Chrome browser installation


Raymond Rizzuto

Mar 27, 2015, 8:28:28 PM
to qubes...@googlegroups.com
I succeeded in installing the Chrome browser with the following procedure, however I am not sure this is optimal:

In the template vm, after disabling the firewall temporarily

- the yum install failed with:

Retrieving key from https://dl-ssl.google.com/linux/linux_signing_key.pub


GPG key retrieval failed: [Errno 14] curl#22 - "The requested URL returned error: 403"

- emacs /etc/yum.repos.d/google-chrome.repo - changed gpgcheck to 0, reran the yum command from the web site

I'm bothered about the need to turn off gpgcheck.  It makes me wonder if I really installed the "official" chrome browser.  Anyone have a better procedure?

Since I am still playing around, I may end up reinstalling Qubes from scratch and reapplying the correct procedure.

Marek Marczykowski-Górecki

Mar 28, 2015, 5:52:50 AM
to Raymond Rizzuto, qubes...@googlegroups.com

On Fri, Mar 27, 2015 at 05:28:27PM -0700, Raymond Rizzuto wrote:
> I succeeded in installing the Chrome browser with the following procedure,
> however I am not sure this is optimal:
>
> In the template vm, after disabling the firewall temporarily
>
> - followed instruction in
> http://www.if-not-true-then-false.com/2010/install-google-chrome-with-yum-on-fedora-red-hat-rhel/
> - the yum install failed with:
>
> Retrieving key from https://dl-ssl.google.com/linux/linux_signing_key.pub
>
>
> GPG key retrieval failed: [Errno 14] curl#22 - "The requested URL returned
> error: 403"

This looks to be blocked by the updates proxy used in Qubes. The purpose of
this proxy is to allow access only to the updates from some repository.
The key is not a part of the repository, thus is blocked. You need to
download the key manually, somehow verify it, then import it using sudo
rpm --import.

> - emacs /etc/yum.repos.d/google-chrome.repo - changed gpgcheck to 0, reran
> the yum command from the web site
>
> I'm bothered about the need to turn off gpgcheck. It makes me wonder if I
> really installed the "official" chrome browser. Anyone have a better
> procedure?
>
> Since I am still playing around, I may end up reinstalling Qubes from
> scratch and reapplying the correct procedure.
>


--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Raymond Rizzuto

Mar 28, 2015, 9:44:39 AM
to qubes...@googlegroups.com, ray.r...@gmail.com
I think I had the error even though I disabled the firewall temporarily during the install that failed.

I'll uninstall and try it again.  If not I'll import the key manually.
 

Marek Marczykowski-Górecki

Mar 28, 2015, 3:01:17 PM
to Raymond Rizzuto, qubes...@googlegroups.com

Updates proxy is used even if you disable firewall. If you want to
disable updates proxy (which is a bad idea), there is separate option
for that in firewall tab (it will work only when you select it before
template start).

> I'll uninstall and try it again. If not I'll import the key manually.


--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Fredrik Strömberg

Mar 28, 2015, 3:54:14 PM
to qubes...@googlegroups.com
On Sat, Mar 28, 2015 at 8:01 PM, Marek Marczykowski-Górecki
<marm...@invisiblethingslab.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sat, Mar 28, 2015 at 06:44:38AM -0700, Raymond Rizzuto wrote:
>>
>>
>> On Saturday, March 28, 2015 at 5:52:50 AM UTC-4, Marek Marczykowski-Górecki
>> wrote:
>> >
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA1
>> >
>> > On Fri, Mar 27, 2015 at 05:28:27PM -0700, Raymond Rizzuto wrote:
>> > > I succeeded in installing the Chrome browser with the following
>> > procedure,
>> > > however I am not sure this is optimal:
>> > >


Hi!

Here's how I do it.

1. Start a new DisposableVM and download Chrome from
https://www.google.com/chrome (using Firefox)
2. When it's downloaded select "Open Containing Folder"
3. Right-click and "Move to other AppVM" (move it to your template)
4. Open a terminal in your TemplateVM and install using "sudo yum
install PACKAGE". The package will be in ~/QubesIncoming/

Security considerations:
Using a newly started DisposableVM to browse to google.com/chrome and
download the file decreases the attack surface. Using the browser in
your template opens you up to the risk of malware persistently
infecting it through Firefox vulns. Make sure you're downloading the
file over HTTPS to assure integrity. After installing Chrome the file
google-chrome.repo will be added to /etc/yum.repos.d with gpgcheck=1.

Note that you're not relying on the broken CA system when doing this,
as Firefox uses certificate pinning for google.com. See
https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

I'd also recommend cloning the template before experimenting. I have a
few templates for production and clone them whenever I want to try
something.

I hope this helps.

Cheers,
Fredrik Strömberg
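
Added example (not part of any post in this thread): a shell sketch of the manual check Marek describes, combined with the package install from Fredrik's step 4. The function names, `EXPECTED_FPR` and the `rpm -K` output matching are assumptions of this example; the fingerprint is a placeholder to be filled in from a trusted source.

```shell
#!/bin/sh
# Added example, not from the thread. EXPECTED_FPR is a placeholder: take the
# real fingerprint from a source you trust, independent of the key download.
EXPECTED_FPR="REPLACE_WITH_FINGERPRINT_FROM_TRUSTED_SOURCE"

# Normalise a fingerprint: strip whitespace, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the primary key
# fingerprint (field 10 of the first "fpr" record).
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only if KEYFILE's primary fingerprint equals EXPECTED.
key_matches() {   # usage: key_matches KEYFILE EXPECTED
    actual=$(gpg --show-keys --with-colons "$1" 2>/dev/null | primary_fpr)
    [ -n "$actual" ] && [ "$actual" = "$(normalize_fpr "$2")" ]
}

# Read `rpm -K` output on stdin. rpm -K can report OK for an unsigned package
# whose digests match, so require that a signature is named and nothing failed.
# Assumption: a checked signature shows up as "pgp", "gpg" or "signatures".
sig_ok() {
    awk '/NOT OK/ { bad = 1 }
         /(pgp|gpg|signatures)/ && / OK$/ { good = 1 }
         END { exit !(good && !bad) }'
}

# Import the key and install the package only after both checks pass.
install_verified() {   # usage: install_verified KEYFILE RPMFILE
    key_matches "$1" "$EXPECTED_FPR" || { echo "key fingerprint mismatch" >&2; return 1; }
    sudo rpm --import "$1" || return 1
    rpm -K "$2" | sig_ok || { echo "package signature not verified" >&2; return 1; }
    sudo yum install "$2"
}
```

If gpgcheck was set to 0 in /etc/yum.repos.d/google-chrome.repo, set it back to 1 once the key has been imported.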

Raymond Rizzuto

Mar 28, 2015, 5:16:12 PM
to qubes...@googlegroups.com
Thanks. That seems like a reasonable approach. I guess the only downside of having multiple template VMs (e.g. one with and one without flash) is that if you later want to use package Z in all the AppVMs derived from the templates, you would need to install package Z in all the template VMs.

Raymond Rizzuto

Mar 28, 2015, 10:39:32 PM
to qubes...@googlegroups.com
I uninstalled flash in the template vm, but when I started chrome in the personal vm, it still played flash.  That's when I found out that Chrome has an embedded version of flash, which can be turned off via chrome://plugins.  Is the embedded one any more secure than the external one?