What gpg cat command works on Qubes 4.x?


FenderBender

Aug 18, 2019, 3:30:10 PM
to qubes-users
I created a t-multimedia template and successfully installed spotify. However, I was unable to find a working gpg command to "cat" the spotify.pubkey. (The Qubes webpage directs to a stackexchange discussion which advises a variety of commands, none of which seemed to work on my Qubes 4.x t-multimedia template.)

Nevertheless, the install proceeded. My question is whether it is unsafe due to being unauthenticated, and also whether, by running "spotify" from the template terminal, rather than an AppVM, as root, I unnecessarily and perhaps seriously compromised the integrity of the template.
 
When I got to this command: Install Spotify apt-get install -y spotify-client

it returned a warning to the effect that it 'failed to authenticate'.

So I ran it with "--overide authentication", which allowed me to complete the install.

However, the terminal returned WARNING!THE FOLLOWING PACKAGES COULD NOT BE AUTHENTICATD: spotify-client

This is probably caused because I was unable to successfully run any kind of gpg cat command on spotify.keyfile

I plan to install chrome and opera in this or a similar template. 

Is this playing with fire or is this warning something that can be overlooked? 

American Qubist 001

Aug 18, 2019, 4:58:48 PM
to qubes-users


On Sunday, August 18, 2019 at 12:30:10 PM UTC-7, threeletteragency wrote:
> I created a t-multimedia template and successfully installed spotify. However, I was unable to find a working gpg command to "cat" the spotify.pubkey. (The Qubes webpage directs to a stackexchange discussion which advises a variety of commands, none of which seemed to work on my Qubes 4.x t-multimedia template.)

The Qubes instruction page https://www.qubes-os.org/doc/multimedia/ indicates that the gpg command may be outdated and directs to this stack exchange discussion thread https://unix.stackexchange.com/questions/391344/gnupg-command-to-show-key-info-from-file

Apparently, this thread is asking the same question as OK is now asking, except that OK is trying to verify the signature for his Qubes .pubkey.

Maybe someone should file an issue/request in Qubes documentation https://www.qubes-os.org/doc/reporting-bugs/

and get this cleared up, as the same question is popping up simultaneously from two unrelated users. There is a very specific etiquette regarding bug reports and documentation changes, which are two different things, but both require you to read first, then write. (Like listen, then speak, something I often have to remind myself in life.)

unman

Aug 19, 2019, 12:01:26 PM
to qubes-users
On Sun, Aug 18, 2019 at 12:30:10PM -0700, FenderBender wrote:
> I created a t-multimedia template and successfully installed spotify.
> However, I was unable to find a working gpg command to "cat" the
> spotify.pubkey. (The Qubes webpage directs to a stackexchange discussion
> which advises a variety of commands, none of which seemed to work on my
> Qubes 4.x t-multimedia template.)
>
Debian-10:
gpg --show-keys spotify.pubkey

Debian-9:
gpg --with-fingerprint spotify.pubkey

In both cases, just 'gpg spotify.pubkey' will do

> Nevertheless, the install proceeded. My question is whether it is unsafe due
> to being unauthenticated, and also whether, by running "spotify" from the
> template terminal, rather than an AppVM, as root, I unnecessarily and
> perhaps seriously compromised the integrity of the template.

Yes it is unsafe.
If you use an unverified key in apt, then you trust the repository
without knowing who is putting files in there.
That's a recipe for disaster.

>
> When I got to this command: Install Spotify apt-get install -y
> spotify-client
>
>
> it returned a warning to the effect that it
>
> 'failed to authenticate'
>
> So I ran it with "--overide authentication" which allowed me to complete
> the install.
>
> However,
>
> the terminal returned WARNING!THE FOLLOWING PACKAGES COULD NOT BE
> AUTHENTICATD: spotify-client
>
> This is probably caused because I was unable to successfully run any kind
> of gpg cat command on spotify.keyfile
>
> I plan to install chrome and opera in this or a similar template.
>
> Is this playing with fire or is this warning something that can be
> overlooked?

Fire indeed.
Once you have checked the fingerprint of the key, (against a number of
different sources), use "apt-key add" to include it in the keys that apt
trusts.
Don't install packages that are not authenticated.

unman
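
The fingerprint check recommended in the reply above can be scripted so a key file is rejected unless it matches a fingerprint obtained out-of-band. This is an added example, not part of unman's reply or the Qubes documentation; the function names and the sample listing are constructed for illustration, and `verify_key_file` assumes a gpg that supports `--show-keys` (the Debian-10 case).

```shell
#!/bin/sh
# Added example (not from the thread): compare a repository key file's
# fingerprint with one obtained out-of-band before apt is told to trust it.

# Constructed `gpg --with-colons` listing: one primary key and one subkey.
SAMPLE_COLONS='pub:-:4096:1:0123456789ABCDEF:1500000000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
uid:-::::1500000000::::Example Repo <repo@example.invalid>:
sub:-:4096:1:FEDCBA9876543210:1500000000::::::e:
fpr:::::::::9999888877776666555544443333222211110000:'

# Print the fingerprint of each primary key in a colon listing on stdin.
# The fpr record after a "sub" line belongs to a subkey and is skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Normalise a fingerprint as it is usually pasted: no spaces, upper case.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Succeed only if stdin lists exactly one primary key whose fingerprint is
# $1. Short key IDs and files carrying extra keys are rejected.
fingerprint_matches() {
    expected=$(normalise_fpr "$1")
    found=$(primary_fingerprints)
    case "$expected" in *[!0-9A-F]*) return 1 ;; esac
    [ "${#expected}" -eq 40 ] && [ "$found" = "$expected" ]
}

# verify_key_file KEYFILE EXPECTED_FPR   (hypothetical helper; needs gpg)
# Uses the Debian-10 command from the reply above plus --with-colons.
verify_key_file() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | fingerprint_matches "$2"
}
```

Only when `verify_key_file` succeeds would the key file be passed to "apt-key add"; a non-zero exit means the file should not be trusted.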