How to check the software package signatures?

For the Qubes ISO there are GPG signatures that can be verified. The default templates must therefore be trusted upon installation.

After that, the system is updated. There will be updates from both Debian and Qubes. The user may also install software from Qubes or Debian repositories (let’s ignore third parties).

Is there a way to recheck the signatures for all distribution and Debian software, in all templates and persistent VMs?

I get that all the user has to do is verify the initial signatures. Optionally, the user may also verify the Qubes master that is in the template and dom0. After that, the template and dom0 will take care of signature verification automatically. But this may not be true in a compromised system. I want to manually check and see that the binaries (or source code from which these binaries are produced) are signed by a key that is signed by the master key. I hope this doesn’t get me to reproducible builds, which is incomplete!

I do not understand what you are trying to do. Are you talking about a compromised Template VM or dom0? In the latter case, it’s game over™ and no verification will help you. However, a system restore might [1]. In the former case, checking signatures in a compromised VM can return you any result, depending on what your attacker wants, i.e., it’s meaningless. If you suspect a compromise, recreate the VM, or follow the same guide [1].

[1] Compromise recovery in Qubes OS | Qubes OS

I’m considering both cases.

The software could be verified by mounting the disk that holds the Qubes installation from a live OS running from a USB drive.

If dom0 is not compromised, but somewhere else such as a template is, this case could be verified: dom0 can verify the integrity of the software in the Qubes installation.

Finally, even with a dom0 compromise, the attacker may not tamper with signatures for some period of time, for various reasons (leaving the platform with the data that they want, etc.).

I think this does what you want to do.