installing Signal on Qubes mini-HOWTO


IX4 Svs

Aug 14, 2016, 6:22:30 PM
to qubes...@googlegroups.com
Just spent a few minutes to figure this out so I thought I'd share.

If you're a Signal user on Android, you can now have Signal inside Qubes. Here's how I did it:

1. Install the Chromium browser in your appvm template - skip if you were already using it. Shut down the template VM.
2. Create a new AppVM called Signal
3. Launch Chromium browser in new VM, go to chrome://extensions/ in the address bar and follow the link to the Chrome app store.
4. In the app store, search for "Signal private messenger" and install the app.
5. The app launches automatically on first install. Follow the prompts to "link" this app with your phone.
6. At this stage Signal should work on your Qubes system.

Let's make Signal a bit more usable by creating a shortcut in our desktop panel that launches Signal directly. (this assumes KDE desktop on Dom0)

7. Create a Chromium shortcut using the Qubes way (Q -> Domain: Signal -> Signal: Add more shortcuts... -> Select "Chromium web browser")
9. Right-click on Chromium icon in panel, select "Icon Settings"
10. Change the "Command" field of the "Application" tab to: qvm-run -a --tray Signal '/usr/lib64/chromium-browser/chromium-browser.sh --profile-directory=Default --app-id=(long string which you'll get from the properties of the desktop shortcut you created in step #7)'
11. Copy the Signal app icon file from the Signal AppVM to Dom0. I used the following command to copy the icon file to Dom0: [user@dom0]$ qvm-run --pass-io Signal 'cat /home/user/.local/share/icons/hicolor/48x48/apps/chrome-(long-appID)-Default.png' > /home/users/signal-icon.png
12. Now you can change your new shortcut's icon from Chrome to Signal, by pointing it to /home/users/signal-icon.png

If anyone has a better way of creating a custom panel shortcut I'd love to hear it.

Cheers,

Alex

Nicklaus McClendon

Aug 14, 2016, 6:49:26 PM
to qubes...@googlegroups.com
This is a really neat idea and guide, thanks for sharing it! It might be
better to work with the way Qubes handles the shortcuts internally.
That documentation can be found here.
https://www.qubes-os.org/doc/managing-appvm-shortcuts/#tocAnchor-1-1-1

If you dig through the GetAppMenus RPC, you'll see it (generally put)
draws its source list from desktop files in /usr/share/applications. If
you put a Signal .desktop file in there, you should (I think, untested)
be able to simply use the GetAppMenus RPC.
--
kulinacs <nick...@kulinacs.com>


Andrew David Wong

Aug 15, 2016, 5:19:46 AM
to IX4 Svs, qubes...@googlegroups.com

On 2016-08-14 15:22, IX4 Svs wrote:
> Just spent a few minutes to figure this out so I thought I'd share.
>

Thanks, Alex! Would you mind if we added this to the docs at some point?

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

pixel fairy

Aug 15, 2016, 6:43:18 AM
to qubes-users
On Sunday, August 14, 2016 at 3:22:30 PM UTC-7, Alex wrote:
...

> 1. Install the Chromium browser in your appvm template - skip if you were already using it. Shut down the template VM.

I keep wondering how safe chromium browser is. do redhat or debian track updates in time with google-chrome?

IX4 Svs

Aug 15, 2016, 5:43:26 PM
to Andrew David Wong, qubes...@googlegroups.com
On Mon, Aug 15, 2016 at 10:19 AM, Andrew David Wong <a...@qubes-os.org> wrote:

On 2016-08-14 15:22, IX4 Svs wrote:
> Just spent a few minutes to figure this out so I thought I'd share.
>

Thanks, Alex! Would you mind if we added this to the docs at some point?


Not at all - especially if you improve my clumsy way of creating the custom shortcut (steps 7-12) and use the proper Qubes way that Nicklaus linked to.

Cheers,

Alex

IX4 Svs

Aug 15, 2016, 5:55:08 PM
to pixel fairy, qubes-users
For this specific use case (Signal), there is currently no other option - Chromium is the only way of getting Signal to work on Qubes. I only use Chromium to host the Signal app and Firefox as my mainstream browser for everything else.

If you're wondering in general how well distributions track the Chromium OSS project, I suspect the answer is "very well", but refer to distro-specific release notes to check for yourself. Note that Google Chrome is the Google-branded "stable" release of the Chromium OSS project, so asking whether distributions track updates "in time with Chrome" doesn't make much sense. See https://en.wikipedia.org/wiki/Chromium_(web_browser) for more.

Ben Wika

Aug 15, 2016, 7:49:51 PM
to qubes-users, pixel...@gmail.com

Is F-Droid's Silence any better than Signal given it can run without Google Play Store?

Torsten Grote

Aug 17, 2016, 10:32:48 AM
to qubes...@googlegroups.com
On 08/15/2016 08:49 PM, Ben Wika wrote:
> Is F-Droid's Silence any better than Signal given it can run without Google Play Store?

The issue is not so much the Google Play Store, but the Google Play
Services. Silence has been forked off Signal and works completely
differently now. In contrast to today's Signal, Silence only encrypts SMS
while Signal only sends Signal messages via their server.

Kind Regards,
Torsten

johny...@sigaint.org

Aug 17, 2016, 11:36:01 AM
to Torsten Grote, qubes...@googlegroups.com
On the Signal matter, just some personal paranoia Re: Signal and Google
Play Services:

I've been the subject of some rather intense and ongoing hacking (iPhone,
iPad, Android phone/tablet, PC, MacBook, cable modem connection, you name
it).

On the Android phone, I wiped it several times, and switched to Cyanogen,
but the "weirdness" kept coming back. (Seeing stuff being recorded,
logged, queued to upload etc., when scrutinizing the filesystem with adb.)
The issues often seemed to dance around Google Play Services.

The problem kept coming back, until last time, when I wiped the phone yet
again, but didn't install Google Play Store (and thus no Google Play
Services). Things *appear* to be stable and secure now, with no
logging/recording/uploading weirdness showing up on the filesystem.

I'd like to install and use Signal for obvious reasons, but I honestly
don't trust Google Store/Services enough to take the risk.

(I have a psycho ex with some crooked cop buddies, so I half suspect some
law enforcement/government hook might be present in Google Play Services.
Speculation of course. But I'll personally stay clear for now. I'm not
doing anything illegal, but with crooked cops it really doesn't matter
much. :) )

I did get a copy of Signal from apkmirror, but I expect it might not work
without Play Services, and I'm not sure it'd be smart to implicitly trust
apkmirror, either. So I'll keep my SmartPhone as a DumbPhone for now.

I was kind of excited to hear about Signal for Chromium, but disappointed
to find it relied upon you also having it installed on your smartphone.

Aaaaaand then there's this:
http://arstechnica.com/security/2015/06/not-ok-google-chromium-voice-extension-pulled-after-spying-concerns/

Not cool, Google.

Cheers. :)


Chris Laprise

Aug 17, 2016, 12:09:02 PM
to qubes...@googlegroups.com
I have to say I don't understand the logic of tying an app like Signal
to Google, meaning the user is attached to Google at the hip. Especially
when an app like Ring.cx operates without a browser or even a server,
which seems far less risky.

Chris

RSS

Aug 19, 2016, 1:37:06 PM
to qubes-users

> Is F-Droid's Silence any better than Signal given it can run without
> Google Play Store?

I use CyanogenMod Android minus most of the Google malware (ie. no
Google play). In that configuration Signal refuses to work because it
(at least) depends on Google Play for notifications. Silence however
does not, and works great. On Android, with a sim card.

However, it is my (not deeply researched!!) understanding that the
Signal dev(s) do not like/permit other applications connecting to their
servers. No servers, no direct messages, all Silence messages are
necessarily SMS messages going over the phone network. So Silence will
not work outside of a phone with a working sim card.

Gaijin

Aug 19, 2016, 8:07:17 PM
to qubes...@googlegroups.com
But Google just announced their end of support for Chrome apps on
Windows, Mac, and Linux in early 2018.
https://blog.chromium.org/2016/08/from-chrome-apps-to-web.html
Won't that kill the Signal app?

grzegorz....@gmail.com

Aug 21, 2016, 7:33:24 AM
to qubes-users, gai...@riseup.net
We'll probably have to repeat the same steps in a Chrome OS VM.

pixel fairy

Aug 21, 2016, 2:32:34 PM
to qubes-users, gai...@riseup.net, grzegorz....@gmail.com

> We'll probably have to repeat the same steps in a Chrome OS VM.

where would you get one? you mean chromiumos?

grzegorz....@gmail.com

Aug 21, 2016, 2:44:08 PM
to qubes-users, gai...@riseup.net, grzegorz....@gmail.com
On Sunday, 21 August 2016 20:32:34 UTC+2, pixel fairy wrote:
> > We'll probably have to repeat the same steps in a Chrome OS VM.
>
> where would you get one? you mean chromiumos?

i meant this:
http://getchrome.eu/download.php

pixel fairy

Aug 21, 2016, 4:04:01 PM
to qubes-users, gai...@riseup.net, grzegorz....@gmail.com
that's just chromium on cinnamon desktop. there are builds you can download for chromiumos, and a couple vagrant files to build it for you. if signal really depends on the play store this may or may not work.

the code could be forked and ported to electron, but it would still be up to whispersystems if they want to support that.

Andrew David Wong

Aug 24, 2016, 6:10:34 PM
to IX4 Svs, qubes...@googlegroups.com

Added:

https://www.qubes-os.org/doc/signal/

Thanks!

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

pixel fairy

Aug 24, 2016, 6:43:13 PM
to qubes-users, ix4...@gmail.com
On Wednesday, August 24, 2016 at 3:10:34 PM UTC-7, Andrew David Wong wrote:

> Added:
>
> https://www.qubes-os.org/doc/signal/
>
> Thanks!

just to clarify, this method will soon stop working because chrome apps are being killed, only chromeos (and probably chromiumos) will be able to run it.

there isn't yet a viable qubes-os chrome desktop. cr os linux, linked above, is not chrome os, it's just the chrome browser on the cinnamon desktop. so, unless it's hacked to run chromeos apps, that won't work either.

it is possible to build your own, or download an unofficial build of chromeos.

whispersystems might make another desktop app that does not depend on chrome. or someone can take the source and make one.

pixel fairy

Aug 28, 2016, 8:16:03 PM
to qubes-users, ix4...@gmail.com
On Wednesday, August 24, 2016 at 3:43:13 PM UTC-7, pixel fairy wrote:

> just to clarify, this method will soon stop working because chrome apps are being killed, only chromeos (and probably chromiumos) will be able to run it.

this might fix that. https://github.com/koush/electron-chrome


IX4 Svs

Aug 31, 2016, 6:50:06 PM
to Andrew David Wong, qubes...@googlegroups.com
On Wed, Aug 24, 2016 at 11:10 PM, Andrew David Wong <a...@qubes-os.org> wrote:

On 2016-08-15 14:43, IX4 Svs wrote:
> On Mon, Aug 15, 2016 at 10:19 AM, Andrew David Wong <a...@qubes-os.org>
> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
>>
>> On 2016-08-14 15:22, IX4 Svs wrote:
>>> Just spent a few minutes to figure this out so I thought I'd share.
>>>
>>
>> Thanks, Alex! Would you mind if we added this to the docs at some point?
>>
>>
> Not at all - especially if you improve my clumsy way of creating the custom
> shortcut (steps 7-12) and use the proper Qubes way that Nicklaus linked
> to.
>
> Cheers,
>
> Alex
>

Added:

https://www.qubes-os.org/doc/signal/


Andrew, thanks for adding this to the documentation.

I'm afraid my DIY shortcut kludge does not survive some (potentially boot time) script and is wiped away from the taskbar, only to be replaced by a default "Chrome browser" shortcut. I admit I don't quite comprehend what the actual implementation of https://www.qubes-os.org/doc/managing-appvm-shortcuts/#tocAnchor-1-1-1 should be. A worked example that replaces all but the first step of the "Creating a Shortcut in KDE" section of https://www.qubes-os.org/doc/signal/ would be very much welcome.

Cheers,

Alex

Andrew David Wong

Aug 31, 2016, 9:21:11 PM
to IX4 Svs, qubes...@googlegroups.com

Neither do I. I've always made my custom shortcuts the same general way you do.

> A worked example that replaces all but the first step of the " Creating a
> Shortcut in KDE" section of https://www.qubes-os.org/doc/signal/ would be
> very much welcome.
>

Agreed.

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

IX4 Svs

Sep 1, 2016, 3:41:04 AM
to Andrew David Wong, qubes...@googlegroups.com
Ah, we have a usability issue here then.
 
> A worked example that replaces all but the first step of the " Creating a
> Shortcut in KDE" section of https://www.qubes-os.org/doc/signal/ would be
> very much welcome.
>

Agreed.

Can someone who has figured out how to create one-click buttons to launch arbitrary applications in AppVMs chime in with an example please? I'll then test it and Andrew can stick it in the wiki for all Qubes users to benefit.

Thanks,

Alex

IX4 Svs

Sep 7, 2016, 6:38:56 PM
to Andrew David Wong, qubes...@googlegroups.com
I had a look myself and may have figured out the "proper" way of creating a shortcut to launch Signal. By the way I submitted a pull request for the documentation at https://www.qubes-os.org/doc/managing-appvm-shortcuts/#tocAnchor-1-1-1 because its language is slightly inaccurate.

These instructions (after verification) should replace the shortcut kludge of the signal page you created:

My Signal AppVM uses the fedora-23 template, and I have renamed the .desktop file that Chrome created on that AppVM's desktop to signal.desktop. Now what?

1. Open a dom0 terminal, cd to /var/lib/qubes/vm-templates/fedora-23/
2. Copy Signal:/home/user/Desktop/signal.desktop to dom0:/var/lib/qubes/vm-templates/fedora-23/apps.templates/signal.desktop
3. Lightly edit dom0:/var/lib/qubes/vm-templates/fedora-23/apps.templates/signal.desktop to be as follows:

[Desktop Entry]
Version=1.0
Type=Application
Terminal=false
X-Qubes-VmName=%VMNAME%
Icon=%VMDIR%/apps.icons/signal.png
Name=%VMNAME%: Signal Private Messenger
GenericName=%VMNAME%: Signal
Comment=Private Instant Messenger
Exec=qvm-run -q --tray -a %VMNAME% -- 'qubes-desktop-run /home/user/Desktop/Signal.desktop'

4. Copy Signal:/rw/home/user/.local/share/icons/hicolor/48x48/apps/chrome-<long_string>-Default.png to dom0:/var/lib/qubes/vm-templates/fedora-23/apps.templates/apps.icons/signal.png

5. Copy dom0:/var/lib/qubes/vm-templates/fedora-23/apps.templates/apps.icons/signal.png to dom0:/var/lib/qubes/vm-templates/fedora-23/apps.templates/apps.tempicons/signal.png

6. At this point you should be all set. Ensure Qubes knows about the new menu item you created by starting the fedora-23 template VM and then running in a dom0 terminal: qvm-sync-appmenus fedora-23

7. You should now be able to go back to the GUI and from the Q menu: Q -> Domain: Signal -> Signal: Add more shortcuts...
In the window that will appear, you should now have "Signal Private Messenger" on the left list of available apps. I moved this to the "Selected" list and hit OK, which put the entry in my Q menu.

8. Then I went to Q -> Domain: Signal. I right-clicked on "Signal:Signal Private Messenger" and selected "Add to panel".

9. Success! I now have a button in my KDE panel with which I can launch Signal with one click.

Hope these steps get documented in the wiki (I'm not attempting a direct edit lest I break something) and are helpful to people.

Alex

IX4 Svs

Sep 13, 2016, 6:41:01 PM
to Andrew David Wong, qubes...@googlegroups.com
Alas, even after doing this "the right way" the shortcut disappears from the panel, via no action of my own... I notice that the menu entry I created for "Signal Private Messenger" no longer has an icon. Not sure what may have triggered this. So for me, the proper way of creating arbitrary shortcuts (that are not wiped away without user interaction) is still opaque.

Marek Marczykowski-Górecki

Sep 14, 2016, 4:26:44 AM
to IX4 Svs, Andrew David Wong, qubes...@googlegroups.com
Content of /var/lib/qubes/vm-templates/fedora-23/apps.templates (and
other apps.* there) is generated based on /usr/share/applications and
/usr/local/share/applications in the VM. This includes removing from dom0
files not present in the VM.
So, instead of copying files manually to dom0, place them in one of
those directories (I suggest /usr/share/applications, as it is shared
with AppVMs), and then request synchronization to dom0:

qvm-sync-appmenus fedora-23

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

IX4 Svs

Sep 17, 2016, 10:52:20 AM
to Marek Marczykowski-Górecki, Andrew David Wong, qubes...@googlegroups.com
Okay, this looks like a much more reasonable approach, but still no cigar for me.

I copied SignalVM::/home/user/Desktop/chrome-bikioccmkafdpakkkcpdbppfkghcmihk-Default.desktop to fedora23::/usr/share/applications and then ran dom0::qvm-sync-appmenus fedora-23

It complained "Failed to get icon for chrome-bikioccmkafdpakkkcpdbppfkghcmihk-Default.desktop: No icon received", so I also copied SignalVM::/home/user/.local/share/icons/hicolor/48x48/apps/chrome-bikioccmkafdpakkkcpdbppfkghcmihk-Default.png to fedora23::/usr/share/icons/hicolor/48x48/ . I then re-ran dom0::qvm-sync-appmenus fedora-23 and this time it did not complain. Indeed, I now have a menu item with a nice icon available in all menus of my AppVM.

But enabling the menu item for the SignalVM and then clicking it, does not actually launch the application - it has no visible effect, just a small icon bouncing briefly, then no window. The SignalVM starts, but the application doesn't.

Clicking the original .desktop shortcut created inside SignalVM continues to work fine.


Contents of the (working) SignalVM:/home/user/Desktop/chrome-bikioccmkafdpakkkcpdbppfkghcmihk-Default.desktop:
#!/usr/bin/env xdg-open
[Desktop Entry]
Version=1.0
Terminal=false
Type=Application
Name=Signal Private Messenger
Exec=/usr/lib64/chromium-browser/chromium-browser.sh --profile-directory=Default --app-id=bikioccmkafdpakkkcpdbppfkghcmihk
Icon=chrome-bikioccmkafdpakkkcpdbppfkghcmihk-Default
StartupWMClass=crx_bikioccmkafdpakkkcpdbppfkghcmihk

Contents of the (non-working) dom0:/var/lib/qubes/vm-templates/fedora-23/apps.templates/chrome-bikioccmkafdpakkkcpdbppfkghcmihk-Default.desktop:

[Desktop Entry]
Version=1.0
Type=Application
Terminal=false
X-Qubes-VmName=%VMNAME%
Icon=%VMDIR%/apps.icons/chrome-bikioccmkafdpakkkcpdbppfkghcmihk-Default.png
Name=%VMNAME%: Signal Private Messenger
Exec=qvm-run -q --tray -a %VMNAME% -- 'qubes-desktop-run /usr/share/applications/chrome-bikioccmkafdpakkkcpdbppfkghcmihk-Default.desktop'

Have I done something wrong here, or has something been lost in "translation" by the qvm-sync-appmenus script?

Alex

Marek Marczykowski-Górecki

Sep 17, 2016, 6:41:08 PM
to IX4 Svs, Andrew David Wong, qubes...@googlegroups.com

Both files look ok. What happens when you execute that qvm-run command
from dom0 terminal? Try adding --pass-io option to get more details. And
replace %VMNAME% with actual VM name of course.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

IX4 Svs

Sep 18, 2016, 4:10:00 PM
to Marek Marczykowski-Górecki, Andrew David Wong, qubes...@googlegroups.com
It exits with status 1 after 0.3 seconds with:

[user@dom0 ~]$ qvm-run -q --tray --pass-io -a Signal -- 'qubes-desktop-run /usr/share/applications/chrome-bikioccmkafdpakkkcpdbppfkghcmihk-Default.desktop'
Traceback (most recent call last):
  File "/usr/bin/qubes-desktop-run", line 7, in <module>
    launch(*sys.argv[1:])
  File "/usr/lib64/python2.7/site-packages/qubes/xdg.py", line 8, in launch
    launcher = Gio.DesktopAppInfo.new_from_filename(desktop)
TypeError: constructor returned NULL
[user@dom0 ~]$ 

Alex

Marek Marczykowski-Górecki

Sep 18, 2016, 4:13:54 PM
to IX4 Svs, Andrew David Wong, qubes...@googlegroups.com

On Sun, Sep 18, 2016 at 09:09:58PM +0100, IX4 Svs wrote:
> On Sat, Sep 17, 2016 at 11:41 PM, Marek Marczykowski-Górecki <
> marm...@invisiblethingslab.com> wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > On Sat, Sep 17, 2016 at 03:52:17PM +0100, IX4 Svs wrote:
> > > On Wed, Sep 14, 2016 at 9:26 AM, Marek Marczykowski-Górecki <
> > > marm...@invisiblethingslab.com> wrote:
> > >
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA256
> > > >
> > > Icon=%VMDIR%/apps.icons/chrome-bikioccmkafdpakkkcpdbppfkghcmihk-Default.png
> > > Name=%VMNAME%: Signal Private Messenger
> > > Exec=qvm-run -q --tray -a %VMNAME% -- 'qubes-desktop-run /usr/share/applications/chrome-bikioccmkafdpakkkcpdbppfkghcmihk-Default.desktop'
> > >
> > > Have I done something wrong here, or has something been long in
> > > "translation" by the qvm-sync-appmenus script?
> >
> > Both files looks ok. What happens when you execute that qvm-run command
> > from dom0 terminal? Try adding --pass-io option to get more details. And
> > replace %VMNAME% with actual VM name of course.
> >
>
> It exits with status 1 after 0.3 seconds with:
>
> [user@dom0 ~]$ qvm-run -q --tray --pass-io -a Signal -- 'qubes-desktop-run /usr/share/applications/chrome-bikioccmkafdpakkkcpdbppfkghcmihk-Default.desktop'
> Traceback (most recent call last):
> File "/usr/bin/qubes-desktop-run", line 7, in <module>
> launch(*sys.argv[1:])
> File "/usr/lib64/python2.7/site-packages/qubes/xdg.py", line 8, in launch
> launcher = Gio.DesktopAppInfo.new_from_filename(desktop)
> TypeError: constructor returned NULL
> [user@dom0 ~]$

Check if all required files do exist in Signal VM. This includes
.desktop file, and the one pointed by Exec= line. Maybe there is some
broken symlink?

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

IX4 Svs

Sep 18, 2016, 4:32:09 PM
to Marek Marczykowski-Górecki, Andrew David Wong, qubes...@googlegroups.com
You're right. On Signal VM, /usr/share/applications/chrome-bikioccmkafdpakkkcpdbppfkghcmihk-Default.desktop was simply not there. I could swear I copied it there with
sudo cp <original shortcut> .

I copied it (I believe) again and it now works as expected - all shortcuts launch Signal correctly. Thank you for the troubleshooting assistance. I will document this in the wiki with Andrew's blessing.

Alex
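
The check Marek suggests in this exchange (that the .desktop file and the program named on its Exec= line exist inside the VM, with no broken symlink) can be scripted. The following is an added example, not part of the thread and not Qubes' own tooling; the function names, exit codes and the sample launcher (placeholder app id, /bin/sh standing in for the browser wrapper) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: run inside the VM (not dom0) against the launcher that
# qubes-desktop-run is asked to open. Exit codes are this example's own:
#   0 ok, 1 file missing, 2 dangling symlink, 3 no [Desktop Entry] group,
#   4 no Exec= key, 5 Exec= program missing or not executable

check_desktop_entry() {
    entry=$1

    # A symlink whose target is gone passes -L but fails -e.
    if [ -L "$entry" ] && [ ! -e "$entry" ]; then
        echo "FAIL: $entry is a dangling symlink" >&2
        return 2
    fi
    if [ ! -f "$entry" ]; then
        echo "FAIL: $entry not found in this VM" >&2
        return 1
    fi
    if ! grep -qx '\[Desktop Entry\]' "$entry"; then
        echo "FAIL: $entry has no [Desktop Entry] group" >&2
        return 3
    fi

    # Read Exec= from the [Desktop Entry] group only; [Desktop Action ...]
    # groups can carry their own Exec= lines.
    exec_line=$(awk '
        /^\[/ { in_entry = ($0 == "[Desktop Entry]"); next }
        in_entry && /^Exec[ \t]*=/ { sub(/^Exec[ \t]*=[ \t]*/, ""); print; exit }
    ' "$entry")
    if [ -z "$exec_line" ]; then
        echo "FAIL: $entry has no Exec= key" >&2
        return 4
    fi

    # The first word of the command line is the program. Simplification:
    # a quoted program path that contains spaces is not handled.
    prog=${exec_line%% *}
    prog=${prog#\"}
    prog=${prog%\"}
    case $prog in
        /*) [ -f "$prog" ] && [ -x "$prog" ] && found=yes || found=no ;;
        *)  command -v "$prog" >/dev/null 2>&1 && found=yes || found=no ;;
    esac
    if [ "$found" = no ]; then
        echo "FAIL: Exec= program '$prog' is missing or not executable" >&2
        return 5
    fi
    echo "OK: $entry -> $prog"
}

# Constructed fixture: a launcher shaped like the one in the thread, with a
# placeholder app id; $2 is the program to put on the Exec= line.
write_sample_entry() {
    cat > "$1" <<EOF
[Desktop Entry]
Version=1.0
Terminal=false
Type=Application
Name=Signal Private Messenger
Exec=$2 --profile-directory=Default --app-id=PLACEHOLDER_APP_ID
Icon=chrome-PLACEHOLDER_APP_ID-Default
EOF
}

# Demo on constructed files: one good launcher and three failure modes.
demo() {
    dir=$(mktemp -d)
    write_sample_entry "$dir/good.desktop" /bin/sh
    write_sample_entry "$dir/stale.desktop" "$dir/no-such-browser.sh"
    ln -s "$dir/gone.desktop" "$dir/dangling.desktop"
    for f in good stale dangling missing; do
        check_desktop_entry "$dir/$f.desktop" || echo "  (exit code $?)"
    done
    rm -rf "$dir"
}

if [ "$#" -gt 0 ]; then
    for f in "$@"; do check_desktop_entry "$f" || true; done
else
    demo
fi
```

Run with the path that appears after qubes-desktop-run in the menu entry's Exec= line as its argument; with no argument it runs the constructed demo.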

dlme...@gmail.com

Sep 22, 2016, 3:57:01 AM
to qubes-users
On Monday, 15 August 2016 20:43:18 UTC+10, pixel fairy wrote:
> On Sunday, August 14, 2016 at 3:22:30 PM UTC-7, Alex wrote:
> ...
> > 1. Install the Chromium browser in your appvm template - skip if you were already using it. Shut down the template VM.
>
> I keep wondering how safe chromium browser is. do redhat or debian track updates in time with google-chrome?


Chromium in the supported Fedora template for Qubes (FC23) contains High severity security bugs:

FC23 = 52.0.2743.116-10.fc23.
FC24 = 53.0.2785.113-1.fc24.

See: https://apps.fedoraproject.org/packages/chromium (for builds)

Numerous security vulnerabilities, including High severity CVEs here:
https://googlechromereleases.blogspot.com.au/2016/09/stable-channel-update-for-desktop_13.html

Newer RPMs available here, but haven't been tagged to either updates or updates-testing for FC23:

http://koji.fedoraproject.org/koji/buildinfo?buildID=802754

se...@redhat.com

Sep 22, 2016, 2:11:33 PM
to qubes-users, dlme...@gmail.com


So what you're saying is we should move to Fedora 24.

dlme...@gmail.com

Sep 22, 2016, 5:56:15 PM
to qubes-users, dlme...@gmail.com, se...@redhat.com

Sure. However, FC23 is still listed as a supported release: https://fedoraproject.org/wiki/Releases#Current_Supported_Releases. Maybe only "Critical" security fixes would make it to FC23 though, not "High" (https://www.chromium.org/developers/severity-guidelines), but people likely assume otherwise. Note also that Chromium is not listed as a Critical Path package, unlike Firefox.

dlme...@gmail.com

Sep 23, 2016, 3:52:48 AM
to qubes-users, dlme...@gmail.com, se...@redhat.com


Qubes 3.1 doesn't have an fc24 template.
Qubes 3.2 won't be released with fc23 because it's too late in testing, but will (does currently for the RC) have an fc24 template available.

It looks like chromium-53.0.2785.116-1.fc23 should now be in 'updates-testing' repo (since 2016-09-21 17:43:43Z), but it hasn't propagated far.

Out of 6 mirrors in Australia, only one here even had the previous 53.0.2785.113-1.fc23.x86_64, in 'updates-testing', which is now ~8 days old.

YMMV, but looks like Fedora needs to drop some consistently slow mirrors: https://admin.fedoraproject.org/mirrormanager/propgation

Also, if fc23 users want Chromium, it needs package testers. https://fedoraproject.org/wiki/QA:Updates_Testing.
