On Sun, Aug 18, 2019 at 12:30:10PM -0700, FenderBender wrote:
> I created a t-multimedia template and successfully installed spotify.
> However, I was unable to find a working gpg command to "cat" the
> spotify.pubkey. (The Qubes webpage directs to a stackexchange discussion
> which advises a variety of commands, none of which seemed to work on my
> Qubes 4.x t-multimedia template.)
>
Debian-10:
gpg --show-keys spotify.pubkey
Debian-9:
gpg --with-fingerprint spotify.pubkey
In both cases, just 'gpg spotify.pubkey' will do.
> Nevertheless, the install proceeded. My question is whether it is unsafe due
> to being unauthenticated, and also whether, by running "spotify" from the
> template terminal, rather than an AppVm, as root, I unnecessarily and
> perhaps seriously compromised the integrity of the template.
Yes it is unsafe.
If you use an unverified key in apt, then you trust the repository
without knowing who is putting files in there.
That's a recipe for disaster.
>
> When I got to this command: Install Spotify apt-get install -y
> spotify-client
>
>
> it returned a warning to the effect that it
>
> 'failed to authenticate'
>
> So I ran it with "--overide authentication" which allowed me to complete
> the install.
>
> However,
>
> the terminal returned WARNING!THE FOLLOWING PACKAGES COULD NOT BE
> AUTHENTICATD: spotify-client
>
> This is probably caused because I was unable to successfully run any kind
> of gpg cat command on spotify.keyfile
>
> I plan to install chrome and opera in this or a similar template.
>
> Is this playing with fire or is this warning something that can be
> overlooked?
Fire indeed.
Once you have checked the fingerprint of the key, (against a number of
different sources), use "apt-key add" to include it in the keys that apt
trusts.
Don't install packages that are not authenticated.
unman
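
The check-then-add sequence from the reply above, as a shell sketch that only calls "apt-key add" when the key file's fingerprint equals one you confirmed from independent sources. This is an added example, not part of the original thread; the helper names, the expected-fingerprint argument and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names and the sample listing are constructed.

# Print every primary-key fingerprint from `gpg --with-colons` output on stdin.
# The "fpr" record right after a "pub" record holds the fingerprint in field 10;
# "fpr" records after "sub" belong to subkeys and are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Strip whitespace and uppercase, so "0123 4567 ..." compares equal to gpg's form.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Succeed only if EXPECTED is a full 40-hex-digit fingerprint equal to ACTUAL.
# Short key IDs are rejected, and a file holding two keys yields 80 digits: no match.
fpr_matches() {
    exp_n=$(normalise_fpr "$1")
    act_n=$(normalise_fpr "$2")
    case "$exp_n" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#exp_n}" -eq 40 ] && [ "$exp_n" = "$act_n" ]
}

# Constructed listing in gpg's colon format (not a real key).
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:89ABCDEF01234567:1530000000:::-:::scSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1530000000::::Example Repository Key (constructed)::::::::::0:
sub:-:4096:1:76543210FEDCBA98:1530000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
}

# Usage in the template: add_key_if_verified spotify.pubkey "<fingerprint you confirmed>"
# --show-keys is the Debian-10 form given in the reply.
add_key_if_verified() {
    actual=$(gpg --show-keys --with-colons "$1" | primary_fprs)
    if fpr_matches "$2" "$actual"; then
        apt-key add "$1"
    else
        echo "fingerprint mismatch, key NOT added: ${actual:-none}" >&2
        return 1
    fi
}
```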