Hi Nicola, welcome to Qubes.
There are instructions which you may have missed here.
If you found them, I’m sorry they were not clear.
When you want to install a package in Qubes you should check the
signature, just as you did when you were installing Qubes and checked the
signature on the iso you downloaded.
If you are installing or updating packages using the native tools - like the
Update tool - this is all done for you automatically.
If you get a package from some other source you have to manually check
it for yourself - this is particularly important when installing
something into dom0, as a mistake here can compromise the whole system.
Packages are usually signed with a PGP key, and you confirm they are
unchanged using gpg, or rpm.
Start by downloading the package in a disposable qube.
Also find and download the key that was used to sign the package.
There are very detailed instructions for working with the Qubes keys here.
My instructions are far less detailed.
My packages are always signed with my Qubes signing key - you can get
copies of this in many places. When you download it, check the signature
using gpg -n --import --import-options import-show UNMAN.PUB - the
signature should be 4B1F 400D F256 51B5 3C41 41B3 8B3F 30F9 C8C0 C2EF
(Replace UNMAN.PUB with the name you gave to the key you downloaded.)
Then you can check the signature on the package like this.
rpmkeys --import UNMAN.PUB
rpm -K PACKAGE_NAME
If all has gone well you will see output with digests signature OK.
Open a terminal in dom0 - copy the files into dom0 as explained here.
Do it all again - check the signature on the key, import the key, check
the signature on the package.
If you are happy, move the key to /etc/pki/rpm-gpg/RPM-GPG-KEY-unman, and install the package:
sudo mv UNMAN.PUB /etc/pki/rpm-gpg/RPM-GPG-KEY-unman
qvm-template install --keyring /etc/pki/rpm-gpg/RPM-GPG-KEY-unman FULL_PATH_TO_DOWNLOADED_TEMPLATE
It seems long-winded, but you must be confident in these packages.
Once you’ve done it once for a key you only really need to do the last
step in dom0: qvm-template install --keyring /etc/pki/rpm-gpg/RPM-GPG-KEY-unman FULL_PATH_TO_DOWNLOADED_TEMPLATE
If the package wasn’t signed with the key you specify, it won’t be
installed.
Of course, when you install an unofficial package you have to trust the
person who produced it.
Those templates are built for 4.1, and I haven’t yet released Ubuntu
templates for 4.2 - they may or may not work on 4.2.
I hope there’s enough here to get you started. If you encounter any
problems, please ask.
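
Added example, not part of the original post and not the poster's own code: the key-fingerprint check and package check described above, combined into one script that refuses to import the key unless its full fingerprint matches the value quoted in the post. The function names, the `--with-colons` option added to the post's gpg command, and the sample key listing are assumptions made for this example.

```shell
#!/bin/sh
# Added example: fingerprint check + package check from the post, as one script.
# Function names and the sample listing are illustrative, not from the post.

EXPECTED_FPR='4B1F 400D F256 51B5 3C41 41B3 8B3F 30F9 C8C0 C2EF'  # value given in the post

# Constructed sample of `gpg --with-colons` key-listing output (not a real key dump).
SAMPLE_LISTING='pub:-:4096:1:8B3F30F9C8C0C2EF:0:::-:::scESC:
fpr:::::::::4B1F400DF25651B53C4141B38B3F30F9C8C0C2EF:
uid:-::::0::::constructed sample uid:
sub:-:4096:1:0000000000000000:0::::::e:
fpr:::::::::0000000000000000000000000000000000000000:'

# Remove spaces/colons and upper-case, so differently formatted fingerprints compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n:' | tr 'a-f' 'A-F'
}

# stdin: colon-format listing. Prints field 10 of the first "fpr" record after a "pub" record.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next } seen && $1 == "fpr" { print $10; exit }'
}

# fpr_matches LISTING EXPECTED: succeeds only if the listing holds exactly one primary key
# and its full fingerprint equals EXPECTED. Subkey fingerprints are ignored.
fpr_matches() {
    pubs=$(printf '%s\n' "$1" | awk -F: '$1 == "pub" { n++ } END { print n + 0 }')
    [ "$pubs" -eq 1 ] || return 1
    got=$(printf '%s\n' "$1" | primary_fpr)
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$2")" ]
}

# verify_package KEYFILE RPMFILE: refuses to import the key unless the fingerprint matches.
verify_package() {
    listing=$(gpg -n --import --import-options import-show --with-colons "$1" 2>/dev/null) || return 2
    fpr_matches "$listing" "$EXPECTED_FPR" || { echo "fingerprint mismatch: $1" >&2; return 1; }
    rpmkeys --import "$1" || return 2
    # An unsigned package reports only "digests OK", so require the word "signature(s)".
    rpm -K "$2" | grep -Eq 'digests signatures? OK'
}

if [ "$#" -eq 2 ]; then
    verify_package "$1" "$2" && echo "OK: signature on $2 verified"
    exit $?
fi
```

Note that `rpm -K` accepts a signature from any key already in the rpm database, which is why the final dom0 step in the post pins a single key with `qvm-template install --keyring`.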