On 17.09.2017 18:53, Unman wrote:
On Sun, Sep 17, 2017 at 04:00:15PM +0200, Stumpy wrote:
Yeah that worked. Thx!

Just for my own education, why does the fw allow me to install other things
via apt-get but not via apt-key? Is it just a question of rules?

On 17.09.2017 03:52, Franz wrote:
> On Sat, Sep 16, 2017 at 10:12 PM, Stumpy <stu...@posteo.co> wrote:
>
> > I tried installing sonarr and it apparently requires that the repo
> > be signed. I thought no problem until I tried:
> > sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys FDA5DFFC
> > and I got:
> > gpg: keyserver receive failed: No route to host
> > I figure I should be able to download the key from appvm but am not
> > sure how to do that as I tried the "sudo apt-key" line from above
> > and I guess it installed the key on the appvm instead of dl'd it, or
> > perhaps it dl'd it but I don't know to where.
> > Thoughts on how to get around this?
>
> Try to open the firewall on the template for 5 minutes, there's a flag on
> Qubes Manager
>

I know this worked, but it's not necessary and not good practice.

The Templates, by default, are restricted to connecting to the update
proxy service on an upstream qube. (This is tinyproxy.)
If you look here you will find an explanation of this:
www.qubes-os.org/doc/software-update-vm in the "Updates proxy" section.

On the template you are updating there is a qubes-proxy file in
/etc/apt/apt.conf.d/01qubes-proxy. If you look at that file you will see
that it contains a directive for apt to use the proxy for Acquire::http.
That's why apt-get works.

apt-key doesn't reference this file, which is why it's blocked by the
firewall.
You can force use of a proxy calling apt-key like this:
"apt-key adv --keyserver-options http-proxy=http://proxy:port..."

What's wrong with opening the firewall? Besides the fact that you are
potentially compromising the template (and so all qubes based on it),
there's a bug which means that the firewall doesn't reset after 5
minutes but remains open.

What's the alternative? A simple solution would be to download the key
in a disposableVM (or two using different sources), and then copy it to
the Template using qvm-copy. Most keyservers offer a searchable web
interface to help you find the key you want.
An advantage of doing this is that you are training yourself to use
Qubes to enhance your security. So if you have a work email qube that
is restricted to the mail server at work, you won't be tempted to open up
the firewall because you know there's a better way.

unman


Thanks for the detailed explanation, really appreciate it.

I had tried to dl the key but I guess I just don't understand it well enough as I wasn't able to make it work (though knowing that there might be a search on the site to look for the key might change things).

You mentioned restricting a vm to specific servers, I actually meant to ask about that but have kept forgetting. I would very much like to restrict a few of my VMs. It wasn't obvious to me exactly how one would do that though? Would that be via the vm manager -> settings -> firewall rules?
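
Added example, not part of the original thread: unman's suggestion of downloading the key in two disposableVMs from different sources, turned into a check that both copies carry the same key before one is copied to the template with qvm-copy. Two sources can serve the same key with different armor headers or attached signatures, so the check compares OpenPGP fingerprints rather than file contents. It assumes ASCII-armored v4 keys; the function names and the sample key bytes are constructed for illustration.

```python
import base64, hashlib
from itertools import takewhile

def dearmor(text):  # ASCII armor -> binary OpenPGP data
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK"):
        raise ValueError("not an armored public key block")
    # Armor headers end at the first blank line; stop at the CRC24 line or end marker.
    body = takewhile(lambda l: not l.startswith(("=", "-----END")), lines[lines.index("") + 1:])
    return base64.b64decode("".join(body))

def primary_key_body(blob):
    """Return the body of the leading Public-Key packet (tag 6, version 4)."""
    first = blob[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                              # new-format header
        tag, o1 = first & 0x3F, blob[1]
        if o1 < 192:
            length, start = o1, 2
        elif o1 < 224:
            length, start = ((o1 - 192) << 8) + blob[2] + 192, 3
        else:
            raise ValueError("4-byte and partial lengths not handled")
    else:                                         # old-format header
        tag, size = (first >> 2) & 0x0F, 1 << (first & 3)
        if size == 8:
            raise ValueError("indeterminate length not handled")
        length, start = int.from_bytes(blob[1:1 + size], "big"), 1 + size
    if tag != 6 or blob[start] != 4:
        raise ValueError("expected a v4 public key packet first")
    return blob[start:start + length]

def fingerprint(armored):
    """v4 fingerprint: SHA-1 over 0x99, two-byte body length, packet body."""
    body = primary_key_body(dearmor(armored))
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def copies_agree(copy_a, copy_b, expected_suffix):
    """True only if both downloads hold the same key and it ends with the expected ID."""
    fa, fb = fingerprint(copy_a), fingerprint(copy_b)
    return fa == fb and fa.endswith(expected_suffix.upper())

# Constructed sample: fake key material, one packet body in two header encodings.
BODY = b"\x04" + (1505577600).to_bytes(4, "big") + b"\x01" + bytes(range(40))
def armor(blob, hdr=""):
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + hdr + "\n"
            + base64.b64encode(blob).decode() + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
COPY_A = armor(b"\x99" + len(BODY).to_bytes(2, "big") + BODY, "Comment: constructed\n")
COPY_B = armor(bytes([0xC6, len(BODY)]) + BODY)
```

An 8-hex-digit ID such as the one in the thread covers only the last 32 bits of the fingerprint, so pass the full 40-character fingerprint as `expected_suffix` when the project publishes one.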
