I hate to clutter anybody's inbox, but unman deserves a thank you for this reply and for his many quite informed contributions to this group. People's lives depend on good internet security particularly in view of all the craziness going on in the world today so proprs to unman, Andred Davide, Joanna and everyone else who is collaborating on this project.
On 8/19/19, unman <un...@thirdeyesecurity.org> wrote: > On Sun, Aug 18, 2019 at 12:30:10PM -0700, FenderBender wrote: >> I created a t-multimedia template and successfully installed spotify. >> However, I was unable to find a working gpg command to "cat" the >> spotify.pubkey. (The quebes webpage directs to a stackexchange discussion >> >> which advises a variety of commands, none of which seemed to work on my >> Qubes 4.x t-multimedia template.) >> > Debian-10: > gpg --show-keys spotify.pubkey > > Debian-9: > gpg --with-fingerprint spotify.pubkey > > In both cases, just 'gpg spotify.pubkey' will do > >> Nevertheless, the install proceded. My question is whether it is unsafe >> due >> to being unauthenticated, and also whether, by running "spotify" from the >> >> template terminal, rather than an AppVm, as root, I unecessarily and >> perhaps seriously compromised the integrity of the template. > > Yes it is unsafe. > If you use an unverified key in apt, then you trust the repository > without knowing who is putting files in there. > That's a recipe for disaster. > >> >> When I got to this command: Install Spotify apt-get install -y >> spotify-client >> >> >> it returned a warning to the effect that it >> >> 'failed to authenticate' >> >> So I ran it with "--overide authentication" which allowed me to complete >> the install. >> >> However, >> >> the terminal returned WARNING!THE FOLLOWING PACKAGES COULD NOT BE >> AUTHENTICATD: spotify-client >> >> This is probably caused becuase I was unable to successfully run any kind >> >> of gpg cat command on spotify.keyfile >> >> I plan to install chrome and opera in this or a similar template. >> >> Is this playing with fire or is this warning something that can be >> overlooked? > > Fire indeed. > Once you have checked the fingerprint of the key, (against a number of > different sources), use "apt-key add" to include it in the keys that apt > trusts. > Dont install packages that are not authenticated. > > unman > > -- > You received this message because you are subscribed to the Google Groups > "qubes-users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to qubes-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/qubes-users/20190819160120.GB31837%40thirdeyesecurity.org. > -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This email is confidential to the recipient named in the original. If you receive and are not the named recipient *please delete and notify sender* thank you in advance for your adherence. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAOy3qD_UTzxBvXUTueMPtCSo4W9favuMLd5Wgwqp8fj3CzAhWA%40mail.gmail.com.
