3EBE78A7F063938BA42CFA724
gpg: Good signature from "Marek Marczykowski-Górecki (Qubes OS signing key) <marm...@invisiblethingslab.com>" [full]
Author: Marek Marczykowski-Górecki <marm...@invisiblethingslab.com>
Date:   Mon Feb 23 04:34:31 2026 +0100

    configs: switch stable kernel branch to 6.18
   
    Do it in all three configs: 4.2, 4.3, main
   
    QubesOS/qubes-issues#10713

Have I done something seriously wrong, or what is going on? This is very concerning. Can someone try to replicate this to make sure I'm not crazy?

Andrew David Wong

Mar 1, 2026, 7:20:07 PM (4 days ago) Mar 1
to nulled_null_1, qubes...@googlegroups.com
Marek signs the secpack with his Qubes security pack key (2D1771FE4D767EDC76B089FAD655A4F21830E06A), not his general code signing key (0064428F455451B3EBE78A7F063938BA42CFA724). This is normal and expected. Simon does the same. You can find the security team secpack keys in /keys/security-team/ in the secpack:

https://github.com/QubesOS/qubes-secpack/tree/main/keys/security-team

In short, there's nothing wrong with the qubes-secpack or Marek's latest signature on it.

Andrew David Wong

Mar 1, 2026, 7:25:25 PM (4 days ago) Mar 1
to nulled_null_1, qubes...@googlegroups.com
By the way, these Qubes security pack keys are signed by the Qubes master signing key (QMSK), so you don't have to authenticate them independently. The procedure to authenticate the qubes-secpack using the QMSK as the sole root of trust is documented here:

https://doc.qubes-os.org/en/latest/project-security/security-pack.html
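As an added example (not from this thread or the Qubes project), a small Python check that parses `git log --show-signature` output and separates the two situations conflated in the question: a signer that is not on the expected list for that repository, versus an expected signer whose public key simply has not been imported yet. The log lines and fingerprints are the ones quoted above; the per-repository allow list is an assumed local policy.

```python
import re

# Constructed sample: the two `git log --show-signature` excerpts quoted in the
# thread (Author/Date lines elided), joined into one stream.
SAMPLE_LOG = """\
gpg: Signature made Wed 04 Feb 2026 10:53:54 AM EST
gpg:                using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
gpg: Can't check signature: No public key
    Merge remote-tracking branch 'github/pr/96'
gpg: Signature made Sun 22 Feb 2026 10:35:11 PM EST
gpg:                using RSA key 0064428F455451B3EBE78A7F063938BA42CFA724
gpg: Good signature from "Marek Marczykowski-Górecki (Qubes OS signing key) <marm...@invisiblethingslab.com>" [full]
    configs: switch stable kernel branch to 6.18
"""

# Fingerprints as given in the thread: secpack key vs general code-signing key.
SECPACK_KEY = "2D1771FE4D767EDC76B089FAD655A4F21830E06A"
CODE_KEY = "0064428F455451B3EBE78A7F063938BA42CFA724"
KEY_RE = re.compile(r"^gpg:\s+using \w+ key ([0-9A-Fa-f]{40})$")
STATUS = {"gpg: Good signature": "good", "gpg: BAD signature": "bad",
          "gpg: Can't check signature: No public key": "no-pubkey"}

def parse_signatures(log_text):
    """One record per 'gpg: Signature made' block: signer fingerprint, gpg verdict, subject."""
    records = []
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if line.startswith("gpg: Signature made "):
            records.append({"fingerprint": None, "status": "unknown", "subject": None})
        elif not records:
            continue  # text before the first signature block
        elif m:
            records[-1]["fingerprint"] = m.group(1).upper()
        elif line.startswith("    ") and records[-1]["subject"] is None:
            records[-1]["subject"] = line.strip()
        else:
            for prefix, status in STATUS.items():
                if line.startswith(prefix):
                    records[-1]["status"] = status
    return records

def verdict(record, allowed):
    # Assumed policy: `allowed` is the set of fingerprints expected to sign this repo.
    if record["status"] == "bad":
        return "BAD signature"
    if record["fingerprint"] not in allowed:
        return "unexpected signer for this repo"
    if record["status"] == "no-pubkey":
        return "expected signer, key not imported yet"
    return "ok"

def audit(records, allowed):
    return [(r["subject"], r["fingerprint"], verdict(r, allowed)) for r in records]
```

Run the secpack commit against {SECPACK_KEY} and the builder commit against {CODE_KEY}; the first reports the key as expected but not imported, which is exactly the poster's situation.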