I downloaded unman’s template. Before I copy it to dom0, I want to be sure the template is OK.
I downloaded unman’s public key.
TLDR -
rpmkeys --import PATH_TO_KEY
rpm -K PATH_TO_PACKAGE
If all is well, you will see “digests signatures ok”
Verifying a package
How do you verify any package?
In Fedora, you can see which key signed a package using rpm -qi PATH_TO_PACKAGE
For example, if you have downloaded an rpm package to Downloads, and you are in /home/user, you can run rpm -qi ./Downloads/PACKAGE_NAME
In the output the Signature line shows you the signing key ID - for
packages signed by me this may look like this:
Signature : RSA/SHA512, Tue 21 Feb 2023 10:56:59 UTC, Key ID fdd1b8244731b36c
If you have my PGP key, and have assured yourself that it is the right
key, import it, and then check the ID:
gpg --import unman.key
gpg --edit-key unman
The output should look like this:
pub rsa4096/8B3F30F9C8C0C2EF
created: 2016-06-25 expires: never usage: SC
trust: unknown validity: unknown
sub rsa4096/6233CD8FA59A87A8
created: 2016-06-25 expires: never usage: E
sub rsa4096/FDD1B8244731B36C
created: 2016-06-27 expires: 2024-06-30 usage: S
[ unknown] (1). unman (Qubes OS signing key) <unman@thirdeyesecurity.org>
So the package is signed by the sub key - sub rsa4096/FDD1B8244731B36C
Checking a rpm with rpm -K
You can import the key into the rpm keyring with rpmkeys --import PATH_TO_KEY, and check the package using rpm -K PATH_TO_PACKAGE
This will check the digests of the package and that it is signed by a
known key.
Now you should feel pretty confident that this package is as built and
is signed by my key, and can copy the package into dom0.
You can go through the same process after copying my key and the package
into dom0. (In fact, you probably should do so.)
Copying a package into dom0
This is covered here
If you have downloaded PACK.rpm to Downloads in a qube called disp9999,
in dom0 run
qvm-run -p disp9999 'cat Downloads/PACK.rpm' > PACK.rpm
Installing a downloaded template
To install in dom0, copy my key into /etc/qubes/repo-templates/keys.
Install the package with qvm-template --keyring /etc/qubes/repo-templates/keys/KEY_NAME install PATH_TO_TEMPLATE_PACKAGE
replacing KEY_NAME with whatever name you gave my key and PATH_TO_TEMPLATE_PACKAGE with the actual path to the package.
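As an added example (not code from unman’s post or from the Qubes project), the steps above can be pulled together into one POSIX shell script. The point it adds is a check the procedure above leaves implicit: rpm -K only tells you the signature matches some key in the rpm keyring, and that keyring also holds the Fedora keys, so the script additionally reads the signer’s Key ID from rpm -qip and requires it to equal the one key ID you verified out of band. Assumptions: rpm and rpmkeys are installed; rpm -K prints the rpm >= 4.14 style “digests signatures OK”; and EXPECTED_KEYID is set to the signing-subkey ID quoted in the thread purely as an example value, not as a key you should trust on the strength of this script.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Verify that an rpm (a) passes `rpm -K` and (b) was signed by the ONE key
# ID you expect, rather than by any key that happens to be in the rpm keyring.
#
# Assumptions: rpm/rpmkeys are installed; `rpm -K` uses the rpm >= 4.14
# "digests signatures OK" wording; EXPECTED_KEYID is the signing-subkey ID
# quoted in the thread, used here only as an example value.
EXPECTED_KEYID="FDD1B8244731B36C"

# Pull the 16-hex-digit key ID out of `rpm -qi` text (the "Signature :" line).
# Prints it lowercased; prints nothing for an unsigned package ("(none)").
rpm_signer_keyid() {
    printf '%s\n' "$1" |
        sed -n 's/^Signature *:.*Key ID \([0-9a-fA-F]\{16\}\).*/\1/p' |
        tr 'A-Z' 'a-z'
}

# Succeed only if `rpm -K` text reports both digests and signatures OK
# (case-insensitive). "digests OK" alone means unsigned, and
# "digests SIGNATURES NOT OK" means the key is unknown or the signature is bad;
# both are rejected.
rpm_k_ok() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *"digests signatures ok"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare two key IDs, ignoring case and an optional 0x prefix.
# An empty "got" (unsigned package) never matches.
keyid_matches() {
    got=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | sed 's/^0[xX]//' | tr 'A-Z' 'a-z')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# verify_rpm PACKAGE.rpm KEYFILE [EXPECTED_KEYID]
verify_rpm() {
    pkg=$1; keyfile=$2; want=${3:-$EXPECTED_KEYID}
    rpmkeys --import "$keyfile" || { echo "key import failed" >&2; return 1; }
    k_out=$(rpm -K "$pkg" 2>&1)
    rpm_k_ok "$k_out" || { echo "FAIL: $k_out" >&2; return 1; }
    # -p queries the package file rather than the installed rpm database.
    signer=$(rpm_signer_keyid "$(rpm -qip "$pkg" 2>/dev/null)")
    keyid_matches "$signer" "$want" ||
        { echo "FAIL: signed by '${signer:-none}', expected $want" >&2; return 1; }
    echo "OK: $pkg is signed by key $signer"
}

# Run only when invoked with arguments, e.g.:
#   sh verify-rpm.sh ./Downloads/PACK.rpm ./unman.key
if [ "$#" -ge 2 ]; then
    verify_rpm "$@"
fi
```

Run it in the qube where you downloaded the package, and again in dom0 after copying both the key and the package across; a mismatch between the Key ID rpm reports and the subkey you saw in gpg --edit-key is the case this script exists to catch.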
Thanks, the guide at Index of /Templates_4.1 had the wrong command with “qvm-template install --keyring /etc/pki/rpm-gpg/RPM-GPG-KEY-unman FULL_PATH_TO_DOWNLOADED_TEMPLATE”. Changing the install position fixed it.
Thanks. I’d fixed that in the Templates page, but missed that.
I never presume to speak for the Qubes team. When I comment in the Forum I speak for myself.

No problem! And thank you so much for your templates! Without you QubesOS would be so much more frustrating to work with, so I appreciate it a lot!