On 3/1/26 1:39 PM, 'nulled_null_1' via qubes-users wrote:
> Yesterday I was looking through the qubes-secpack and I was building a 
> template with qubes builder and went to get Marek's key from qubes-secpack to 
> verify the signatures of qubes-builderv2, so I imported the key from 
> qubes-secpack/keys/core-devs/marmarek-qubescode-signing-keys.asc (I checked 
> the repo and it does say last updated 5 years ago) and I imported that one 
> and qubes builderv2 was signed correctly, but when I went to check the last 
> commit, it was signed by a different key than that one:
> gpg: Signature made Wed 04 Feb 2026 10:53:54 AM EST
> gpg: using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
> gpg: Can't check signature: No public key
> Merge: 10a66c1 84b6f62
> Author: Marek Marczykowski-Górecki <[email protected]>
> Date: Wed Feb 4 16:53:53 2026 +0100
> 
> Merge remote-tracking branch 'github/pr/96'
> 
> * github/pr/96:
> extend doc-signing key
> This is the output when I checked the last commit to qubes-builderv2 (I used git log 
> --show-signature for both)
> gpg: Signature made Sun 22 Feb 2026 10:35:11 PM EST
> gpg: using RSA key 0064428F455451B3EBE78A7F063938BA42CFA724
> gpg: Good signature from "Marek Marczykowski-Górecki (Qubes OS signing key) 
> <[email protected]>" [full]
> Author: Marek Marczykowski-Górecki <[email protected]>
> Date: Mon Feb 23 04:34:31 2026 +0100
> 
> configs: switch stable kernel branch to 6.18
> 
> Do it in all three configs: 4.2, 4.3, main
> 
> QubesOS/qubes-issues#10713
> 
> Have I done something seriously wrong, or what is going on? This is very 
> concerning; can someone try to replicate this to make sure I'm not crazy?
> 

Marek signs the secpack with his Qubes security pack key 
(2D1771FE4D767EDC76B089FAD655A4F21830E06A), not his general code signing key 
(0064428F455451B3EBE78A7F063938BA42CFA724). This is normal and expected. Simon 
does the same. You can find the security team secpack keys in 
/keys/security-team/ in the secpack:

https://github.com/QubesOS/qubes-secpack/tree/main/keys/security-team

In short, there's nothing wrong with the qubes-secpack or Marek's latest 
signature on it.

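Added example, not part of either message above: a small check that reads `git log --show-signature` output and compares the signing fingerprint against the key expected for that repository, so "No public key" from the expected signer is reported as a missing import rather than a failure. The fingerprints and the repo-to-key mapping are taken from the thread; the names `EXPECTED` and `classify` and the verdict strings are assumptions made for this sketch.

```python
import re

# Fingerprints quoted in the thread; the repo -> key mapping follows the reply.
EXPECTED = {
    "qubes-secpack": "2D1771FE4D767EDC76B089FAD655A4F21830E06A",    # security pack key
    "qubes-builderv2": "0064428F455451B3EBE78A7F063938BA42CFA724",  # code signing key
}

# Constructed samples: the gpg lines from the thread, laid out as git prints them.
SECPACK_LOG = """\
gpg: Signature made Wed 04 Feb 2026 10:53:54 AM EST
gpg:                using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
gpg: Can't check signature: No public key
"""
BUILDER_LOG = """\
gpg: Signature made Sun 22 Feb 2026 10:35:11 PM EST
gpg:                using RSA key 0064428F455451B3EBE78A7F063938BA42CFA724
gpg: Good signature from "Marek Marczykowski-Górecki (Qubes OS signing key)" [full]
"""

KEY_RE = re.compile(r"^gpg:\s+using \w+ key ([0-9A-Fa-f]{40})\s*$")

def classify(repo, log_text):
    """Return one verdict per signature block found in log_text."""
    expected = EXPECTED[repo]
    verdicts, fpr = [], None
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            fpr = m.group(1).upper()
        elif fpr and line.startswith("gpg: Good signature"):
            # A valid signature only counts if it comes from the expected key.
            verdicts.append("ok" if fpr == expected else "unexpected-signer")
            fpr = None
        elif fpr and "No public key" in line:
            # Nothing was verified: the key is simply absent from the keyring.
            verdicts.append("import-expected-key" if fpr == expected else "unknown-signer")
            fpr = None
        elif fpr and line.startswith("gpg: BAD signature"):
            verdicts.append("bad-signature")
            fpr = None
    return verdicts

if __name__ == "__main__":
    print("qubes-secpack:", classify("qubes-secpack", SECPACK_LOG))
    print("qubes-builderv2:", classify("qubes-builderv2", BUILDER_LOG))
```

An `import-expected-key` verdict means the fingerprint is the one the thread names for that repository, so the next step is importing that key from /keys/security-team/ in the secpack and re-running the check.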