Re: [qubes-users] Installing app on template when it requires signing?

2017-09-17 Thread Stumpy



On 17.09.2017 18:53, Unman wrote:
> On Sun, Sep 17, 2017 at 04:00:15PM +0200, Stumpy wrote:
> > Yeah that worked. Thx!
> >
> > Just for my own education, why does the fw allow me to install other things
> > via apt-get but not via apt-key? Is it just a question of rules?
> >
> > On 17.09.2017 03:52, Franz wrote:
> > > On Sat, Sep 16, 2017 at 10:12 PM, Stumpy  wrote:
> > >
> > > > I tried installing sonarr and it apparently requires that the repo
> > > > be signed. I thought no problem until I tried:
> > > > sudo apt-key adv --keyserver keyserver.ubuntu.com [1]
> > > > --recv-keys FDA5DFFC
> > > > and I got:
> > > > gpg: keyserver receive failed: No route to host
> > > > I figure I should be able to download the key from appvm but am not
> > > > sure how to do that as I tried the "sudo apt-key" line from above
> > > > and I guess it installed the key on the appvm instead of dl'd it, or
> > > > perhaps it dl'd it but I don't know to where.
> > > > Thoughts on how to get around this?
> > >
> > > Try to open the firewall on template for 5 minutes, there's a flag on
> > > Qubes Manager
> > >
>
> I know this worked, but it's not necessary and not good practice.
>
> The Templates, by default, are restricted to connecting to the update
> proxy service on an upstream qube. (This is tinyproxy.)
> If you look here you will find an explanation of this:
> www.qubes-os.org/doc/software-update-vm in the "Updates proxy" section.
>
> On the template you are updating there is a qubes-proxy file in
> /etc/apt/apt.conf.d/01qubes-proxy. If you look at that file you will see
> that it contains a directive for apt to use the proxy for Acquire::http.
> That's why apt-get works.
>
> apt-key doesn't reference this file, which is why it's blocked by the
> firewall.
> You can force use of a proxy calling apt-key like this:
> "apt-key adv --keyserver-options http-proxy=http://proxy:port..."
>
> What's wrong with opening the firewall? Besides the fact that you are
> potentially compromising the template, (and so all qubes based on it),
> there's a bug which means that the firewall doesn't reset after 5
> minutes but remains open.
>
> What's the alternative? A simple solution would be to download the key
> in a disposableVM (or two using different sources), and then copy it to
> the Template using qvm-copy. Most keyservers offer a searchable web
> interface to help you find the key you want.
> An advantage of doing this is that you are training yourself to use
> Qubes to enhance your security. So if you have a work email qube that
> is restricted to the mail server at work, you won't be tempted to open up
> the firewall because you know there's a better way.
>
> unman



Thanks for the detailed explanation, really appreciate it.

I had tried to dl the key but I guess I just don't understand it well 
enough as I wasn't able to make it work (though knowing that there might 
be a search on the site to look for the key might change things).


You mentioned restricting a vm to specific servers, I actually meant to 
ask about that but have kept forgetting. I would very much like to 
restrict a few of my VMs. It wasn't obvious to me exactly how one would 
do that though? Would that be via the vm manager -> settings -> firewall 
rules?


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/af379a24c57a7833ff6ef7ed6fdb49df%40posteo.net.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Installing app on template when it requires signing?

2017-09-17 Thread Unman
On Sun, Sep 17, 2017 at 04:00:15PM +0200, Stumpy wrote:
> Yeah that worked. Thx!
> 
> Just for my own education, why does the fw allow me to install other things
> via apt-get but not via apt-key? Is it just a question of rules?
> 
> On 17.09.2017 03:52, Franz wrote:
> > On Sat, Sep 16, 2017 at 10:12 PM, Stumpy  wrote:
> > 
> > > I tried installing sonarr and it apparently requires that the repo
> > > be signed. I thought no problem until I tried:
> > > sudo apt-key adv --keyserver keyserver.ubuntu.com [1]
> > > --recv-keys FDA5DFFC
> > > and I got:
> > > gpg: keyserver receive failed: No route to host
> > > I figure I should be able to download the key from appvm but am not
> > > > sure how to do that as I tried the "sudo apt-key" line from above
> > > > and I guess it installed the key on the appvm instead of dl'd it, or
> > > > perhaps it dl'd it but I don't know to where.
> > > > Thoughts on how to get around this?
> > > 
> > > Try to open the firewall on template for 5 minutes, there's a flag on
> > > Qubes Manager
> > 

I know this worked, but it's not necessary and not good practice.

The Templates, by default, are restricted to connecting to the update
proxy service on an upstream qube. (This is tinyproxy.)
If you look here you will find an explanation of this:
www.qubes-os.org/doc/software-update-vm in the "Updates proxy" section.

On the template you are updating there is a qubes-proxy file in
/etc/apt/apt.conf.d/01qubes-proxy. If you look at that file you will see
that it contains a directive for apt to use the proxy for Acquire::http.
That's why apt-get works.

apt-key doesn't reference this file, which is why it's blocked by the
firewall.
You can force use of a proxy calling apt-key like this:
"apt-key adv --keyserver-options http-proxy=http://proxy:port..."

What's wrong with opening the firewall? Besides the fact that you are
potentially compromising the template, (and so all qubes based on it),
there's a bug which means that the firewall doesn't reset after 5
minutes but remains open.

What's the alternative? A simple solution would be to download the key
in a disposableVM (or two using different sources), and then copy it to
the Template using qvm-copy. Most keyservers offer a searchable web
interface to help you find the key you want.
An advantage of doing this is that you are training yourself to use
Qubes to enhance your security. So if you have a work email qube that
is restricted to the mail server at work, you won't be tempted to open up
the firewall because you know there's a better way.

unman
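
The alternative described above (fetch the key in a disposable VM from two sources, then qvm-copy it to the template) can be backed by a fingerprint comparison before anything is copied. This is an added example, not part of the thread: the file names and the fingerprints in the sample listing are constructed, and `gpg --show-keys` assumes a recent GnuPG.

```shell
#!/bin/sh
# Added example (not from the thread): run in the disposable VM after saving
# the same key from two sources as key-a.asc and key-b.asc (hypothetical names).

# Constructed `gpg --with-colons` listing; the fingerprints are placeholders.
SAMPLE_LISTING='pub:-:4096:1:00000000FDA5DFFC:1500000000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF00000000FDA5DFFC:
uid:-::::1500000000::::Constructed Example <repo@example.invalid>:
sub:-:4096:1:1111111111111111:1500000000::::::e:
fpr:::::::::1111222233334444555566667777888811111111:'

# Print primary-key fingerprints from a colon listing on stdin. The "fpr"
# record right after a "pub" record holds that key's fingerprint in field 10;
# "fpr" records that follow "sub" belong to subkeys and are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }
             $1 == "sub" { want = 0 }' | sort -u
}

# Fingerprints of the keys in a file, without importing anything.
file_fprs() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | primary_fprs
}

# check_fprs FPRS_A FPRS_B EXPECTED
# Succeeds only if source A holds exactly one key, source B holds the same
# one, and its fingerprint ends in EXPECTED (key ID or full fingerprint).
check_fprs() {
    expected=$(printf '%s' "$3" | tr 'a-f' 'A-F')
    [ -n "$expected" ] || { echo "no expected key ID given" >&2; return 1; }
    if [ "$(printf '%s\n' "$1" | grep -c .)" != 1 ]; then
        echo "expected exactly one primary key" >&2; return 1
    fi
    if [ "$1" != "$2" ]; then
        echo "the two sources returned different keys" >&2; return 1
    fi
    case "$1" in
        *"$expected") return 0 ;;
        *) echo "fingerprint does not end in $expected" >&2; return 1 ;;
    esac
}

# check_key_files FILE_A FILE_B EXPECTED, for example:
#   check_key_files key-a.asc key-b.asc FDA5DFFC && qvm-copy key-a.asc
check_key_files() {
    check_fprs "$(file_fprs "$1")" "$(file_fprs "$2")" "$3"
}
```

An 8-digit key ID such as FDA5DFFC is short enough to collide, so pass the full fingerprint published by the repository owner as EXPECTED where one is available. After the copy, the key file arrives under ~/QubesIncoming/ in the template, where it can be added with `apt-key add`.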



Re: [qubes-users] Installing app on template when it requires signing?

2017-09-17 Thread Stumpy

Yeah that worked. Thx!

Just for my own education, why does the fw allow me to install other 
things via apt-get but not via apt-key? Is it just a question of rules?


On 17.09.2017 03:52, Franz wrote:
> On Sat, Sep 16, 2017 at 10:12 PM, Stumpy  wrote:
>
> > I tried installing sonarr and it apparently requires that the repo
> > be signed. I thought no problem until I tried:
> > sudo apt-key adv --keyserver keyserver.ubuntu.com [1]
> > --recv-keys FDA5DFFC
> > and I got:
> > gpg: keyserver receive failed: No route to host
> > I figure I should be able to download the key from appvm but am not
> > sure how to do that as I tried the "sudo apt-key" line from above
> > and I guess it installed the key on the appvm instead of dl'd it, or
> > perhaps it dl'd it but I don't know to where.
> > Thoughts on how to get around this?
>
> Try to open the firewall on template for 5 minutes, there's a flag on
> Qubes Manager


Links:
--
[1] http://keyserver.ubuntu.com


Re: [qubes-users] Installing app on template when it requires signing?

2017-09-16 Thread Franz
On Sat, Sep 16, 2017 at 10:12 PM, Stumpy  wrote:

> I tried installing sonarr and it apparently requires that the repo be
> signed. I thought no problem until I tried:
> sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys
> FDA5DFFC
> and I got:
>   gpg: keyserver receive failed: No route to host
> I figure I should be able to download the key from appvm but am not sure
> how to do that as I tried the "sudo apt-key" line from above and I guess it
> installed the key on the appvm instead of dl'd it, or perhaps it dl'd it
> but I don't know to where.
> Thoughts on how to get around this?
>
>
Try to open the firewall on template for 5 minutes, there's a flag on Qubes
Manager



[qubes-users] Installing app on template when it requires signing?

2017-09-16 Thread Stumpy
I tried installing sonarr and it apparently requires that the repo be 
signed. I thought no problem until I tried:
   sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys FDA5DFFC

and I got:
  gpg: keyserver receive failed: No route to host
I figure I should be able to download the key from appvm but am not sure 
how to do that as I tried the "sudo apt-key" line from above and I guess 
it installed the key on the appvm instead of dl'd it, or perhaps it dl'd 
it but I don't know to where.

Thoughts on how to get around this?

