I downloaded unman’s template. Before I copy it to dom0, I want to make sure the template is OK.
I downloaded unman’s public key.
TLDR -
rpmkeys --import PATH_TO_KEY
rpm -K PATH_TO_PACKAGE
If all is well, you will see “digests signatures ok”
Verifying a package
How do you verify any package?
In Fedora, you can see which key signed a package using rpm -qi PATH_TO_PACKAGE
For example if you have downloaded an rpm package to Downloads, and
you are in /home/user, you can run rpm -qi ./Downloads/PACKAGE_NAME
In the output the Signature line shows you the signing key ID - for
packages signed by me this may look like this:
Signature : RSA/SHA512, Tue 21 Feb 2023 10:56:59 UTC, Key ID fdd1b8244731b36c
If you have my PGP key, and have assured yourself that it is the right
key, import it, and then check the ID:
gpg --import unman.key
gpg --edit-key unman
The output should look like this:
pub rsa4096/8B3F30F9C8C0C2EF
created: 2016-06-25 expires: never usage: SC
trust: unknown validity: unknown
sub rsa4096/6233CD8FA59A87A8
created: 2016-06-25 expires: never usage: E
sub rsa4096/FDD1B8244731B36C
created: 2016-06-27 expires: 2024-06-30 usage: S
[ unknown] (1). unman (Qubes OS signing key) <unman@thirdeyesecurity.org>
So the package is signed by the sub key - sub rsa4096/FDD1B8244731B36C
Checking an rpm with rpm -K
You can import the key in to the rpm keyring - rpmkeys --import PATH_TO_KEY,
and check the package using rpm -K PATH_TO_PACKAGE
This will check the digests of the package and that it is signed by a
known key.
Now you should feel pretty confident that this package is as built and
is signed by my key, and can copy the package in to dom0.
You can go through the same process after copying my key and the package
in to dom0. (In fact, you probably should do so.)
Copying a package in to dom0
This is covered here
If you have downloaded PACK.rpm to Downloads in a qube called disp9999,
in dom0 run
qvm-run -p disp9999 'cat Downloads/PACK.rpm' > PACK.rpm
Installing a downloaded template
To install in dom0, copy my key in to /etc/qubes/repo-templates/keys.
Install the package with qvm-template --keyring /etc/qubes/repo-templates/keys/KEY_NAME install PATH_TO_TEMPLATE_PACKAGE
replacing KEY_NAME with whatever name you gave my key and PATH_TO_TEMPLATE_PACKAGE with the actual path to the package.
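The ID comparison described in the post above, as an added example that is not part of the original post or unman's own tooling. It matches the key ID on the Signature line against the signing-capable keys in a listing laid out like the one shown above; the function names are made up for this sketch and the sample text is copied from the post.

```shell
#!/bin/sh
# Added example. Cross-checks the key ID on an RPM's Signature line against the
# signing-capable keys in a gpg listing. It does not verify the signature itself;
# `rpm -K` does that. This only confirms WHICH key the package claims to be signed by.

# Sample text copied from the post above.
RPM_INFO='Signature : RSA/SHA512, Tue 21 Feb 2023 10:56:59 UTC, Key ID fdd1b8244731b36c'
GPG_LISTING='pub rsa4096/8B3F30F9C8C0C2EF
created: 2016-06-25 expires: never usage: SC
sub rsa4096/6233CD8FA59A87A8
created: 2016-06-25 expires: never usage: E
sub rsa4096/FDD1B8244731B36C
created: 2016-06-27 expires: 2024-06-30 usage: S'

# stdin: `rpm -qi` output. Prints the signing key ID in upper case, or nothing.
rpm_sig_keyid() {
    sed -n 's/^Signature[[:space:]]*:.*Key ID \([0-9A-Fa-f]\{16\}\).*$/\1/p' |
        head -n 1 | tr 'a-f' 'A-F'
}

# stdin: listing in the `gpg --edit-key` layout. Prints IDs whose usage includes S.
signing_keyids() {
    awk '
        $1 == "pub" || $1 == "sub" { n = split($2, a, "/"); id = toupper(a[n]); next }
        id != "" && /usage:/ {
            for (i = 1; i < NF; i++)
                if ($i == "usage:" && $(i + 1) ~ /S/) print id
            id = ""
        }'
}

# $1 = rpm -qi output, $2 = gpg listing.
# Returns 0 on a match, 1 if signed by some other key, 2 if there is no signature line.
signed_by_key() {
    kid=$(printf '%s\n' "$1" | rpm_sig_keyid)
    [ -n "$kid" ] || return 2
    printf '%s\n' "$2" | signing_keyids | grep -qx "$kid"
}

if signed_by_key "$RPM_INFO" "$GPG_LISTING"; then
    echo "signed by a signing (sub)key of the imported key"
else
    echo "signing key not found in the listing; do not install" >&2
fi
```

A match here is only meaningful for a key whose fingerprint you have already checked, and the encryption subkey (usage E) is deliberately rejected as a signer.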
Thanks, the guide at Index of /Templates_4.1 had the wrong command with “qvm-template install --keyring /etc/pki/rpm-gpg/RPM-GPG-KEY-unman FULL_PATH_TO_DOWNLOADED_TEMPLATE”. Changing the install position fixed it.
Thanks. I’d fixed that in the Templates page, but missed that.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
No problem! And thank you so much for your templates! Without you QubesOS would be so much more frustrating to work with so I appreciate it a lot!
Probably a silly question, but how do you get a copy of the key to use the templates?
I see the key on qubes.3isec.org but I'm confused how to make use of it in text form I guess… the key concept eludes me so I'm lost on how to proceed. The rest of the guide seems straightforward I think, but getting started involves the key stuff.
Alright, you need to look at how “GPG” (or “PGP”) works. You can take a look at the Qubes OS documentation as an example:
Welp, this is probably really really helpful… I have never been so confused lol. I have a signature now as a .asc file. Every time I try the gpg commands it pretends it's not there. Qubes is truly humbling
I can't help because you don't say what gpg commands you are trying to
use.
If you have downloaded the key, you can check the fingerprint matches
that on the website, or on GitHub, or on the mailing list. The
instruction to do this is on qubes.3isec.org -
gpg -n --import --import-options import-show KEY_YOU_DOWNLOADED
When you are satisfied, copy the key to dom0, and move it in to place.
This is explained at https://qubes.3isec.org/Templates/
Once you have the signing key you can use it to validate template
packages, as explained on that page. If you can't follow the
instructions, let me know what is unclear or what is failing.
When trying to move the key to dom0 using `qvm-template --keyring /etc/qubes/repo-templates/keys/RPM-GPG-KEY-unman install FULL_PATH_TO_DOWNLOADED_TEMPLATE` and for the path I use /home/tbed/kali-core
Feel like I'm missing something simple.
It just keeps saying it cannot find the template file but that sucker is there.
Tried the other way too, making the file and using the template GUI. Fails the template search every time…
Are you sure that the file FULL_PATH_TO_DOWNLOADED_TEMPLATE is a correct rpm file?
If you don’t provide the error messages, we can’t help you.
What you just said clicked it for me… I moved the template file to dom0 but didn't mark it as an rpm file… like an idiot. It's all working now. Sorry for the bother