Parrot security and Ubuntu Focal templates

Hi

I’ve just uploaded some new pre-built templates for 4.0:
An updated Ubuntu Focal, and a fully loaded Parrot Security template.

All my templates, packages and repositories, are signed with
my Qubes Signing key - you can get this from any keyserver. You
should check this against other sources - https://qubes.3isec.org,
the Qubes-Users mailing list,
GitHub,
maybe another keyserver over Tor.

You should do something like this, in a Fedora disposableVM - make sure
you have enough space in the qube you use to download.
Download the template you want from https://qubes.3isec.org/Templates

Once you have downloaded and confirmed my “Qubes OS signing key”, add it to
your rpm keyring:
sudo rpm --import <downloaded_key>

Check the signature on the template:
rpm -K <Template_file>
If all is well you will see “digests signatures OK”

Once you are satisfied, install the Template.
To do this you will need to copy it to dom0.
In dom0, run:
qvm-run -p <disposableVM> 'cat <location of template>' > <template_name>

Then, in dom0, install:
sudo dnf install <template_name>

Enjoy


Notes on building flavors

See the following post:

8 Likes

Thanks!

Thanks a lot @unman. You can’t see them, but you’ve received 3 likes here on the forum for that post.

@b4xqrm7nti

  1. does the key mean that these are original releases?
    They are signed with my key.
    By installing them (after checking the key) you trust me to do the right
    thing.
    The templates are built using the standard Qubes builder, and are not
    otherwise modified.

  2. These could have been edited and modified however they wanted and then uploaded here right?
    Absolutely true: no one should install them without considering the risks
    involved.
    If you want to build these (or any other template I provide), I’m happy
    to help you with that process. I strongly recommend that folk do this, so
    they can learn more about the internals of Qubes, and the build process.

I’ve been providing templates and packages for years without any issues.

1 Like

Thanks. I just asked earlier… But then I saw you were part of the Qubes team, so I trust you. :wink: That’s why I changed the text last time also…
I mostly wondered about it earlier, and about the key. Thanks for the answer, and templates.

It’s a peculiarity of mailing mode that we do not see edits to posts, so
I’m afraid your changes passed me by.
Hope the Templates are of use to you.

1 Like

No problems. Yeah, I will try Ubuntu later on. Thanks

Thanks @unman for the templates.
Could you provide instructions on how to build the parrot template on our build environment?

Would you also be able to share the work needed in order for bsd based installations to be built?

Also, is there an onion service where these templates are available as well?

Yes, to 1 and 3. bsd templates are wip.
Too late to type it up now - I’ll write up tomorrow.

@unman a few steps to help those rusty on their GPG CLI skills:

I got your key ID from here (Downloading that .asc file doesn’t work)

gpg --keyserver pgp.mit.edu --recv-keys 4B1F400DF25651B53C4141B38B3F30F9C8C0C2EF

Then one must export the key:

gpg --output unman-public.pgp --armor --export unman@thirdeyesecurity.org

Then import the key:

sudo rpm --import unman-public.pgp

Then this works:

Should be:

sudo dnf install qubes-template <template_name>
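
The key and signature checks from the first post, using the fingerprint quoted in the reply above, as an added example that is not part of any post in this thread. The function names are made up for the example; it assumes a GnuPG that supports `--show-keys` and an rpm that prints “digests signatures OK” as the first post describes.

```bash
#!/bin/bash
# Added example, not code from the thread. Function names are illustrative.

# Fingerprint as quoted in this thread; confirm it against other sources first.
EXPECTED_FPR="4B1F400DF25651B53C4141B38B3F30F9C8C0C2EF"

# Normalise a fingerprint: drop spaces and colons, upper-case the hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'; }

# fprs_agree <expected> <seen>...: every copy must equal the full 40-hex value.
# A short key ID never passes, so a colliding short ID cannot stand in.
fprs_agree() {
    local want got
    want=$(norm_fpr "$1"); shift
    [ "${#want}" -eq 40 ] || return 1
    [ "$#" -gt 0 ] || return 1
    for got in "$@"; do
        [ "$(norm_fpr "$got")" = "$want" ] || return 1
    done
}

# Primary-key fingerprint of a downloaded key file, read without importing it.
key_file_fpr() {
    gpg --show-keys --with-colons "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Judge the line printed by "rpm -K": only "digests signatures OK" passes.
rpm_sig_ok() {
    case "$1" in
        *"NOT OK"*) return 1 ;;
        *"digests signatures OK"*) return 0 ;;
        *) return 1 ;;   # includes plain "digests OK" (no signature at all)
    esac
}

# verify_template <key_file> <template.rpm>: run in the download disposableVM.
verify_template() {
    local key=$1 pkg=$2 out
    fprs_agree "$EXPECTED_FPR" "$(key_file_fpr "$key")" ||
        { echo "key fingerprint mismatch: not importing" >&2; return 1; }
    sudo rpm --import "$key" || return 1
    out=$(LC_ALL=C rpm -K "$pkg")
    rpm_sig_ok "$out" || { echo "signature check failed: $out" >&2; return 1; }
    echo "verified: $pkg"
}

if [ "$#" -eq 2 ]; then verify_template "$1" "$2"; fi
```

An unsigned package makes `rpm -K` print “digests OK” and still exit 0, which is why the check matches the text rather than the exit status. `rpm -K` also accepts a signature from any key already in the rpm keyring, so run it in a fresh disposableVM.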

Finally, I’ve written up some notes on building flavors. Don’t be put
off by the length - the actual process is straightforward and much
faster to do.
I hope they are (almost) readable and clear.

Here’s how to build a Parrot template - you can adapt this to cover just
about any case which is based on an existing template.

Parrot, like Kali, is based on Debian testing - so the first thing you
need to do is make sure you can build a bullseye template.

  1. Set up the Qubes build environment, as set out here:
    Qubes Builder | Qubes OS
    If you want a configured environment there is a salt formula in GitHub - unman/shaker

  2. In qubes-builder, run ./setup
    Select 4.0
    Stable
    Git Clone Faster
    DO NOT use Pre-build Packages - select OK without having selected an option
    Build only the templates
    In the Selection list choose “buster”
    In the Plugins Selection, deselect builder-rpm and select builder-debian.
    Get-sources - select “Yes”

  3. Now edit the file that has been created - builder.conf:
    Look for the Section headed LIST OF DIST VM'S
    This is where you specify what VM will be built.
    Change the line under # Enabled DISTS_VMs that says:
    DISTS_VM += buster+standard
    to:
    DISTS_VM += bullseye
    Save the file

  4. make qubes-vm
    This will create a bullseye chroot, and build all the qubes packages.

  5. Once you can build the bullseye packages, you can build Parrot.
    Parrot is a “flavor” of bullseye, so you specify it like this in the builder.conf file:
    bullseye+parrot

You can change the template name in the section marked TEMPLATE CONFIGURATION
TEMPLATE_LABEL += bullseye+parrot:parrot

Add a line:
TEMPLATE_FLAVOR_DIR += +parrot:$$$$TEMPLATE_SCRIPTS/parrot

  6. Almost all of the necessary work is done in the builder-debian directory.
    You have to identify any changes that are needed to a standard bullseye build.
    You need to set the Parrot repository.
    Add the Parrot signing key.
    Specify what packages you want to install in the template.

Put the Parrot signing key in the keys directory.
In the template_debian directory create a file packages_parrot.list and specify the packages to install - just one line will do:
parrot-tools-full
Create template_debian/parrot, and create a file 04_install_qubes_post.sh

This is the file that does the Parrot install - it runs after the standard 04_install_qubes.sh script.
You can copy an existing file and adapt it as you will.
In this case, we want to add the parrot key, update the repository list, and then run the install.
If you look at the file you will see that we use chroot_cmd to run commands in the chroot built earlier, and various helper scripts from distribution.sh

Because Bullseye is a testing distribution it may be that some updates would break the Qubes packages.
You can avoid this by marking the key packages with “hold”, so they won't
be replaced:

chroot_cmd apt-mark hold qubes-core-agent
chroot_cmd apt-mark hold qubes-core-agent-networking
chroot_cmd apt-mark hold qubes-gui-agent

  7. The only other change needed is to make sure there is enough space in the template.
    The templates are created in qubes-src/linux-template-builder/prepare_image:
if [ -z "$TEMPLATE_ROOT_SIZE" ]; then
    TEMPLATE_ROOT_SIZE=10G
fi

You can change this, or insert a new stanza like so:

if [ "$TEMPLATE_FLAVOR" == "parrot" ];then
    TEMPLATE_ROOT_SIZE=30G
fi
if [ -z "$TEMPLATE_ROOT_SIZE" ]; then
    TEMPLATE_ROOT_SIZE=10G
fi

  8. Now everything is in place.
    In qubes-builder, run make template, and the new Parrot template should (finally) appear in qubes-builder/qubes-src/linux-template-builder/rpm/noarch, ready to copy into dom0 and install.

The changes to builder-debian are in my “parrot” branch.
You can grab them like so:

cd qubes-src/builder-debian
git remote add unman https://github.com/unman/qubes-builder-debian.git
git fetch unman
git checkout -b parrot unman/parrot

Although this is long, it takes far longer to read than to do, and the process is simple.
You can adapt this process to build almost any flavor of template you want: any template based on an existing template.
Parrot, Kali, Mint, BlackArch.

Building a new template takes a little more work.

2 Likes

Great. I have appended a reference to this reply on the first post so people can easily find this. It now reads:

Hope you don’t mind @unman.

Of course not - anything that makes it easier to find is good.

2 Likes

Sir,
First, thank you for the templates. I downloaded them and I renamed them and put them into their own folders so as not to get them lost or confused…I am following the instructions…

install the Template.
To do this you will need to copy it to dom0.
In dom0, run:
qvm-run -p <disposableVM> 'cat <location of template>' > <template_name>

But once I hit enter I get this…
qvm-run: error: unrecognized arguments: Arch

That is what I renamed the template I downloaded from your link…
Any help would be great.
Thank you

What is the command you are running? You may be missing a ' or >

I’ll look closer again… You might be right.
Also should I do these template installs as “root” or user?

qvm-run does not need to be run as root, however dnf install does need to be run with sudo in front (or otherwise as root)

Gotcha bro

Before I go any farther, just wanted everyone to know. Finally back to work and my state has lifted all Covid restrictions and man is it GREAT!!
So this is my free weekend to work on my Qubes-OS, so please try to understand, I just want it to work as best as it can…

So I am still having problems trying to install the templates “unman” was kind enough to do for us.
I am following the command to the “T”. And still can’t get the template to install