[qubes-users] wrong pgp key signed the qubes-secpack?

Yesterday I was looking through the qubes-secpack and I was building a template with qubes builder, and went to get Marek’s key from qubes-secpack to verify the signatures of qubes-builderv2. So I imported the key from qubes-secpack/keys/core-devs/marmarek-qubescode-signing-keys.asc (I checked the repo and it does say last updated 5 years ago), and qubes builderv2 was signed correctly, but when I went to check the last commit, it was signed by a different key than that one:
gpg: Signature made Wed 04 Feb 2026 10:53:54 AM EST
gpg: using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
gpg: Can’t check signature: No public key
Merge: 10a66c1 84b6f62
Author: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>

Marek signs the secpack with his Qubes security pack key (2D1771FE4D767EDC76B089FAD655A4F21830E06A), not his general code signing key (0064428F455451B3EBE78A7F063938BA42CFA724). This is normal and expected. Simon does the same. You can find the security team secpack keys in /keys/security-team/ in the secpack:

In short, there's nothing wrong with the qubes-secpack or Marek's latest signature on it.

By the way, these Qubes security pack keys are signed by the Qubes master signing key (QMSK), so you don't have to authenticate them independently. The procedure to authenticate the qubes-secpack using the QMSK as the sole root of trust is documented here:
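
Added example, not part of the thread and not the documented Qubes procedure: a small Python check that reads GnuPG machine-readable status lines (as printed by `git verify-commit --raw`) and reports which of the two keys named above made a signature, separating "public key not imported yet" from a real mismatch. The two fingerprints and their roles come from the thread; the function names, verdict strings and sample status lines are constructed for illustration.

```python
# Fingerprints and roles as stated in the thread above.
FPR = "2D1771FE4D767EDC76B089FAD655A4F21830E06A"
KNOWN_KEYS = {
    FPR: "secpack",                                              # Qubes security pack key
    "0064428F455451B3EBE78A7F063938BA42CFA724": "code-signing",  # general code signing key
}
# Constructed status lines (not captured output): key absent, then key present and certified.
MISSING = ("[GNUPG:] ERRSIG D655A4F21830E06A 1 10 00 1770220434 9 " + FPR + "\n"
           "[GNUPG:] NO_PUBKEY D655A4F21830E06A\n")
PRESENT = ("[GNUPG:] VALIDSIG " + FPR + " 2026-02-04 1770220434 0 4 0 1 10 00 " + FPR + "\n"
           "[GNUPG:] TRUST_FULLY 0 pgp\n")

def role_of(key):
    """Map a fingerprint or 16-hex key ID to a role. An ID match is a hint, not proof."""
    if not key or len(key) < 16:
        return None
    for fpr, role in KNOWN_KEYS.items():
        if fpr.endswith(key.upper()):
            return role
    return None

def classify(status_text, expected_role):
    """Return (verdict, signer, role) for one signature's status lines."""
    signer = primary = None
    good = trusted = missing = False
    for line in status_text.splitlines():
        f = line.split()
        if len(f) < 2 or f[0] != "[GNUPG:]":
            continue
        kw, args = f[1], f[2:]
        if kw == "BADSIG":
            return ("bad-signature", args[0] if args else None, None)
        if kw == "VALIDSIG" and args:
            # args[0] is the signing (sub)key, args[9] the primary key when present.
            good, signer = True, args[0]
            primary = args[9] if len(args) > 9 else None
        elif kw == "ERRSIG" and len(args) >= 6:
            missing = args[5] == "9"  # rc 9: public key not in the keyring
            signer = args[6] if len(args) > 6 and args[6] != "-" else args[0]
        elif kw == "NO_PUBKEY" and args:
            missing, signer = True, signer or args[0]
        elif kw in ("TRUST_FULLY", "TRUST_ULTIMATE"):
            trusted = True  # key validity derives from a trusted certifier such as the QMSK
    role = role_of(signer) or role_of(primary)
    if good and role != expected_role:
        return ("valid-but-unexpected-key", signer, role)
    if good:
        return ("verified" if trusted else "valid-but-key-not-certified", signer, role)
    return ("missing-public-key" if missing else "no-signature", signer, role)
```

A `missing-public-key` verdict with role `secpack` is the situation in the first message: the signer is the expected key, it just has not been imported and checked against the QMSK yet.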