Adding a custom yum repo to dom0

I’m trying to add a private yum repo to dom0. In one of my previous posts, I configured a new appvm to work as my updates vm so I can do my updates over a wireguard connection. I got that all functioning properly for dom0 and template vms, but after attempting to add a repo that points to a custom yum repository, I’m getting errors that look like they perhaps have something to do with the trust of a repo?

I see this on dom0:

^C*** ERROR while receiving updates:
Error canonicalizing /var/tmp/qubes-updates-tmpeparz_h0.UNTRUSTED/openssh-8.7p1-1.el8.x86_64.rpm

and on the console of my wireguard updates vm:

‘/usr/lib/qubes/qrexec-client-vm dom0 qubes.ReceiveUpdates /usr/lib/qubes/qfile-agent /var/lib/qubes/dom0-updates/packages/*.rpm’ failed with exit code 1!

Not sure how to debug what qrexec isn’t happy with. If I run this command manually, it just returns with a 1 exit status but no output.

The repo I added is not GPG signed. It’s just a regular yum repo. Template VMs have no issue.

Even if it’s a bad idea to add a repo to dom0, I’d like to understand why this isn’t working to deepen my knowledge of Qubes. I’ll probably not include this repo in dom0 in the end, but it would be nice to understand what’s failing here. If I remove my custom repo, things are happy again.

Thanks

Not an answer to the question, but may be useful nonetheless

@xxedgexx When I created my own repository of RPM packages, I automated some of the signing work with reuse in mind. If you are somewhat familiar with GitHub and can read a relatively simple Makefile, you can use that code to create a signed repository of RPM packages.

The description in GitHub contains a link to my own package repository if you want to see it in action, and the README.md file includes usage instructions.

You are likely aware of the main advantage of a signed repository, which is to know exactly what gets installed in your dom0, but note that it also means that you don’t need to trust the service where you host the packages since their content will be verified before use. That means you can maintain a public repo for free, like I do.

Last note: I use split-GPG, but you can replace the value of GPG_CMD if you don’t 🙂
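As an added illustration of both posts above (the unsigned repo that dom0 rejects, and the signed-repository approach the reply recommends), here is a small POSIX shell script that signs the RPMs in a directory, generates the repodata with a detached signature over repomd.xml, exports the public key, and prints a .repo stanza with both gpgcheck=1 and repo_gpgcheck=1 so the client verifies packages and metadata. It is not code from either post or from the Makefile mentioned in the reply. The key id, GPG_CMD path, repository directory, name and URL are placeholders you are expected to override through environment variables; the signing steps only run when the script is invoked with the build argument, so the repo-file helpers can be exercised on a machine without rpm or createrepo_c.

```shell
#!/bin/sh
# Added example (not from the thread): build a GPG-signed RPM repository and
# the matching .repo file with package and metadata verification enabled.
set -eu

# All of the following are assumptions/placeholders; override via environment.
KEY_ID="${KEY_ID:-packager@example.org}"     # GPG user-id or fingerprint used to sign
GPG_CMD="${GPG_CMD:-/usr/bin/gpg}"           # full path; for split-GPG use the client wrapper
REPO_DIR="${REPO_DIR:-./repo}"               # directory holding the .rpm files to publish
REPO_NAME="${REPO_NAME:-my-private-repo}"    # repo id used in the .repo stanza
BASE_URL="${BASE_URL:-https://repo.example.org/rpm}"  # where $REPO_DIR gets served (no trailing slash)

# sign_rpms DIR: add a GPG signature to every .rpm in DIR.
# rpm reads the signing identity from %_gpg_name and the gpg binary from %__gpg,
# so both are passed as macro definitions instead of editing ~/.rpmmacros.
sign_rpms() {
  for pkg in "$1"/*.rpm; do
    [ -e "$pkg" ] || { echo "no .rpm files in $1" >&2; return 1; }
    rpm --define "_gpg_name $KEY_ID" --define "__gpg $GPG_CMD" --addsign "$pkg"
  done
}

# build_repo DIR: (re)generate repodata, detach-sign repomd.xml so clients can
# enable repo_gpgcheck=1, and export the public key next to the packages.
build_repo() {
  createrepo_c --update "$1"
  "$GPG_CMD" --detach-sign --armor --yes --local-user "$KEY_ID" "$1/repodata/repomd.xml"
  "$GPG_CMD" --armor --export "$KEY_ID" > "$1/RPM-GPG-KEY-$REPO_NAME"
}

# verify_rpms DIR: what the client side does; fails if any package has no valid signature.
verify_rpms() {
  rpm --checksig "$1"/*.rpm
}

# repo_file: print the stanza to drop into /etc/yum.repos.d/.
# gpgcheck=1 verifies each package signature, repo_gpgcheck=1 verifies repomd.xml
# against repomd.xml.asc, and gpgkey tells dnf/yum where to fetch the public key.
repo_file() {
  cat <<EOF
[$REPO_NAME]
name=$REPO_NAME
baseurl=$BASE_URL
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=$BASE_URL/RPM-GPG-KEY-$REPO_NAME
EOF
}

# check_repo_file FILE: return 0 only if FILE enables both package and metadata
# verification; a stanza that fails this check is the "regular yum repo" case
# from the question and should not be pointed at dom0.
check_repo_file() {
  grep -qx 'gpgcheck=1' "$1" && grep -qx 'repo_gpgcheck=1' "$1"
}

# Running the signing pipeline needs rpm, createrepo_c and a key; only do it on request.
case "${1:-}" in
  build)
    sign_rpms "$REPO_DIR"
    build_repo "$REPO_DIR"
    verify_rpms "$REPO_DIR"
    repo_file > "$REPO_NAME.repo"
    ;;
  *)
    repo_file
    ;;
esac
```

Usage: `KEY_ID=<fingerprint> REPO_DIR=./out BASE_URL=https://host/path sh signed-repo.sh build`, then copy `$REPO_NAME.repo` into /etc/yum.repos.d/ on the consumer and import the exported key. Before enabling a stanza, `check_repo_file my-private-repo.repo` is a quick way to confirm both verification switches are on.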