On Sun, Sep 17, 2017 at 04:00:15PM +0200, Stumpy wrote:
> Yeah that worked. Thx!
>
> Just for my own education, why does the fw allow me to install other things
> via apt-get but not via apt-key? Is it just a question of rules?
>
> On 17.09.2017 03:52, Franz wrote:
> > On Sat, Sep 16, 2017 at 10:12 PM, Stumpy <stu...@posteo.co> wrote:
> >
> > > I tried installing sonarr and it apparently requires that the repo
> > > be signed. I thought no problem until I tried:
> > > sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys FDA5DFFC
> > > and I got:
> > > gpg: keyserver receive failed: No route to host
> > > I figure I should be able to download the key from appvm but am not
> > > sure how to do that as I tried the "sudo apt-key" line from above
> > > and I guess it installed the key on the appvm instead of dl'd it, or
> > > perhaps it dl'd it but I don't know to where.
> > > Thoughts on how to get around this?
> >
> > Try to open the firewall on the template for 5 minutes; there's a flag in
> > Qubes Manager
> >

I know this worked, but it's not necessary and not good practice.

The Templates, by default, are restricted to connecting to the update proxy service on an upstream qube. (This is tinyproxy.) If you look here you will find an explanation of this: www.qubes-os.org/doc/software-update-vm in the "Updates proxy" section.

On the template you are updating there is a qubes-proxy file in /etc/apt/apt.conf.d/01qubes-proxy. If you look at that file you will see that it contains a directive for apt to use the proxy for Acquire::http. That's why apt-get works. apt-key doesn't reference this file, which is why it's blocked by the firewall.

You can force use of a proxy by calling apt-key like this:
"apt-key adv --keyserver-options http-proxy=http://proxy:port..."

What's wrong with opening the firewall? Besides the fact that you are potentially compromising the template (and so all qubes based on it), there's a bug which means that the firewall doesn't reset after 5 minutes but remains open.

What's the alternative? A simple solution would be to download the key in a disposableVM (or two, using different sources), and then copy it to the Template using qvm-copy. Most keyservers offer a searchable web interface to help you find the key you want.

An advantage of doing this is that you are training yourself to use Qubes to enhance your security. So if you have a work email qube that is restricted to the mail server at work, you won't be tempted to open up the firewall because you know there's a better way.

unman
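
The alternative described above (fetch the key in a disposableVM from two sources, then qvm-copy it to the Template), sketched as an added example that is not part of the original thread: it compares the full primary-key fingerprint of both downloads before anything is copied. The function names, the file names and the sample fingerprints are assumptions made for illustration, and it assumes a GnuPG recent enough to have --show-keys.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the primary-key fingerprint from a `gpg --with-colons` listing on stdin.
# The first "fpr" record after a "pub" record is the primary key's; later
# "fpr" records belong to subkeys and are ignored.
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print toupper($10); exit }'
}

# keys_agree LISTING_A LISTING_B SHORT_ID
# 0: both listings carry the same full fingerprint and it ends in SHORT_ID
# 1: mismatch (a 32-bit short ID can collide, so it alone is never enough)
# 2: a listing held no public key
keys_agree() {
    fa=$(primary_fpr < "$1")
    fb=$(primary_fpr < "$2")
    id=$(printf '%s' "$3" | tr 'a-f' 'A-F')
    [ -n "$fa" ] && [ -n "$fb" ] || return 2
    [ "$fa" = "$fb" ] || return 1
    case "$fa" in *"$id") return 0 ;; *) return 1 ;; esac
}

# check_key_files FILE_A FILE_B SHORT_ID: list both downloads with gpg
# (nothing is imported into a keyring) and compare them.
check_key_files() {
    t=$(mktemp -d) || return 2
    if gpg --show-keys --with-colons "$1" > "$t/a" &&
       gpg --show-keys --with-colons "$2" > "$t/b" &&
       keys_agree "$t/a" "$t/b" "$3"; then rc=0; else rc=$?; fi
    rm -rf "$t"
    return "$rc"
}

# Constructed colon listing for fingerprint $1 (sample data, not a real key).
sample_listing() {
    printf 'pub:-:4096:1:0000000000000000:1400000000:::-:::scESC:\n'
    printf 'fpr:::::::::%s:\n' "$1"
    printf 'uid:-::::1400000000::::Example Repo <repo@example.invalid>:\n'
    printf 'sub:-:4096:1:1111111111111111:1400000000::::::e:\n'
    printf 'fpr:::::::::%s:\n' 1111111111111111111111111111111111111111
}

# In the disposableVM, with the two downloads saved as key-a.asc / key-b.asc:
#   check_key_files key-a.asc key-b.asc FDA5DFFC && qvm-copy key-a.asc
# In the Template (<dispvm-name> is a placeholder for the sending qube):
#   sudo apt-key add ~/QubesIncoming/<dispvm-name>/key-a.asc
```

The Template's firewall stays closed throughout; only the verified key file crosses into it.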