Can we use QMSK to verify template VM and Qubes update?

We use QMSK and release signing key to verify each Qubes release.
Are there any way to verify:

  • the installed template VM before installing ?
  • each Qubes update ?

either by using QMSK & release signing key or other verification method

This is done automatically.
Every Qubes package (including templates) is signed, and the signature
is checked before installation.

If you want to manually check the signature on an rpm package that
you have downloaded in dom0 or in a qubes, you can do this easily
enough.
sudo qubes-dom0-update --action=download RPM in dom0 will download the
package without installing it.
In a qube, simply dnf --downloadonly --downloaddir=PATH install RPM
will do it.
Then rpm -qi RPM will show you information about the package,
including the key used to sign it.

Official packages for Qubes 4.* will be signed with the Qubes OS Release 4
Signing Key: 0x1848792f9e2795e9

1 Like

it gives me error “no such command:download”
then i try, sudo qubes-dom0-update --action=downloadonly RPM
the same error “no such command:downloadonly”

so, maybe the action name is wrong ?

You may try

sudo qubes-dom0-update --downloadonly package-you-like

i try “sudo qubes-dom0-update --downloadonly rpm”
then it download into the cache, but i couldn’t find the cache folder,
how to access the rpm in the cache so that we can verify its signature ?

there is hidden folder .cache, but cannot find the rpm inside.

also, “sudo qubes-dom0-update” gives me more rpm then the --downloadonly,
hmm, anyone know why ? @enmus @unman

It’s in /var/lib/qubes/updates/rpm.

1 Like

ok, i found a lot of rpm in the folder.

so, can we assume that, when we run Qubes launch updater for dom0,
it will download all rpm, related to dom0 update, into /var/lib/qubes/updates/rpm,
then it will install each rpm into the system ?

Once qubes-receive-updates finished unpacking and verifying the updates, the updates are placed in qubes-receive-updates directory in Dom0 filesystem. Those updates are now trusted. Dom0 is configured (see /etc/yum.conf in Dom0) to use this directory as a default (and only) yum repository.

You can read more about it here:

1 Like

ok, dom0 secure update,
in short, the updater will download, extract and verify the digital signature,
then store the rpm in the qubes-receive-updates directory,
and all are done automatically,

then, we can find all related directory in:
/etc/yum.conf, /etc/yum.real.repos.d, /etc/yum.repos.d, and /var/lib/qubes/updates

can verify each rpm in the /var/lib/qubes/updates,
by rpm -qi rpm_name and compare with release signing key

how about the template update,
Qubes launch updater will also launch update for each template,
is there rpm update directory, just as in dom0 for each template ?
can we use the Qubes release signing key to verify it ?
@tzwcfq @unman @enmus

In case of dom0 the updates are first downloaded in UpdateVM and then they are moved securely to dom0.
In case of template there is proxy in your UpdateVM running and template connect to this proxy over qrexec to update the template in a standard way using dnf/apt.

Yes, it’s a standard cache directory for package managers. For example in debian it’s:
/var/cache/apt/archives/

1 Like

I will try to conclude:

  • verification for dom0 update are done automatically

  • Official packages for Qubes 4.* will be signed with the Qubes OS Release 4
    Signing Key: 0x1848792f9e2795e9

  • for dom0 update, first, the packaged are downloaded in updateVM, then moved securely to dom0, then automatically verified, we can see the downloaded package in dom0 /var/lib/qubes/updates , reference: dom0 secure updates

  • we can manual verify each rpm in the /var/lib/qubes/updates by running rpm -qi rpm_name, then verify with the release signing key

  • for template VM update, template VM connect to proxy in update VM over qrexec, then update template in standard way using dnf/apt

  • for template VM update, standard cache directory for package managers may vary, depend on the OS of the template, ie, in debian is /var/cache/apt/archives

maybe, we cannot use Qubes release signing key, to verify packages, related to template VM update, because they are related to template VM OS.

Additional: how to verify the md5sum of iso in the CD/DVD , ref: cdrommd5sumafterburning

  • use Disks application to know the exact bytes of the iso
  • dd if=/dev/cdrom | head -c 682575872 | md5sum