Follow the steps described here:
https://qubes.3isec.org/tasks.html
You can download the keys in an AppVM and copy them to dom0.
Trying it out
To test the water, we are making available a test repository, and a simple tool to access it.
The repository definition is:
[3isec-dom0-current]
name = 3isec Qubes Dom0 Repository (updates)
baseurl = https://qubes.3isec.org/rpm/r$releasever/current/dom0/fc32
skip_if_unavailable=False
enabled = 1
metadata_expire = 6h
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-unman
Create a file in dom0 with this content at /etc/yum.repos.d/3isec-dom0.repo
All packages are signed with my Qubes OS Signing key.
You’ll need to get this from a keyserver, or two, to make sure all is fine:
keyserver.ubuntu.com or pgp.mit.edu
You can also check the Qubes users mailing list or look on GitHub.
Once you have copies of the key, check the fingerprint:
gpg -n --import --import-options import-show unman.pub
replacing unman.pub with the path to the key.
The output should look similar to this:
pub   rsa4096 2016-06-25 [SC]
      4B1F 400D F256 51B5 3C41 41B3 8B3F 30F9 C8C0 C2EF
uid   [ unknown] unman (Qubes OS signing key)
sub   rsa4096 2016-06-27 [S] [expires: 2024-06-30]
sub   rsa4096 2016-06-25 [E]
In particular, check that the output from your command contains the fingerprint 4B1F 400D F256 51B5 3C41 41B3 8B3F 30F9 C8C0 C2EF
When you are happy, copy the key into dom0:
qvm-run -p QUBE_WHERE_YOU_DOWNLOADED_KEY 'cat PATH_TO_KEY' > RPM-GPG-KEY-unman
sudo mv RPM-GPG-KEY-unman /etc/pki/rpm-gpg/
Add the key to the rpm keyring:
sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-unman
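
An added example (not from the original post or from the 3isec page): a script for the fingerprint check described above, run in the qube where the key was downloaded. It reads gpg's machine-readable listing and refuses the file unless it holds exactly one public key whose primary fingerprint is the one quoted here. The function names, script name and sample listing are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original page): check a key file's primary
# fingerprint before it is copied to dom0 and imported into the rpm keyring.

# Fingerprint as published on this page.
EXPECTED="4B1F 400D F256 51B5 3C41 41B3 8B3F 30F9 C8C0 C2EF"

# check_primary_fpr FINGERPRINT < colon-listing
# Reads `gpg --with-colons` output on stdin. Succeeds only when the listing
# holds exactly one public key and that key's primary fingerprint matches.
# Subkey fingerprints are ignored: they follow a "sub" record, not "pub".
check_primary_fpr() {
    local want pubs=0 primary="" last="" rec f
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Field 1 is the record type; field 10 of an "fpr" record is the fingerprint.
    while IFS=: read -r rec _ _ _ _ _ _ _ _ f _; do
        case "$rec" in
            pub) pubs=$((pubs + 1)); last=pub ;;
            sub) last=sub ;;
            fpr) if [ "$last" = pub ]; then primary=$f; fi; last="" ;;
        esac
    done
    if [ "$pubs" -ne 1 ]; then
        echo "refusing: expected 1 public key, found $pubs" >&2; return 1
    fi
    if [ "$primary" != "$want" ]; then
        echo "refusing: primary fingerprint is ${primary:-missing}" >&2; return 1
    fi
    echo "OK: $primary"
}

# Constructed sample listing (timestamps and the subkey fingerprint are
# made up; only the primary fingerprint comes from the page).
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:8B3F30F9C8C0C2EF:1466812800:::-:::scSC::::::23::0:
fpr:::::::::4B1F400DF25651B53C4141B38B3F30F9C8C0C2EF:
uid:-::::1466812800::::unman (Qubes OS signing key)::::::::::0:
sub:-:4096:1:0000000000000001:1466985600::::::s::::::23:
fpr:::::::::0000000000000000000000000000000000000001:
EOF
}

# Usage: ./check-key.sh unman.pub   (script name is hypothetical)
if [ "$#" -eq 1 ]; then
    gpg --show-keys --with-colons "$1" | check_primary_fpr "$EXPECTED"
fi
```

If gpg cannot parse the file, the listing is empty and the check fails closed with "found 0".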