Separate download and verify in qubesbuilder v2
18 views
Skip to first unread message
m...@alex0.net
May 25, 2025, 12:01:56 AMMay 25
to qubes...@googlegroups.com
Hi,
Is there an accepted way to perform commit and archive verification independently from the download process in qubesbuilder v2? Looking at the fetch scripts it seems like both steps are combined. Even if it’d be executed in a dvm, it feels like it breaks the Qubes security model for a qube with internet access to enforce signature verification on code that will eventually (after compilation and packaging) be transferred to dom0. Ideally what I’d like to do is download and verify once on an internet-connected qube, transfer sources to the airgap development environment via qvm-copy, and then verify again before building.
Best,
Alex
Is there an accepted way to perform commit and archive verification independently from the download process in qubesbuilder v2? Looking at the fetch scripts it seems like both steps are combined. Even if it’d be executed in a dvm, it feels like it breaks the Qubes security model for a qube with internet access to enforce signature verification on code that will eventually (after compilation and packaging) be transferred to dom0. Ideally what I’d like to do is download and verify once on an internet-connected qube, transfer sources to the airgap development environment via qvm-copy, and then verify again before building.
Best,
Alex
Reply all
Reply to author
Forward
0 new messages