cd /etc/apt/sources.list.d/
nano kali.list
Old, repos included with template (DO NOT USE).
# deb http://http.kali.org/kali kali-rolling main non-free contrib
New Repos:
deb https://kali.download/kali kali-rolling main non-free contrib
I used kali.download as kali.org was extremely slow for me.
Thank you for your reply. I was and still am a little concerned about the errors I was getting “Payload forged!” and “…rpm.UNTRUSTED”, but I retried the initial install command several times and it eventually completed the template download. I was able to fix the subsequent dom0 small pool issue with the command suggested here by fepitre: sudo journalctl --vacuum-time=1d
…rpm.UNTRUSTED is a temporary name of the downloaded rpm package. It is first downloaded with that name, then the SHA is calculated and checked. If it is OK, it is then renamed to the same name without the .UNTRUSTED postfix and installation begins. This is the “Qubes way” of downloading the packages. So what you see is IMO corruption during download. Then the checksum does not match, you see the message “Payload forged!” and installation does not start.
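The staging pattern described in the reply above (download under a temporary .UNTRUSTED name, check a digest, rename only on success), as an added Python illustration that is not part of the original thread and is not Qubes code. The function names, the choice of SHA-256 and the source of the expected digest are assumptions; it does not perform the RPM signature check mentioned in the error message in the next post.

```python
import hashlib
import hmac
import os
import tempfile

SUFFIX = ".UNTRUSTED"  # staging suffix quoted in the post above


def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so a multi-GB template RPM is not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def promote_if_valid(staged_path, expected_sha256):
    """Rename <name>.UNTRUSTED to <name> only when the digest matches.

    On mismatch the staged file is deleted and ValueError is raised."""
    if not staged_path.endswith(SUFFIX):
        raise ValueError("not a staged file: " + staged_path)
    actual = sha256_file(staged_path)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        os.remove(staged_path)  # never leave unverified data behind
        raise ValueError("digest mismatch, payload rejected")
    final_path = staged_path[: -len(SUFFIX)]
    os.replace(staged_path, final_path)  # atomic within one filesystem
    return final_path


def demo():
    """Constructed data: one intact download and one truncated in transit."""
    payload = b"constructed template payload" * 1000
    expected = hashlib.sha256(payload).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("good.rpm", payload), ("bad.rpm", payload[:-7])):
            staged = os.path.join(d, name + SUFFIX)
            with open(staged, "wb") as f:
                f.write(data)
            try:
                results[name] = os.path.basename(promote_if_valid(staged, expected))
            except ValueError as e:
                results[name] = str(e)
            results[name + " staged left"] = os.path.exists(staged)
    return results
```

A truncated or corrupted download never reaches the trusted file name, so retrying the download is the only path forward, which matches the behaviour reported earlier in the thread.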
Installation breaks after 10 seconds of file check with “Error: Signature verification failed: -: digests SIGNATURES NOT OK”
unman.pub is your certificate, which I installed before, but looks like I didn’t oversee all, cause I get an error in the end, but very quick after the install command. It’s just checking the 3,xx GB rpm and then stops. File should be okay, must be a wrong setting of the certificate I assume.
I have read through every forum post I could find on the kali template, but I am left with a couple questions still:
Is it “recommended” to use the one from the community repos that fepitre posted here originally, installing through more official methodology in dom0, or is using the one unman so graciously built and hosts elsewhere just as reasonable? It sounds to me from my reading that unman’s version is handling updates better due to locking qubes-specific files?
Also, if the template does act as a “rolling” release, and I install the community template from the repos, will I ever need to dump it and install a newer one once bookworm is stable? Or will it just “roll” into the new Debian base?
Just trying not to break my qubes setup because I am still not yet proficient in fixing it if I do…
Short story: unman’s version is based on bookworm // the community’s is based on bullseye…
In long, I had the same question for 1)
unman just replied that his version simply is the new one (based on latest Debian) and the community one still is the “bullseye” one.
And this means for 2)
you always have to start from scratch, if you have a version running. So if you have the community one, you will always be stuck in bullseye (unless there’s a new community one outside) and if you have unman’s kali template installed you’re sticking in bookworm with every future update unless unman comes up with another new release/template.
Not strictly true - you could do a standard apt full-upgrade to get from bookworm to
trixie, when bookworm becomes stable. The qubes packages should still
work for a while until testing diverges more and more from stable.
(You could do the same for the bullseye community template. I haven’t
tried it: at some point I suspect that the divergence of packages would
be too much to overcome, but maybe not.)
I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
@fepitre Has there been more movement with getting this template built into the community repository on Bookworm?
I want to install a bookworm template on my setup anyway, and so I figure I will try to use this when it is ready, or use unman’s version which is on bookworm. But I would prefer to install from the community repo just because I feel more comfortable running the single command to do it than manually installing from the image. Maybe it’s easier than I think…
Ironically I already downloaded unman’s and made the size adjustments to dom0, checked the signature, and all that, so I can go forward with that if needed. Although, I don’t actually know the command to install it from the file image as opposed to the repository. Is it similar?
lol, I guess I half-expected that, but didn’t want to try without confirming, just in case I was being ignorant. I also half expected that there would be some difference because dom0 would need to be informed there was a new TemplateVM as opposed to an arbitrary package installed. How does it know? I guess the answer must be in the RPM itself the instructions are integrated?