Is there information about the process of software development and key management by the Qubes-OS developers?

I’m looking for documentation on how the Qubes project is organized. In particular, who writes each component of the software, who has to sign it, and how the signing keys and the Qubes Master Key (QMK) are protected.

I see on the website the name of the person that handles each template or piece, and a remark in the documentation that the QMK is in an air gapped vault (presumably in a Qube, not a hardware security module).

The standard approach to compromise Qubes users is to hack a developer or a signing key (see the story around the breach of the LastPass password manager). You are then good to go, hacking Qubes users who presumably have something to hide.

Obviously, we have to trust the OS provider (Microsoft, Apple, Google, Qubes). In all cases, a compromised provider could push a malicious update (to all, or more likely a selective set of users). The question is to make this trust more transparent: individuals, periodic verification process, security measures in place to protect the developers, etc.

who writes each component of the software

I see on the website the name of the person that handles each template or piece

As you observed, there’s a brief description on the team page of the general area on which each person works. I’m not aware of more specific documentation than that. However, since all of the Qubes code is open-source and development is out in the open, you can go through the Git repos and see who makes each commit if you want to know exact details.


who has to sign it

There is this page:

But it may not cover what you want to know, so I again suggest looking at the Git repos to see who actually signs things in practice.


how the signing keys and the Qubes Master Key (QMK) are protected

a remark in the documentation that the QMK is in an air gapped vault (presumably in a Qube, not a hardware security module).

Sounds like you already saw this part:

The QMSK was generated on and is kept only on a dedicated, air-gapped “vault” machine, and the private portion will (hopefully) never leave this isolated machine.

This was written a long time ago, before Joanna handed the QMSK over to @marmarek. I assume it’s still true, but I guess only @marmarek can really answer that.


In that case, you might also be interested in our canary system:

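Added example, not part of the original posts and not Qubes project code: one way to follow the suggestion above to look at the Git repos and see who signs things in practice, by tallying commit-signature status per signing key in a local clone. The function names are made up for this example, and it assumes the signers' public keys are already in your GnuPG keyring.

```shell
#!/bin/sh
# Added example: tally commit-signature status per signing key in a clone.
# Function names are hypothetical. git does the verification through GnuPG,
# so signed commits show as "cannot-check" if the public key is not imported.

# Reads "status<TAB>key id<TAB>author" lines on stdin and prints
# "count<TAB>status<TAB>key id<TAB>author", one row per distinct combination.
summarise_signers() {
    awk -F '\t' '
        BEGIN {
            # Meanings of the %G? codes, as listed in git-log(1).
            label["G"] = "good"
            label["B"] = "BAD"
            label["U"] = "good-unknown-validity"
            label["X"] = "good-sig-expired"
            label["Y"] = "good-key-expired"
            label["R"] = "good-key-revoked"
            label["E"] = "cannot-check"
            label["N"] = "unsigned"
        }
        NF >= 3 {
            status = ($1 in label) ? label[$1] : "unknown:" $1
            key = ($2 == "") ? "-" : $2      # unsigned commits have no key id
            count[status "\t" key "\t" $3]++
        }
        END { for (row in count) printf "%d\t%s\n", count[row], row }
    ' | sort
}

# Usage: signer_report /path/to/clone [revision range or other git-log args]
# %G? = signature status, %GK = key used to sign, %an = author name.
# The author name is unauthenticated metadata; only the key id is bound to
# the commit by the signature.
signer_report() {
    repo=$1
    shift
    git -C "$repo" log --format='%G?%x09%GK%x09%an' "$@" | summarise_signers
}
```

A commit reported as unsigned can still be covered by a signed tag that points at it or at a descendant; `git tag -v <tag>` checks that separately.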