Installing app on template when it requires signing?

63 views
Skip to first unread message

Stumpy

unread,
Sep 16, 2017, 9:12:37 PM9/16/17
to Qubes users
I tried installing sonarr and it apparently requires that the repo be
signed. I thought no problem until I tried:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys
FDA5DFFC
and I got:
gpg: keyserver receive failed: No route to host
I figure I should be able to download the key from appvm but am not sure
how to do that as I tried the "sudo apt-ket" line from above and I guess
it installed the key on the appvm instead of dl'd it, or perhaps it dl'd
it but I don't know to where.
Thoughts on how to get around this?


Franz

unread,
Sep 16, 2017, 9:52:25 PM9/16/17
to stu...@posteo.co, Qubes users
Try to open the firewall on template for 5 minute, there a flag on Qubes Manager

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscribe@googlegroups.com.
To post to this group, send email to qubes...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d5ca1c2642219e5e2a858e260eeaca61%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

Stumpy

unread,
Sep 17, 2017, 10:00:19 AM9/17/17
to Franz, Qubes users
Yeah that worked. Thx!

Just for my own education, why does the fw allow me to install other
things via apt-get but not via apt-key? Is it just a question of rules?

On 17.09.2017 03:52, Franz wrote:
> On Sat, Sep 16, 2017 at 10:12 PM, Stumpy <stu...@posteo.co> wrote:
>
>> I tried installing sonarr and it apparently requires that the repo
>> be signed. I thought no problem until I tried:
>> sudo apt-key adv --keyserver keyserver.ubuntu.com [1]
>> --recv-keys FDA5DFFC
>> and I got:
>> gpg: keyserver receive failed: No route to host
>> I figure I should be able to download the key from appvm but am not
>> sure how to do that as I tried the "sudo apt-ket" line from above
>> and I guess it installed the key on the appvm instead of dl'd it, or
>> perhaps it dl'd it but I don't know to where.
>> Thoughts on how to get around this?
>
> Try to open the firewall on template for 5 minute, there a flag on
> Qubes Manager
>
>> --
>> You received this message because you are subscribed to the Google
>> Groups "qubes-users" group.
>> To unsubscribe from this group and stop receiving emails from it,
>> send an email to qubes-users...@googlegroups.com.
>> To post to this group, send email to qubes...@googlegroups.com.
>> To view this discussion on the web visit
>>
> https://groups.google.com/d/msgid/qubes-users/d5ca1c2642219e5e2a858e260eeaca61%40posteo.net
>> [2].
>> For more options, visit https://groups.google.com/d/optout [3].
>
>
>
> Links:
> ------
> [1] http://keyserver.ubuntu.com
> [2]
> https://groups.google.com/d/msgid/qubes-users/d5ca1c2642219e5e2a858e260eeaca61%40posteo.net
> [3] https://groups.google.com/d/optout

Unman

unread,
Sep 17, 2017, 12:53:07 PM9/17/17
to Stumpy, Franz, Qubes users
On Sun, Sep 17, 2017 at 04:00:15PM +0200, Stumpy wrote:
> Yeah that worked. Thx!
>
> Just for my own education, why does the fw allow me to install other things
> via apt-get but not via apt-key? Is it just a question of rules?
>
> On 17.09.2017 03:52, Franz wrote:
> > On Sat, Sep 16, 2017 at 10:12 PM, Stumpy <stu...@posteo.co> wrote:
> >
> > > I tried installing sonarr and it apparently requires that the repo
> > > be signed. I thought no problem until I tried:
> > > sudo apt-key adv --keyserver keyserver.ubuntu.com [1]
> > > --recv-keys FDA5DFFC
> > > and I got:
> > > gpg: keyserver receive failed: No route to host
> > > I figure I should be able to download the key from appvm but am not
> > > sure how to do that as I tried the "sudo apt-ket" line from above
> > > and I guess it installed the key on the appvm instead of dl'd it, or
> > > perhaps it dl'd it but I don't know to where.
> > > Thoughts on how to get around this?
> >
> > Try to open the firewall on template for 5 minute, there a flag on
> > Qubes Manager
> >

I know this worked, but it's not necessary and not good practice.

The Templates , by default, are restricted to connecting to the update
proxy service on an upstream qube. (This is tinyproxy.)
If you look here you will find an explanation of this:
www.qubes-os.org/doc/software-update-vm in the "Updates proxy" section.

On the template you are updating there is a qubes-proxy file in
/etc/apt/apt.conf.d/01qubes-proxy. If you look at that fie you will see
that it contains a directive for apt to use the proxy for Acquire::http
That's why apt-get works.

apt-key doesn't reference this file, which is why it's blocked by the
firewall.
You can force use of a proxy calling apt-key like this:
"apt-key adv --keyserver-options http-proxy=http://proxy:port..."

What's wrong with opening the firewall? Beside the fact that you are
potentially compromising the template, (and so all qubes based on it),
there's a bug which means that the firewall doesn't reset after 5
minutes but remains open.

What's the alternative? A simple solution would be to download the key
in a disposableVM (or two using different sources), and then copy it to
the Template using qvm-copy. Most keyservers offer a searchable web
interface to help you find the key you want.
An advantage of doing this is that you are training yourself to use
Qubes to enhance your security. So if you have a work email qube that
is restricted to the mail server at work, you wont be tempted to open up
the firewall because you know there's a better way.

unman

Stumpy

unread,
Sep 17, 2017, 2:18:17 PM9/17/17
to Unman, Franz, Qubes users
Thanks for the detailed explaination, really appreciate it.

I had tried to dl the key but I guess I just don't understand it well
enough as I wasn't able to make it work (though knowing that there might
be a search on the site to look for the key might change things).

You menionted restricting a vm to specific servers, I actually meant to
ask about that but have kept forgetting. I would very much like to
restrict a few of my VMs. It wasn't obvious to me exactly how one would
do that though? Would that be via the vm manager -> settings -> firewall
rules?
Reply all
Reply to author
Forward
0 new messages