Scripting package installs: Can't get proxy to work

Emily · March 24, 2023, 8:03pm

Ah, the fine little details of coding. Not my forte. A few hours at this, and I still can’t get the proxy to work, and/or the sigs to verify. Tried numerous approaches. If you can see an obvious error with my approach, please throw me a bone, cause I’m all but done trying to get this to work:

Ref:

#!/bin/bash
# Downloads, verifies, and installs Libre Office.
# Must be run as root from dom0. Pass target qube as param.

# Set variables
VERSION="7.5.1"
LINK="https://download.documentfoundation.org/libreoffice/stable/${VERSION}/deb/x86_64/"
PACKAGE="LibreOffice_${VERSION}_Linux_x86-64_deb.tar.gz"
SIGNATURE="LibreOffice_${VERSION}_Linux_x86-64_deb.tar.gz.asc"
HASH="sha256sums.asc"
TARGET_TEMPLATE=""

# Check if the qube name was passed as a parameter
if [ $# -eq 0 ]
  then
    echo "No qube name provided. Please run the script with the qube name as a parameter."
    exit 1
else
  TARGET_TEMPLATE=$1
fi

# Set the proxy
sudo qvm-run --pass-io -u root "export https_proxy=127.0.0.1:8082"


# Install deps
sudo qvm-run --pass-io -u root ${TARGET_TEMPLATE} \
  "apt update && apt upgrade -y && apt autoremove -y && apt install -y qubes-core-agent-networking curl"

# Download the package, signature, and hash
sudo qvm-run --pass-io -u root ${TARGET_TEMPLATE} "curl -O ${LINK}${PACKAGE} \
  -O ${LINK}${SIGNATURE} \
  -O ${LINK}${HASH}"

# Get the public key associated with the signature
sudo qvm-run --pass-io -u root ${TARGET_TEMPLATE} \
  "gpg --keyserver hkp://keys.gnupg.net --recv-keys AFEEAEA3"

# Import the public key associated with the signature
sudo qvm-run --pass-io -u root ${TARGET_TEMPLATE} \
  "curl https://keys.openpgp.org/vks/v1/by-fingerprint/C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3 | gpg --import"

# Verify the hash and signature
sudo qvm-run --pass-io -u root ${TARGET_TEMPLATE} "gpg --verify ${SIGNATURE}"
if [ $? -ne 0 ]
  then
    echo "Signature verification failed. Aborting installation."
    exit 1
fi
sudo qvm-run --pass-io -u root ${TARGET_TEMPLATE} "sha256sum -c ${HASH}"
if [ $? -ne 0 ]
  then
    echo "Hash verification failed. Aborting installation."
    exit 1
fi

sudo qvm-run --pass-io -u root ${TARGET_TEMPLATE} "
    tar -xzf ${PACKAGE}
    sudo qubes-dom0-uninstall libreoffice -y # remove previous version
    apt install -y libglu1 libdbus-glib-1-2 libsm6 libxrender1 libxt6 libxrandr2 libxi6
    dpkg -i LibreOffice*/DEBS/*.deb"

# Clean up
sudo qvm-run --pass-io -u root ${TARGET_TEMPLATE} "rm ${PACKAGE} ${SIGNATURE} ${HASH}"

renehoj · March 24, 2023, 8:19pm

You are exporting the proxy variable on the host running the script, and executing the curl command on a remote host, it’s not going to work.

You don’t need to use export, you add the proxy directly to the curl command.

curl --proxy http://localhost:8082/ URL

szz9pza · March 24, 2023, 8:26pm

Related topic.
https://forum.qubes-os.org/t/cant-get-proxy-to-connect-in-a-template-install-script/17602

It’s seems that human explanation doesn’t meet your expectations.
(or you don’t pay enought attention …)
I recommand a generative AI such as ChatGPT.

Emily · March 24, 2023, 8:29pm

I did try your solution.
I couldn’t get it to work on that script. Sidelined… tried another approach in the next script. Hoping to refactor the first one once I found a working solution.

I tried this before too:

sudo qvm-run --pass-io -u root ${TARGET_TEMPLATE} \
  "curl --proxy http://localhost:8082/ https://keys.openpgp.org/vks/v1/by-fingerprint/C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3 | gpg --import"

Beginning to wonder if its something related to the machine and not the code.

szz9pza · March 24, 2023, 8:49pm

According to your last reponse on the other thread, its appear you have not.

Any reason, for libreoffice, to not use apt install libreoffice ??
If you don’t trust the package manager, you shouldn’t trust the distro… ?

renehoj · March 24, 2023, 8:50pm

You can’t import that key, what is why the gpg command fails.

Emily · March 24, 2023, 8:57pm

I did. I keep getting "connection refused errors for port: 8082. Possible the ports are configured differently on this machine?

Emily · March 24, 2023, 8:58pm

I was under the impression a direct install from the source was more secure. Is this not the case?

renehoj · March 24, 2023, 9:18pm

This works for me.

sudo qvm-run --pass-io -u root VMNAME “curl --proxy http://localhost:8082/ ‘https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xc2839ecad9408fbe9531c3e9f434a1efafeeaea3’ | gpg --import”

szz9pza · March 25, 2023, 8:51am

https://www.startpage.com/do/search?q=source+vs+apt+security
https://www.startpage.com/do/search?q=source+vs+package+manager+security

You need to remove libreoffice with apt remove.

Read again your whole script. Take your time.
If you struggle with the concept that each call of qvm-run is like a new terminal session,
just use the --proxy option (as mentionned by Renehoj).

Don’t forget to paste the exact and complete error message here.
Otherwise, it’s hard to tell what happened.

edit:
Also as mentionned by Renehof:

https://www.startpage.com/do/search?q=gpg+proxy
in first result:
https://unix.stackexchange.com/questions/361213/unable-to-add-gpg-key-with-apt-key-behind-a-proxy