Installing Software in Qubes from .deb / .rpm

Continuing the discussion from How do I create a standalone VM?:

Please note: This is not the standard method of installing software in Qubes. Only use this when you’ve exhausted all other options, if at all.

:warning: Security disclaimers

In this guide multiple sacrifices are made for convenience. Make sure you understand their implications and proceed only if these are acceptable for your particular situation. These include:

  • Not verifying software signatures (due to their unavailability)
    When you install software in the regular way (from the repos) that is done automatically for you. However with this method you have to verify software manually. However many times this is not available, so you cannot confirm the authenticity of the software.

  • Lack of updates
    By installing software from .deb or .rpm packages manually, the applications require manual updates. It is extremely likely the user will forget to update them and thus run the risk of running software with known security vulnerabilities

But please do keep in mind that even with these security sacrifices it is still safer for you to run these programs on Qubes than running them on regular systems (regarding the isolation it can provide to other qubes).

Introduction

All I’m writing here can be found on the documentation with a bit of digging and experimentation. But I’m writing it here as I couldn’t find a consolidated guide on how to install this.

This guide is way more extensive than it would need to be, but the goal here is to be didactic. Hopefully as you follow it you end up understanding a few things that can help you use Qubes more independently.

We’ll be following the installation of the “LocalWP” proprietary software. But you can follow this with any other piece of software available for linux as a .deb or .rpm package.

1. Download software

We first go to the download page for the software, in this case Releases - Local. On the download page we should find either a .deb, an .rpm or both. Each qube can run a different operating system – some run Debian, some Fedora and others run something else. But the file you download will condition which one you have to choose (and keep this choice on the back of your mind).

  • .rpm → fedora
    If you choose a .rpm then the rest of the instructions will be done on a Fedora-based StandaloneVM

  • .deb → debian
    If you choose a .deb then the rest of the instructions will be done on a Debian-based StandaloneVM

You can download this in any of your qubes. Later you’ll move it to the qube where you’ll install it.

2. Create a StandaloneVM

We will be installing it as a StandaloneVM for convenience. You typically do it this way when you want to install some software that you will only use in one virtual machine (VM) and can’t really install via the usual methods. It is also possible to do it on TemplateVMs but that is a bit more involved – let’s leave that as homework.

To do this you click on the localwp-4 “start menu” and open the Create new qube application. Here you change the following:

  • Name: we’re calling it develop, but you can name it whatever you want
  • Type: Standalone qube copied from a template
  • Template: based on the previous step you either choose fedora or debian
  • Launch settings after creation: tick this for the next step

localwp-2

Then the qube settings window will pop up. Here we’ll increase the Private storage max. size to 20G. This is basically the size of your home folder (where you’ll keep all of your stuff). But you can always increase this later by going to the qube’s settings.

After this, hit OK.

3. Installing the software

Note: Now this part will change a bit depending on whether or not you have fedora or debian.

Firstly, copy your download to the develop qube (or the name you gave it). If you don’t know how to do this, check:

Then you open the terminal application on the develop qube and depending on your choice you go either route:

If on Fedora StandaloneVM

When you moved the file to the StandaloneVM, it landed on the folder ~/QubesIncoming/<SOME_VM>/<FILE>.rpm. So in our case we ran on the terminal:

sudo rpm --define '_pkgverify_level digest'  -i ~/QubesIncoming/disp3741/local-5.9.9-linux.rpm

:warning: Warning: the "--define '_pkgverify_level digest' " a security workaround as Qubes disabled unsigned .rpm packages. Read more on the related announcement.

Most likely it will show you some dependency errors like this:

wp-local-5

This happens because on Linux the software you install most often than not depends on other tools which need to be installed on your system first. This part will very much depend on your situation and you’ll have to figure out how to install these dependencies. In our case it told as (see above). So we installed these with:

sudo dnf install libaio ncurses-compat-libs nss-tools

And it should work out well :slight_smile:

Dependencies do not exist / will not be installed?
There is the chance this happens to you. In this case you’ll probably be wasting a lot of time looking for these. If there was a .deb as well, try repeating the process in Debian instead.

After the dependencies are installed you should be ready for installing the actual software you want. Repeat your first install command:

sudo rpm --define '_pkgverify_level digest' -i ~/QubesIncoming/disp3741/local-5.9.9-linux.rpm

This time, it should run without complaining about any dependencies. Skip the debian part by going to step 4.

