"make qubes-dom0" fails with "Package is not signed"

Following the build instructions at Qubes ISO Building | Qubes OS the build fails with:

Downloading Packages:
[SKIPPED] perl-Fedora-VSP-0.001-4.fc25.noarch.rpm: Already downloaded
[SKIPPED] perl-generators-1.10-1.fc25.noarch.rpm: Already downloaded
Package rpm-devel-4.14.2.1-5.fc25.x86_64.rpm is not signed

If I understand correctly we just built this package, it does not seem anormal to find it unsigned, what do I miss ?

Hi @yann.

The qubes-devel mailing list may be a better venue for asking development-delated questions.

1 Like

5 posts were split to a new topic: Issue Subscribing to qubes-devel Mailing List

Due to QSB-067 (1), RPMs can no longer be installed if they are not signed. While this is good for updating your templates and dom0, the side effect is this carries into Qubes Builder: when building an RPM-based template/dom0, the built packages must be signed (2).

Personally, I’ve removed the signing restriction in my builder AppVM but I’m sure the Qubes OS team would not recommend this. The threat [that I choose to discard] is an attacker compromising my Qubes Builder AppVM to the point an RPM package is built maliciously is or is maliciously modified between build and installation within the chroot. My interpretation of QSB-067 is that it is primarily meant for RPMs that come from remote sources.

It can surely be argued that once the qubes-building account is compromised, the game is over whether package signing is enabled or not. It does look like package signing at this point does not add much security if at all.

QBS-067 mitigation though seems to imply the packages still have to be signed for their installation to be accepted. Not sure yet what the right balance would look like.