Update trouble debian 11 -> debian 12 in Qubes-OS 4.2

I recently upgraded to Qubes 4.2 from 4.1. As part of the upgrades I backed up my customized template qubes and app qubes and then restored them to the new install. Following the update instruction on the Qubes documentation page, I changed the sources.list and qubes-r4.list files. I can successfully upgrade to bookworm. However, checking the qubes-r4.list file, I realized that I have upgraded using the 4.1 repository. I edited the qubes-r4.list file to point at the 4.2 repository, but an apt update triggers the following errors:

W: GPG error: Index of /r4.2/vm/ bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5BB71C441BCB10FE
E: The repository 'Index of /r4.2/vm/ bookworm InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
N: Repository 'Debian bookworm' changed its 'non-free component' value from 'non-free' to 'non-free non-free-firmware'
N: More information about this can be found online in the Release notes at: Chapter 5. Issues to be aware of for bookworm

Looking at the /etc/apt/trusted.gpg.d directory I see that the following keys are present:

debian-archive-bookworm-automatic.asc
debian-archive-bookworm-security-automatic.asc
debian-archive-bookworm-stable.asc

Consequently I don’t know why the apt update command is failing for lack of a public key. Anyone got any ideas?

Ok I got a little farther here…

I determined that pubkey 5BB71C441BCB10FE was the Qubes OS 4.2 Debian packages signing key by invoking 'sudo gpg -k "Debian"' in a genuine 4.2 qube.

I then created an armored key file by invoking 'sudo gpg --export -a -o qubes-os-4.2-debian-packages-signing-key.asc "Qubes OS 4.2 Debian Packages Signing Key"'

I then copied qubes-os-4.2-debian-packages-signing-key.asc to the /etc/apt/trusted.gpg.d in the template I was trying to upgrade.

This removed the not signed error. However when I tried to sudo apt upgrade I get a new error:

Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
xen-utils-guest : Conflicts: xen-hypervisor-common but 4.17.2+76-ge1f9cb16e2-1~deb12u1 is to be installed
E: Broken packages

Any ideas?
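
An added example, not part of the original posts: before a key file is copied into /etc/apt/trusted.gpg.d, this sketch checks that it actually contains the key ID apt reported as NO_PUBKEY and lists its full fingerprints for comparison against a trusted source. The function names are hypothetical, and the sample colon listing (including its fingerprint and subkey ID) is constructed, not the real key's data.

```shell
#!/bin/sh
# Added example; function names are hypothetical, samples are constructed.

# Print each distinct long key ID that apt reported as NO_PUBKEY (stdin: apt output).
missing_key_ids() {
    grep -oE 'NO_PUBKEY [0-9A-F]{16}' | awk '{ print $2 }' | sort -u
}

# Print the long key IDs of primary keys and subkeys (stdin: gpg --with-colons output).
# Field 5 of pub/sub records is the 64-bit key ID that NO_PUBKEY refers to.
colon_key_ids() {
    awk -F: '$1 == "pub" || $1 == "sub" { print $5 }'
}

# Print full fingerprints (field 10 of fpr records) for out-of-band comparison.
colon_fingerprints() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Succeed only if key file $1 contains key ID $2. Requires gpg; --show-keys
# inspects the file without importing it into any keyring.
key_file_has_id() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | colon_key_ids | grep -qx "$2"
}

# Constructed apt output, modelled on the warning quoted in the post above.
SAMPLE_APT="W: GPG error: Index of /r4.2/vm/ bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5BB71C441BCB10FE"

# Constructed colon listing: the fingerprint is a zero-padded placeholder and
# the subkey ID is made up.
SAMPLE_COLONS='pub:-:4096:1:5BB71C441BCB10FE:1600000000:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000005BB71C441BCB10FE:
uid:-::::1600000000::::Qubes OS 4.2 Debian Packages Signing Key::::::::::0:
sub:-:4096:1:1111222233334444:1600000000::::::e::::::23:'

# Demo on the constructed samples; on a real template you would run e.g.
#   id=$(sudo apt-get update 2>&1 | missing_key_ids)
#   key_file_has_id qubes-os-4.2-debian-packages-signing-key.asc "$id"
wanted=$(printf '%s\n' "$SAMPLE_APT" | missing_key_ids)
if printf '%s\n' "$SAMPLE_COLONS" | colon_key_ids | grep -qx "$wanted"; then
    echo "key file contains $wanted; fingerprints to verify:"
    printf '%s\n' "$SAMPLE_COLONS" | colon_fingerprints
fi
```

A matching key ID only shows that the file holds the key apt is asking for; the fingerprint still has to be compared with one obtained from a source you trust, such as the genuine 4.2 qube used above.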

Did you run the upgrade script on the restored templates?

This wasn’t in the documentation, but it helped me get my restored templates working in R4.2

Oh I didn’t realize there were scripts! Reading through them I see they change the qubes-r4.list to the correct version number and have a workaround for the signing issue. I also see that they update using the --no-install-recommends switch and do some trickery with /usr/sbin/policy-rc.d. In addition, the scripts use apt-get to upgrade. I thought apt-get was deprecated in Debian? I would have probably never figured out these nuances in a reasonable amount of time. Thanks for the heads up. These scripts should be mentioned in the template upgrade documentation.