If on Debian StandaloneVM

When you moved the file to the StandaloneVM, it landed on the folder ~/QubesIncoming/<SOME_VM>/<FILE>.deb. So in our case we ran on the terminal:

sudo apt install ~/QubesIncoming/disp3741/local-5.9.9-linux.deb

Note if you see some errors like the following, feel free to ignore it (see why here)
/home/user/QubesIncoming/<SOME_VM>/<FILE>.deb’ couldn’t be accessed by user ‘_aptsudo apt install``

4. Adding shortcut to start menu

Now the application should be installed but it won’t show up in the application’s menu. To add it, open the qube settings for the develop qube (the app should be named <QUBE_NAME>: Qube Settings). Then open the wp-local-6 tab.

You’ll want to add your application’s name to the right column. If you don’t see it, click on Refresh Applications button. That will take a couple of seconds but afterwards it should show up.

Still don’t see it?
If after refreshing your applications, your newly installed application doesn’t show up it might be that your .deb or .rpm didn’t include a shortcut (which sucks). If this is the case read here to try to salvage the situation.

Move you newly installed to the right column and hit OK. As you can see on the following picture, the Local application is selected.

Then you should see a shortcut for this application on your localwp-4 “start menu” under the develop qube.

For more information on this step, consult the docs.

5. You’re done! :partying_face:

Now, all you have to do is open the application!

6. Update it!

Now, because you installed it manually, whenever there is an update for this application you’ll have to remember to update it by repeating this exact process with the new version.

You’ll remember to do this, right?! :wink:

4 Likes

Feedback on this guide is welcome!

1 Like

But what if it’s still not there? What if the application is just a random script in a random folder?

Thanks. Just added a note about that:

1 Like

Awesome guide! Much appreciated.

Suggestion:
Isn’t it better to use apt/dnf instead of dpkg/rpm? They will understand the dependencies and resolve them automatically.

sudo apt install ./local-5.9.9-linux.deb
sudo dnf install ./local-5.9.9-linux.rpm

1 Like

I have never installed it this way. Have you tested it? If so, let me know.

Yes, both installations worked fine, and the application launched successfully.
Here is the installation log

debian:

user@testing:~$ sudo apt install ./local-5.9.9-linux.deb 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'local' instead of './local-5.9.9-linux.deb'
The following additional packages will be installed:
  libncurses5 libnss3-tools libtinfo5
The following NEW packages will be installed:
  libncurses5 libnss3-tools libtinfo5 local
0 upgraded, 4 newly installed, 0 to remove and 1 not upgraded.
Need to get 1,287 kB/151 MB of archives.
After this operation, 857 MB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 https://deb.debian.org/debian buster/main amd64 libtinfo5 amd64 6.1+20181013-2+deb10u2 [321 kB]
Get:2 /home/user/local-5.9.9-linux.deb local amd64 5.9.9-20210215.1 [150 MB]
Get:3 https://deb.debian.org/debian buster/main amd64 libncurses5 amd64 6.1+20181013-2+deb10u2 [96.2 kB]
Get:4 https://deb.debian.org/debian buster/main amd64 libnss3-tools amd64 2:3.42.1-1+deb10u3 [870 kB]
Fetched 1,287 kB in 3s (410 kB/s)      
Selecting previously unselected package libtinfo5:amd64.
(Reading database ... 135003 files and directories currently installed.)
Preparing to unpack .../libtinfo5_6.1+20181013-2+deb10u2_amd64.deb ...
Unpacking libtinfo5:amd64 (6.1+20181013-2+deb10u2) ...
Selecting previously unselected package libncurses5:amd64.
Preparing to unpack .../libncurses5_6.1+20181013-2+deb10u2_amd64.deb ...
Unpacking libncurses5:amd64 (6.1+20181013-2+deb10u2) ...
Selecting previously unselected package libnss3-tools.
Preparing to unpack .../libnss3-tools_2%3a3.42.1-1+deb10u3_amd64.deb ...
Unpacking libnss3-tools (2:3.42.1-1+deb10u3) ...
Selecting previously unselected package local.
Preparing to unpack .../user/local-5.9.9-linux.deb ...
Unpacking local (5.9.9-20210215.1) ...
Setting up libtinfo5:amd64 (6.1+20181013-2+deb10u2) ...
Setting up libnss3-tools (2:3.42.1-1+deb10u3) ...
Setting up libncurses5:amd64 (6.1+20181013-2+deb10u2) ...
Setting up local (5.9.9-20210215.1) ...
Processing triggers for desktop-file-utils (0.23-4) ...
Processing triggers for mime-support (3.62) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for libc-bin (2.28-10) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for qubes-core-agent (4.0.61-1+deb10u1) ...
N: Download is performed unsandboxed as root as file '/home/user/local-5.9.9-linux.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
user@testing:~$ 

