yesterday I was looking trough the qubes-secpack and I was building a template with qubes builder and went to get Marek's key from qubes-secpack to verify the signatures of qubes-builderv2 so i imported the key from qubes-secpack/keys/core-devs/marmarek-qubescode-signing-keys.asc (I checked the repo and it does say last updated 5 years ago) and I imported that one and qubes builderv2 was signed correctly but when i went to check the last commit and it was signed by a different key than that one: gpg: Signature made Wed 04 Feb 2026 10:53:54 AM EST gpg: using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A gpg: Can't check signature: No public key Merge: 10a66c1 84b6f62 Author: Marek Marczykowski-Górecki <[email protected]> Date: Wed Feb 4 16:53:53 2026 +0100
Merge remote-tracking branch 'github/pr/96' * github/pr/96: extend doc-signing key this is output when i checked last commit to qubes-builderv2 (i used git log --show-signature for both ) gpg: Signature made Sun 22 Feb 2026 10:35:11 PM EST gpg: using RSA key 0064428F455451B3EBE78A7F063938BA42CFA724 gpg: Good signature from "Marek Marczykowski-Górecki (Qubes OS signing key) <[email protected]>" [full] Author: Marek Marczykowski-Górecki <[email protected]> Date: Mon Feb 23 04:34:31 2026 +0100 configs: switch stable kernel branch to 6.18 Do it in all three configs: 4.2, 4.3, main QubesOS/qubes-issues#10713 have I done something seriously wrong or what is going on? this Is very concerning, can someone try to replicate this to make sure I'm not crazy? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/qubes-users/uzNweDdmTkYYDqM_uK-CqtA2FIvR-bC8D1pBSn5-1fxKEQS1CLJviD6VK6cOVnw2a_1z6F_cdmkBuRrzrK4dJcJG2cxa8PHhHBuDbqtMQdo%3D%40proton.me.
