Fom’s giant list of Qubes OS workarounds, tweaks and shenanigans

How to get Tutanota working in a fedora-36-minimal qube

I initially spent a very long time trying to get the Tutanota flatpak working (which is officially supported, albeit reluctantly). However, try as I might, I couldn’t get it to play nice with gnome-keyring. Even with seahorse and gnome-keyring-pam installed it couldn’t store both its keys in any keyring. I think this is more of an issue with the current flatpak than my setup, so I’ve been forced to fall back to the publisher-recommended AppImage instead. But the AppImage autoupdates quite nicely, so it’s no great loss.

Instructions

  1. Install a minimal fedora template via the official instructions: Minimal templates | Qubes OS
  2. Use “Qubes Update” and “Enable update for qubes without known available updates” to update your new minimal template.
  3. Clone/rename the minimal template using “Qube Manager”
  4. Launch a root terminal for the template using “Terminal Emulator”
    qvm-run -u root [TEMPLATE NAME] xterm
  5. In the newly opened xterm terminal, install gnome-keyring and the Qubes networking agent (and optionally the notification daemon):
    sudo dnf install gnome-keyring
    sudo dnf install qubes-core-agent-networking
    sudo dnf install notification-daemon    # only required if you want to see notifications from Tutanota
  6. Close your terminals and shut down your template qube using “Qube Manager”
  7. Make a new AppVM qube which uses your new template using “Qube Manager”
  8. In whatever qube you use for internet browsing download the Tutanota appimage from their official website.
  9. Open your file browser, right click the downloaded appimage and use “Copy to Other AppVM” to send the appimage to the AppVM you just created.
  10. Run terminal (Xterm) in your new AppVM
  11. Running your applications from inside the “Qubes Incoming” folder strikes me as a bad idea, so move your AppImage into home
    mv QubesIncoming/[VM-you-downloaded-it-in]/tutanota-desktop-linux.AppImage $HOME
  12. Close your current terminal and launch a root terminal from dom0 (Terminal Emulator) for your AppVM
    qvm-run -u root [APPVM-NAME] xterm
  13. Make the AppImage executable
    sudo chmod +x /home/user/tutanota-desktop-linux.AppImage
  14. Close the root terminal you launched (and the dom0 terminal that launched it), then open a normal instance of xterm in your AppVM
  15. Run the AppImage
    ./tutanota-desktop-linux.AppImage
  16. In the “Choose password for new keyring” window that opens, leave both the password and confirm fields empty and click continue
  17. In the “Store passwords unencrypted” window click continue.
    (IMO there’s no harm in this: you have to unlock the keychain to use it even if it is unencrypted, at which point your login token would be just as vulnerable to exploits in the Tutanota app as it is via the unencrypted approach. By default in Qubes your entire OS should be encrypted and be utilized by a single user, so encrypting that token is fairly pointless in our case. If you do choose to encrypt it, you’ll have to unlock the keychain on every first app launch in the qube session, which will suck.)
  18. In the desktop integration window, tick “don’t ask again for this file” and click yes
  19. In “Qube Manager” open the settings for your new app qube and refresh its applications. Tutanota Desktop should now be available there.
  20. While you’re in settings, consider increasing your private storage max size to accommodate your inbox.
  21. You should now be able to launch a working version of Tutanota.
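
The move out of QubesIncoming and the step that makes the AppImage executable can be wrapped in one function that treats the incoming folder as untrusted input. This is an added example, not part of the original post: the function name `stage_appimage`, its return codes and the ELF-header check are assumptions made here, and it sets the executable bit as the file's owner instead of from a root terminal, which assumes the copied file belongs to the qube's normal user.

```shell
#!/bin/sh
# Added example (not from the original post). Run inside the AppVM.
# Usage after sourcing this file:  stage_appimage [VM-you-downloaded-it-in]
#
# stage_appimage SRC_QUBE [FILE]
#   Moves FILE from ~/QubesIncoming/SRC_QUBE/ into $HOME and marks it
#   executable, but only if it looks like what we expect.
# Return codes (chosen for this example):
#   0 staged, 2 bad name, 3 missing or not a regular file,
#   4 not an ELF binary, 5 destination already exists
stage_appimage() {
    src_qube=$1
    name=${2:-tutanota-desktop-linux.AppImage}

    # Names arrive from another qube: refuse anything that could
    # escape the expected directory (slashes, empty, leading dot).
    case $src_qube in */*|''|.*) return 2 ;; esac
    case $name     in */*|''|.*) return 2 ;; esac

    src=$HOME/QubesIncoming/$src_qube/$name
    dest=$HOME/$name

    # Only a plain file is acceptable: no symlinks, directories or devices.
    [ -f "$src" ] && [ ! -L "$src" ] || return 3

    # An AppImage is an ELF executable, so the first four bytes must be
    # 0x7f 'E' 'L' 'F'. This is a sanity check, not an authenticity check.
    magic=$(od -An -tx1 -N4 "$src" | tr -d ' \n')
    [ "$magic" = 7f454c46 ] || return 4

    # Never silently overwrite an AppImage that is already installed.
    [ ! -e "$dest" ] || return 5

    # Move first, then set the bit: nothing under QubesIncoming is ever
    # made executable.
    mv -- "$src" "$dest" && chmod u+x -- "$dest"
}
```
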