Fedora:

[user@disp2443 ~]$ sudo dnf install ./local-5.9.9-linux.rpm 
Last metadata expiration check: 1:48:51 ago on Fri Feb 19 11:20:47 2021.
Dependencies resolved.
================================================================================
 Package                Arch      Version                 Repository       Size
================================================================================
Installing:
 local                  x86_64    5.9.9-20210215.1        @commandline    142 M
Installing dependencies:
 ncurses-compat-libs    x86_64    6.2-3.20200222.fc33     fedora          326 k
 nss-tools              x86_64    3.60.1-1.fc33           updates         529 k

Transaction Summary
================================================================================
Install  3 Packages

Total size: 143 M
Total download size: 855 k
Installed size: 816 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): ncurses-compat-libs-6.2-3.20200222.fc33. 136 kB/s | 326 kB     00:02    
(2/2): nss-tools-3.60.1-1.fc33.x86_64.rpm       207 kB/s | 529 kB     00:02    
--------------------------------------------------------------------------------
Total                                           127 kB/s | 855 kB     00:06     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : ncurses-compat-libs-6.2-3.20200222.fc33.x86_64         1/3 
  Installing       : nss-tools-3.60.1-1.fc33.x86_64                         2/3 
  Installing       : local-5.9.9-20210215.1.x86_64                          3/3 
  Running scriptlet: local-5.9.9-20210215.1.x86_64                          3/3 
  Verifying        : nss-tools-3.60.1-1.fc33.x86_64                         1/3 
  Verifying        : ncurses-compat-libs-6.2-3.20200222.fc33.x86_64         2/3 
  Verifying        : local-5.9.9-20210215.1.x86_64                          3/3 
Notifying dom0 about installed applications

Installed:
  local-5.9.9-20210215.1.x86_64  ncurses-compat-libs-6.2-3.20200222.fc33.x86_64
  nss-tools-3.60.1-1.fc33.x86_64

Complete!
[user@disp2443 ~]$
2 Likes

Thanks for investigating. That’s pretty great! The dependencies are automatically sorted out.

But the debian one above failed.

I’ll look into this over the next days and update the guide accordingly

1 Like

The problem I’ve been having with running Local WP in App VMs are these error when I try to link my site to their server:

My Local WP was installed in a Template VM.localwp2

I see. So here the issue is very specific. For some reason that library was not present in the dependencies list. See this:

You’ll have to install the package in debian or fedora that includes the libnuma.so.1 library. I generally do this by looking up the library’s name and then the distrubution. For example libnuma.so.1 fedora.

Thanks.

That’s a pretty awesome guide! I would have liked many times to have this information. What about providing a link to it, possibly in the official documentaion in Installing and updating software in domUs ?

2 Likes

Thanks for the suggestion! I think that would be a nice idea. I think that documentation page needs a lot of improving on alternative installation methods.

But first I’ll have move this to the community documentation, probably. (or see if it’s appropriate to go on the official docs). I’ll see if I can get around to doing ths.

This is not necessarily a failure.

When executing sudo apt install [package], apt drops privileges to the _apt user while downloading the file, usually from a remote mirror.

As apt is being told to download a package within file:///home/user/…, it is unable to access as /home/user blocks all permissions except owner. It is non-fatal and only a warning.

apt is informing that it didn’t drop privileges to retrieve the file, which is typically good security practice (apt doesn’t need to be root to download a file, but it does need to be root to install it). If the package file is in a directory accessible by the user _apt, the message will go away.

2 Likes

so you are saying that the installation is successful even with said warning?

Correct, the “local” package did get installed…apt is just warning how it retrieved the package file.

Get:2 /home/user/local-5.9.9-linux.deb local amd64 5.9.9-20210215.1 [150 MB]
...
Fetched 1,287 kB in 3s (410 kB/s)      
...
Selecting previously unselected package local.
Preparing to unpack .../user/local-5.9.9-linux.deb ...
Unpacking local (5.9.9-20210215.1) ...
...
Setting up local (5.9.9-20210215.1) ...

Sorry for the delay @kommuni. Finally managed to implement your feedback on the guide.

1 Like

Thank you so much. And thanks to @icequbes1 for clarifying that complaint from apt.

1 Like

@rooftop also shared a similar answer:

1 Like

I think the latest Qubes Security Bullentin breaks this. So the guide will have to be tested / updated:

2 Likes