Missing key when adding Qubes r4.3 VM repository to Debian 13 (Trixie) HVM

lars-qubes · March 9, 2026, 4:11pm

I am trying to make a Debian 13 (Trixie) HVM qrexec-capable by installing the Qubes agent packages. For this purpose I added the Qubes r4.3 VM repository.

However apt update fails because a required signing key cannot be found.

Error message:

Missing key 1B496066C096FE93D4CF0A6E720415900AB8C804

Repository configuration:

deb [arch=amd64 signed-by=/etc/apt/keyrings/qubes-release-4.3-signing-key.gpg] https://deb.qubes-os.org/r4.3/vm trixie main

apt update output:

Sub-process /usr/bin/sqv returned an error code (1), error message is: 
Missing key 1B496066C096FE93D4CF0A6E720415900AB8C804, which is needed to verify signature.

I already checked the official key directory:

https://keys.qubes-os.org/keys/

and also imported the Qubes OS Release 4.3 signing key:

F3FA3F99D6281F7B3A3E5E871C3D9B627F3FADA4

But the missing key reported by apt

1B496066C096FE93D4CF0A6E720415900AB8C804

does not seem to be available there.

Questions:

Which key is used to sign the r4.3/vm repository for Trixie?
Where can this key be obtained?
Is there an updated keyring package that should be used instead?

My goal is simply to install the Qubes agent packages inside a Debian 13 HVM so it can use qrexec and standard Qubes integration.

Any hints would be appreciated.

Thanks.

parulin · March 9, 2026, 4:35pm

This key is for signing the ISOs.

Check the template keys here: GitHub - QubesOS/qubes-secpack: Qubes Security Pack · GitHub

lars-qubes · March 9, 2026, 10:10pm

Ok, got the key. Thanks for leading me to this location.

I checked the signatures of some keys and especially of this specific key and I discovered it is not signed with the QMSK, just self signed. (BTW, most other keys in qubes-secpack are signed with the QMSK.)

pub   rsa4096 2024-04-10 [SC]
      1B496066C096FE93D4CF0A6E720415900AB8C804
uid           [ unknown] Qubes OS 4.3 Debian Packages Signing Key
sig!3        720415900AB8C804 2024-04-10  [self-signature]

So following “mistrust the infrastructure” I don’t feel good using this key for signing the qubes debian repo.

Is the missing QMSK signature intentional or did I overlook something here?

unman · March 9, 2026, 11:13pm

Read this page about the security pack
In particular-

Only some keys in the qubes-secpack are signed by the QMSK. Keys that
are not signed directly by the QMSK are still signed indirectly by virtue
of being included in the qubes-secpack, which is itself signed (via Git
tags and/or commits) by keys that are in turn signed by the QMSK.

I never presume to speak for the Qubes team. When I comment in the Forum I speak for myself.

unman · March 9, 2026, 11:34pm

Incidentally, what you’re trying to do will almost certainly not work.
The Qubes packages are not intended to be installed in a vanilla
install.
The best way of achieving your goal is to create a standalone based on a
trixie template, and going on from there. It’s quicker and guaranteed to
work.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

lars-qubes · March 9, 2026, 11:43pm

Thx for this hint! I have to admit I didn’t know this is possible.