Hi I want to create standard VM not standalone to apps like Spotify, Skype and Signal that are proprietary so I don’t want to install it in template (and also not figured out yet how to do that 
- but since is not recommended I chose to do that other way) . I add all installation commands in rc.local and since this apps are dedicated to networking is not a problem to download it on every VM start (for other proprietary apps I plan to install it from downloaded before deb and only try to upgrade after start). I create appmenus using guide and when VM is started it works. But If VM is shutdown command only starts VM and not starting the app (since is not installed when VM starts). I try to use “&&” to first start VM but it also not work. Is there any way to start app that will be installed after boot of VM? Also how can I obtain this app Icon without coping it to dom0 from the running VM?
so I don’t want to install it in template (and also not figured out yet how to do that
I don’t see anything wrong with doing this:
- clone a template, for example
debian-11todebian-11-Signal. You can do it from the Qube Manager GUI by right-clicking on thedebian-11template you want to clone. - open a terminal in the
debian-11-Signaltemplate and install Signal there - shutdown the template (from the terminal or from the Qube Manager) so that new AppVM qubes will see the changes in the template (the newly-installed Signal app)
- make a qube called
Signalbased on thedebian-11-Signaltemplate.
Obviously this works for any changes you want to make, not just installing Signal. Having the new cloned template won’t affect the other templates or qubes based on them.
You could also directly use the template debian-11-Signal directly (which is similar to just using a standalone qube).
Making the new template would require more space and require you to update two templates instead of one, though.
You could also try using bind-dirs in the AppVM for a setup where you want some directories to persist across a reboot, as well, but I haven’t used bind-dirs a lot so I can’t comment on that further.
And what with internet connection for the template? I read that it is blocked and the updates are only allowed using some other mechanism due to security reason. So to have this hypothetical Signal app up to date I understand that I also have to change some rules(?)/add allowed repos for that template.
I don’t have any problems with using apt install in templates with default settings.
From 3parties repos?
Don’t know.
If the application isn’t part of the main repo I download the .deb package and install it with dpkg -i
So You have no auto updates for it. When You try add signature for 3party app that whats happened:
$ wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > signal-desktop-keyring.gpg
--2022-03-07 09:25:52-- https://updates.signal.org/desktop/apt/keys.asc
Resolving updates.signal.org (updates.signal.org)... failed: Temporary failure in name resolution.
wget: unable to resolve host address ‘updates.signal.org’
gpg: no valid OpenPGP data found.
and this is intended for security reasons. So I appreciate the idea and I want to do that that way, but this required figuring out how this template proxy work, and allowing connection to app repo.
Ok, I read a bit and the solution is simpler. I just have to download signature elswhere and send it to template VM since networking is only allowed for packages managers. So when You have deb that have signature and link for the repo it will update in the future, also You can add signature from file, and link to repo yourself and it will also work.
I have just make a guide about this. There is also a link there on installing signal:
Templates don’t have internet access by default, except for regular updates/installs.
For the wget I just added sys-whonix as a NetVM to the debian-11-Signal qube for a few seconds until I got the file. I think I needed it for the next steps of the install as well, but that’s it - just a few seconds of internet access to configure Signal. Then I reverted the NetVM back to “none”. You can do it by right-clicking on the template in Qube Manager.
I’ve been using my Signal appVM with no issues since then. Right-clicking the template in Qube Manager and updating it works well - signal-desktop gets the updates normally.
You can of course set sys-firewall or sys-net or whatever as the NetVM, it doesn’t have to be sys-whonix.
Just remember to shutdown the qube after installing Signal.
I don’t think there are any serious security implications if you do this - the template will only be used for Signal so the alternative (standalone) would be always have internet access to a qube with persistent /. This way it’s quick and only affects Signal-related qubes.
Thanks for all the answers. As I wrote before I figured out how to install 3parties software in templates. I think I will also try use of minimal template according to posted guide.
If you’re going this route, maybe also read up on this thread