From a recent Hacker News discussion:
If Qubes ISP is malicious or compromised they can intercept http connections towards Qubes’ servers. This allows them to trivially obtain an SSL cert for keys.qubes-os.org, etc.
Armed with a valid SSL cert, they MITM traffic. When a target downloads qubes they give them a tampered version, when a target downloads the master key, they give them a lookalike key.
The user can happily verify the tampered qubes with the lookalike key.
PGP proves nothing if you cannot verify that you have an authentic copy of the key.
Qubes gives some handwavy suggestions at how to check the key which do not work.
The first item “Use the PGP Web of Trust.” cannot be done because the key isn’t signed by anyone. The other suggestions are inapplicable or won’t achieve anything if the target’s network is being tampered with.
This is not some newfangled problem. PGP has the ability to sign keys for precisely this reason. The main Qubes developers should have personal PGP keys which they use to sign the master key. Their personal keys should be certified by other FOSS developers that they’ve met (maybe the master key too). Then people who are interested in obtaining high confidence in the key can inspect the chain from their own key to the Qubes master key.
Obviously not everyone will perform careful validation, but if some do then substituting the key becomes riskier. Unfortunately not only is the key not verifiable at the moment, but the current situation looks pretty similar to what an ongoing key replacement attack would look like.
I am not knowledgeable enough to answer this, so I am curious what the reasoning behind the Qubes signing procedure is.
Relevant documentation I’ve consulted:
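As an added illustration of the check the quoted comment asks for (this is example code, not part of the discussion above and not Qubes' own tooling), the script below parses the colon-separated output of `gpg --with-colons --list-sigs` for a fetched master key and accepts it only if its fingerprint matches a value obtained out of band and it carries exportable certification signatures from a set of independently known developer key IDs. The listing, key IDs and fingerprints are constructed placeholders; the field positions follow gpg's documented colon format.

```python
# Constructed sample of `gpg --with-colons --list-sigs` output for one key.
# All key IDs and fingerprints are placeholders, not real Qubes values.
SAMPLE_LISTING = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1300000000:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:-::::1300000000::0123456789ABCDEF0123456789ABCDEF01234567::Example Master Signing Key::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1300000000::::Example Master Signing Key:13x:::::2:
sig:::1:BBBBBBBBBBBBBBBB:1300000100::::Developer One <dev1@example.org>:13x:::::2:
sig:::1:CCCCCCCCCCCCCCCC:1300000200::::Developer Two <dev2@example.org>:10l:::::2:
"""

CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP certification signature types


def parse_listing(listing):
    """Return (own_keyid, fingerprint, certifiers, revoked) from colon records.

    certifiers maps signer key ID -> user ID for every *exportable* certification
    made by some key other than the listed key itself; a self-signature proves
    nothing about who vouches for the key, so it is dropped.
    """
    own_keyid = fingerprint = None
    certifiers = {}
    revoked = False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            own_keyid = f[4]
            revoked = "r" in f[1]          # validity field flags a revoked key
        elif f[0] == "fpr" and fingerprint is None:
            fingerprint = f[9]             # first fpr record is the primary key
        elif f[0] == "rev":
            revoked = True                 # explicit revocation signature
        elif f[0] == "sig":
            signer, uid, sigclass = f[4], f[9], f[10]
            # class is two hex digits plus 'x' (exportable) or 'l' (local only)
            if sigclass[:2] in CERT_CLASSES and sigclass.endswith("x") and signer != own_keyid:
                certifiers[signer] = uid
    return own_keyid, fingerprint, certifiers, revoked


def verify_master_key(listing, expected_fpr, required_signers):
    """'ok' is True only if the fingerprint equals the out-of-band value,
    the key is not revoked, and every required developer key has certified it."""
    _, fpr, certifiers, revoked = parse_listing(listing)
    missing = sorted(set(required_signers) - set(certifiers))
    fpr_ok = fpr is not None and fpr.upper() == expected_fpr.replace(" ", "").upper()
    return {"fingerprint_ok": fpr_ok, "revoked": revoked, "certifiers": certifiers,
            "missing_signers": missing, "ok": fpr_ok and not revoked and not missing}
```

A listing fetched over a tampered network only passes when the required signer IDs and the expected fingerprint come from somewhere the attacker does not control, which is exactly the out-of-band step the comment says is missing.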