Qube Master


Ronald Gruzinsky

Jul 26, 2024, 12:40:38 AMJul 26
to TI-Calculators

Any risks are probably restricted to the Windows qube you are using. You can minimize these risks if you use a dedicated AppVM for these tasks and move any files downloaded to a minimally configured Linux qube - e.g. just containing a PDF viewer and no other software.

The Qubes OS Project uses digital signatures to guarantee the authenticity and integrity of certain important assets. This page explains how to verify those signatures. It is extremely important for your security to understand and apply these practices.

Digital signatures can prove both authenticity and integrity to a reasonable degree of certainty. Authenticity ensures that a given file was indeed created by the person who signed it (i.e., that a third party did not forge it). Integrity ensures that the contents of the file have not been tampered with (i.e., that a third party has not undetectably altered its contents en route).

Digital signatures cannot prove, e.g., that the signed file is not malicious. In fact, there is nothing that could stop someone from signing a malicious program (and it happens from time to time in reality).

So, what should you do? One option is to use the PGP Web of Trust. In addition, some operating systems include the means to acquire the QMSK securely. For example, on Fedora, dnf install distribution-gpg-keys will get you the QMSK along with several other Qubes keys. On Debian, your keyring may already contain the necessary keys.

Instead, what matters is that all the characters are present in exactly the same order. If even one character is different, the fingerprints should not be considered the same. Even if two fingerprints have all the same characters, if any of those characters are in a different order, sequence, or position, then the fingerprints should not be considered the same.

After you have completed these two prerequisite steps, the next step is to obtain the correct RSK. The filename pattern for RSKs is qubes-release-X-signing-key.asc, where X is either a major or minor Qubes release number, such as 4 or 4.2. There are several ways to get the RSK for your Qubes release.

This is just an example, so the output you receive may not look exactly the same. What matters is the line with a sig! prefix showing that the QMSK has signed this key. This verifies the authenticity of the RSK. Note that the ! flag after the sig tag is important because it means that the key signature is valid. A sig- prefix would indicate a bad signature, and sig% would mean that gpg encountered an error while verifying the signature. It is not necessary to independently verify the authenticity of the RSK, since you already verified the authenticity of the QMSK.

There are two ways to verify Qubes ISOs: cryptographic hash values and detached PGP signatures. Both methods are equally secure. Using just one method is sufficient to verify your Qubes ISO. Using both methods is not necessary, but you can do so if you like. One method might be more convenient than another in certain circumstances, so we provide both. This section covers cryptographic hash values. For the other method, see how to verify detached PGP signatures on Qubes ISOs.

One convenient property of hash values is that they can be generated on any computer. This means, for example, that you can download a Qubes ISO on one computer, hash it, then visually compare that hash value to the one you generated or have saved on a different computer.

If the filename of your ISO is Qubes-RX-x86_64.iso, then the name of the digest file for that ISO is Qubes-RX-x86_64.iso.DIGESTS, where X is a specific release of Qubes. The digest filename is always the same as the ISO filename followed by .DIGESTS. Since the digest file is a plain text file, you can open it with any text editor. Inside, you should find text that looks similar to this:

Four digests have been computed for this ISO. The hash functions used, in order from top to bottom, are MD5, SHA-1, SHA-256, and SHA-512. One way to verify that the ISO you downloaded matches any of these hash values is by using the respective *sum command:

The OK response tells us that the hash value for that particular hash function matches. The program also warns us that there are 23 improperly formatted lines, but this is expected. This is because each file contains lines for several different hash values (as mentioned above), but each *sum program verifies only the line for its own hash function. In addition, there are lines for the PGP signature that the *sum programs do not know how to read. Therefore, it is safe to ignore these warning lines.

