Giving network access to template vms

pygmalion · February 16, 2026, 7:08am

Hello, I just started using qubesos,

I was wondering if it was a good idea to give network access to the template vms, I did that because I wanted to install third party apps like signal and vscodium via the official method.

for example the official download instructions for signal:

# 1. Install our official public software signing key:
wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > signal-desktop-keyring.gpg;
cat signal-desktop-keyring.gpg | sudo tee /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null

# 2. Add our repository to your list of repositories:
wget -O signal-desktop.sources https://updates.signal.org/static/desktop/apt/signal-desktop.sources;
cat signal-desktop.sources | sudo tee /etc/apt/sources.list.d/signal-desktop.sources > /dev/null

# 3. Update your package database and install Signal:
sudo apt update && sudo apt install signal-desktop

these do not work on the debian-13-xfce template vm, please let me know if there was a better way to do this other than setting the netvm for the template vm to sys-firewall (there are other apps I want to install that install in a similar way issue not specific to signal)

KitsuneNoBaka · February 16, 2026, 7:54am

Giving network access to template is a security breach.
If you want to install apps read installation software docs, Using the updates proxy specifically:

TheGardner · February 16, 2026, 9:59am

Software installs always via Terminal in the Templates (without any network access) the install functions always know, how to get the software/tools via the plugged in proxy settings…

Do NOT use qubes for your daily work, until you know, how things work and you feel save. Until that - use Tails for the time being !!!

parulin · February 16, 2026, 12:43pm

@pygmalion If you don’t want to learn how templates and app qubes work right now, use standalones instead. That way you can learn things at your own pace.

murdock · February 16, 2026, 2:04pm

Hi @pygmalion ,
for that process, you can use a two step process:

First, download the relevant files in a VM (not in template).

cd ~/Downloads <ret>
wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > signal-desktop-keyring.gpg <ret>
wget -O signal-desktop.sources https://updates.signal.org/static/desktop/apt/signal-desktop.sources <ret>

Then copy that two files over to your template VM
(On Thunar desktop) click with right mouse button to each of the two files in Downloads-Folder and choose , chose as target your template VM
Then open a terminal in your template VM

cd ~/QubesIncoming/<NAME_OF_YOUR_APP_VM>
sudo chown root:root signal-desktop-keyring.gpg
sudo mv signal-desktop-keyring.gpg /usr/share/keyrings/

sudo chown root:root signal-desktop.sources
sudo mv signal-desktop.sources /etc/apt/sources.list.d/

sudo apt update && sudo apt install signal-desktop

The commands looks like they was for debian, if your template vm is a fedora, then the places, where the files must be copied to and the installation command are slightly different (dnf instead of apt)

GWeck · February 16, 2026, 4:41pm

While this works well for Linux-based templates, I am still looking for a way to tell Windows-based templates to use the update proxy, because connecting them directly to the internet paves the way for disaster.

solene · February 16, 2026, 5:01pm

connectTCP isn’t available on windows qubes?

GWeck · February 16, 2026, 5:18pm

No idea - Windows networking is, for me, a black, convoluted box.