Flatseal sandboxing vs Template install?

I loathe all of these methods that don’t simply work with apt-install. Hoop jumping for no benefit.

Unfortunately both veracrypt and brave require this crap.

1 Like

Worse yet, security posture cordyceps! Leave such things to Señor Aitel.

I don’t know if it’s Flatpak but there’s that one where you have to do wget and curl because there’s some “key” you can’t work without connecting your template directly to the internet. A pox on that.

I always find it extremely odd/frustrating that the Qubes team has yet to address the ability to gpg --recv-keys when preparing TemplateVMs (I understand the issue is with gpg wanting to DNS) thus, leaving: A) “dirty” fetch + verify post install or B) manually including the key.

Leveraging split-gpg for TemplateVMs feels too excessive. Is that even a “thing”?

You can install Brave with apt, you just need to add the repo to the template.

Aaah, that’s good to know, thanks!

I can tolerate Veracrypt not being up-to-the-minute because I run it offline.

1 Like

@Emily same thing … this is Qubes OS specific and should go to General Discussion. Any reason you posted here?

I provided a simple solution some years back which leverages the proxy.
You may find this too dirty for your taste.

The advantage of salting templates is that you can provide any needed
keys as part of the package install from a trusted source.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.
1 Like

Thanks for pointing this out, much appreciated!

I definitely :+1: it better than the other options listed above and, I’d certainly :heart: it if it were available as a package in the qubes repo.

I’m fully aware of how over the top this would be for such a simple script but, it’s a long night/day & I just don’t see the smoothest workflow (manually adding it to the most commonly used TemplateVMs?).

What am I thinking!?!? This fits the bill 100% for the salted projects I’ve shared. :hugs:

As always, much gratitude for you @unman !

@renehoj

When I try to look up how to do this I get nothing but crap having to do with “curl” and gpg key donkey derbies.

Like here: Installing Brave on Linux | Brave Browser

The Flatseal/Flatpak discussion seemed to encompass more than just Qubes. Please move it if you feel it’s miscategorized.

You just need to add --proxy localhost 8082 to the curl command.

2 Likes

@SteveC here’s a bash snippet to install brave-browser on a debian-based distro:

install_brave.sh
```bash
#!/bin/bash
# Run as root inside the template.
apt update && apt upgrade -y
cd /tmp
# Send curl's HTTPS requests through the updates proxy on localhost:8082.
export https_proxy=127.0.0.1:8082
# Fetch the repository signing keyring.
curl -fsSLo /usr/share/keyrings/brave-browser-archive-keyring.gpg https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg
# Add the repo, limited to packages signed by that keyring.
echo "deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg arch=amd64] https://brave-browser-apt-release.s3.brave.com/ stable main" | tee /etc/apt/sources.list.d/brave-browser-release.list
apt update && apt install -y brave-browser
```
2 Likes

This worked well…once I got rid of the cacher (which was painful but anyhow…).

Thank you. Once I had it working, I was able to figure out how to do it with the cacher in place.

In order to use the cacher:

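```bash
#!/bin/bash
# Run as root inside the template, with apt-cacher-ng behind the updates proxy.
apt update && apt upgrade -y
cd /tmp
export https_proxy=127.0.0.1:8082
# http://HTTPS///host/... is the apt-cacher-ng URL form: plain HTTP to the
# cacher, which then fetches from the upstream host over HTTPS.
curl --proxy 127.0.0.1:8082 http://HTTPS///brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg --output /usr/share/keyrings/brave-browser-archive-keyring.gpg
# The repo line uses the same URL form so apt goes through the cacher too.
echo "deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg arch=amd64] http://HTTPS///brave-browser-apt-release.s3.brave.com/ stable main" | tee /etc/apt/sources.list.d/brave-browser-release.list
apt update && apt install -y brave-browser
```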

I don’t know why the curl command needed rearranging as well as the HTTPS stuff, I just know it did. Fortunately this…

How to curl with an active apt-cacher configuration - User Support - Qubes OS Forum (qubes-os.org)

…was here to help me figure that out.

[edit to add: I’m not even sure the export line is needed.]

3 Likes
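Both scripts above write the downloaded keyring straight into /usr/share/keyrings, which is the "fetch + verify post install" gap raised earlier in the thread. As an added example (not part of any post here), this sketch downloads through the updates proxy to a temporary file and installs it only if its SHA-256 matches a digest obtained out of band; the function names and the digest placeholder are assumptions, and a rotated key needs a new pin.

```shell
#!/bin/bash
# Added example, not code from the thread. Function names are hypothetical.
PROXY="127.0.0.1:8082"   # updates proxy address used in the thread

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# install_if_pinned SRC EXPECTED_SHA256 DEST
# Copies SRC to DEST only when its digest equals EXPECTED_SHA256.
# Returns 0 on install, 1 on digest mismatch, 2 on empty/missing SRC.
install_if_pinned() {
    local src="$1" expected="$2" dest="$3" actual
    [ -s "$src" ] || { echo "empty or missing download: $src" >&2; return 2; }
    actual=$(sha256_of "$src")
    # Accept the pinned digest in either upper or lower case.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $src: got $actual" >&2
        return 1
    fi
    install -m 0644 "$src" "$dest"
}

# fetch_and_install URL EXPECTED_SHA256 DEST
# Downloads to a temp file via the proxy; DEST is written only after the check.
fetch_and_install() {
    local url="$1" expected="$2" dest="$3" tmp rc=0
    tmp=$(mktemp) || return 2
    { curl -fsSL --proxy "$PROXY" -o "$tmp" "$url" &&
      install_if_pinned "$tmp" "$expected" "$dest"; } || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage in a template (digest is a placeholder to be obtained out of band):
# fetch_and_install \
#   "https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg" \
#   "<SHA256-OBTAINED-OUT-OF-BAND>" \
#   /usr/share/keyrings/brave-browser-archive-keyring.gpg
```

On a mismatch nothing is written to the keyrings directory, so apt never sees an unverified key.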

Nice.
Do you have similar scripts for Veracrypt and/or Opera?

Yes.

Moved to General Discussion

You don’t need a script, all it does is add --proxy 127.0.0.1:8082 to curl.

If you need to download files in a template, you can use the update proxy on localhost:8082.

https://www.qubes-os.org/doc/how-to-install-software/#updates-proxy

1 Like