However, it is possible that an attacker replaced Qubes-RX-x86_64.iso with a malicious ISO, computed the hash values for that malicious ISO, and replaced the values in Qubes-RX-x86_64.iso.DIGESTS with his own set of values. Therefore, we should also verify the authenticity of the listed hash values. Since Qubes-RX-x86_64.iso.DIGESTS is a clearsigned PGP file, we can use GPG to verify the signature in the digest file:

This is just an example, so the output you receive will not look exactly the same. What matters is the line that says Good signature from "Qubes OS Release X Signing Key". This confirms that the signature on the digest file is good.

There are two ways to verify Qubes ISOs: cryptographic hash values and detached PGP signatures. Both methods are equally secure. Using just one method is sufficient to verify your Qubes ISO. Using both methods is not necessary, but you can do so if you like. One method might be more convenient than another in certain circumstances, so we provide both. This section covers detached PGP signatures. For the other method, see how to verify the cryptographic hash values of Qubes ISOs.

Every Qubes ISO is released with a detached PGP signature file, which you can find on the downloads page alongside the ISO. If the filename of your ISO is Qubes-RX-x86_64.iso, then the name of the signature file for that ISO is Qubes-RX-x86_64.iso.asc, where X is a specific release of Qubes. The signature filename is always the same as the ISO filename followed by .asc.

Download both the ISO and its signature file. Put both of them in the same directory, then navigate to that directory. Now, you can verify the ISO by executing this GPG command in the directory that contains both files:

This is just an example, so the output you receive will not look exactly the same. What matters is the line that says Good signature from "Qubes OS Release X Signing Key". This confirms that the signature on the ISO is good.

This command reads the exact number of bytes from your USB drive as the size of the original ISO and pipes them into gpg. The usual form of a gpg verification command is gpg --verify . Our command is using shell redirection in order to use data from your USB drive as the , which is why the - at the end of the command is required. Remember that you still must have properly imported and trusted the QMSK and appropriate RSK in order for this to work. You should receive a Good signature message for the appropriate RSK, which should be signed by a copy of the QMSK that you previously confirmed to be genuine.

Whenever you use one of the Qubes repositories, you should use Git to verify the PGP signature in a tag on the latest commit or on the latest commit itself. (One or both may be present, but only one is required.) If there is no trusted signed tag or commit on top, any commits after the latest trusted signed tag or commit should not be trusted. If you come across a repo with any unsigned commits, you should not add any of your own signed tags or commits on top of them unless you personally vouch for the trustworthiness of the unsigned commits. Instead, ask the person who pushed the unsigned commits to sign them.

Your working directory does not contain the required files. Go back and follow the instructions more carefully, making sure that you put all required files in the same directory and navigate to that directory.

On operating systems like Windows and macOS, the desktop environment is unchangeable and part of that operating system. With Linux, any of a number of desktop environments are an option. Qubes OS is installed with XFCE as its default desktop environment, but it also supports KDE, as well as the window managers i3 and AwesomeWM.

Want to see some examples? Check out our in-depth guide on how to organize your qubes, which walks through several common use cases based on our user research and years of experience from veteran Qubes users.

Make sure your hardware satisfies the system requirements, as Qubes OS cannot run on every type of computer. You may also want to check out Qubes-certified Hardware and take a look at the Hardware Compatibility List (HCL).

I too have a MK2 on the master as a glue. One thing I like about it is that I can alter the sound subtly or extremely. This helps to add different tonality to the entire song and take it somewhere else. Or I slap it on a bus to process specifics.

Using an FMR RNC on master inserts on a Midas 160.
Mainly to glue things and/or give it character.
Changed my mixing approach: I actually often happen to mix into the RNC from scratch, and this has opened a whole new mixing experience for me.
Would love to try an AH though.

I have a pipeline that I would like to integrate SonarQube into so it can analyze my master branch. I created 2 containers on Docker, one with SonarQube running on it and one with a GitLab runner. After following the SonarQube instructions on their website (link at the bottom of this post) I ran into some trouble. This is my job log:

I have spent multiple hours trying to find a solution and reading through the documentation, but none of them work for me, including: creating new runners, trying to expose ports in Docker, and making a network bridge between the 2 containers. Has anyone run into this problem before?
