All files are signed with my Qubes OS Signing key.
You'll need to get this from a keyserver, or two, to make sure all is fine:
pub 4096R/C8C0C2EF 2016-06-25
Key fingerprint = 4B1F 400D F256 51B5 3C41 41B3 8B3F 30F9 C8C0 C2EF
uid unman (Qubes OS signing key)
sub 4096R/4731B36C 2016-06-27 [expires: 2022-06-30]
You can also check the Qubes users mailing list or look on github.
Once you have copies of the key, check the fingerprint:
gpg -n --import --import-options import-show
replacing "" with the path to the key you saved.
Once you are satisfied that you have a genuine key, you can use it to validate the packages.
To use a Ubuntu repository, copy the validated key to a Ubuntu Template, and install it using apt-key.
sudo apt-key add unman.pub
replacing "unman.pub" with the path to the key.
Then add a line like this to /etc/apt/sources.list:
deb https://qubes.3isec.org/4.0 focal main
deb https://qubes.3isec.org/4.0 bionic main
To use the Arch repository you will need to get my Qubes OS signing key, validate it
against sources in this mailing list, or at GitHub, or against different
downloads via Tor.
qvm-copy the key in to the arch template.
Add the key:
sudo pacman-key --add
sudo pacman-key --lsign unman
Then either create a new file, or rename the existing
Open the conf file for editing - the contents should be:
Server = https://qubes.3isec.org/arch/4.0
sudo pacman -Syuu
For 4.1, follow the above process, changing 4.0 to 4.1 throughout.