Veracrypt install script for minimal templates

Anyone have an install script that installs all the dependencies and such inside a minimal template?

That depends on what it is you’re trying to solve.

If you’re trying to get the GUI version, it is at least hosted on a repository–but it’s a third party repository. I decided that even though I could just do an apt install on it, I didn’t trust it.

The main veracrypt site will let you download .deb (and presumably fedora) packages for both the GUI and console, but then you have to “manually” install them from the files. Even there, though, you can tell apt to get it done and pull in all dependencies. (I again don’t know how that works on Fedora.) Or alternatively use dpkg, but that will require you to manually install dependencies first. (By manually, of course, I mean having to actually enter the commands, one by one, for the dependencies–the sort of crap apt-get was written to get around having to do.)

I’ve gone through a few iterations of this with salt (which I could translate into a bash script for debian); I’m not completely happy with any of the solutions for reasons that reduce to either 1) No repository or 2) Only a third party repository.

Ya, I remember doing all this last time. This go around, I’m getting dependency problems…I was hoping someone had a script handy that installed all the dependencies, and did a proxy wget direct from veracrypt.fr.

Edit: I ended up installing the hard way, the dependencies manually. At some point I’ll script it if someone else hasn’t already.

1 Like

I can’t tell for sure from this, but it looks like this covers only the GUI version of veracrypt. It does look like a different third party though (mine was “notesalexp”), so thanks for the information.

I use the GUI version in some contexts, and the command-line (console) version in others (i.e., in automated scripts). In that latter case, I have to download the package and install from it, in the former, something like what you present here is an option but I already have the download of the GUI deb package anyway, so I use it. (My salt file for installing the GUI version is set up to use either method according to a flag I set.)

Incidentally, I was doing something very slightly different–the curl command includes the proxy as a parameter so the export is unnecessary.

[BTW I’ve only recently started doing wget/curl with certain things, I’m a n00b in that regard.]

I noticed though that after a recent update distributed through qubesOS, one of my machines required me to “allow-downgrades” while the other one did not, in order to install veracrypt (the gui, not the console). I’m not at all sure why that was necessary only in one of two places. But apparently some package Veracrypt depends on got updated and the Veracrypt package flagged that as an incompatible version. (I don’t recall the name of that upgraded package unfortunately).

1 Like

Sigh… aside from your launchpad.net dependency.
If you’re a-team, you’d redo it to download direct from the source, verify the sigs and hashes, then install.

@Emily - you don’t need me to tell you that this was unnecessarily
snarky.
You were offered a reasonable response to your question.
Please treat it as such.

If you know how to improve it to suit your needs, post the improved
version.
If you don’t know how to improve it, simply say, “Thanks but I would like
to avoid launchpad and use the source”.

Either of these will be helpful to other users, and set a good tone in
the forum.
Your response does not.

1 Like

The Law of Correspondence in action.

A 3rd party might be tolerable for mission critical software, if the sigs and hashes were verified from the source. Without that, it could be anything you’re installing.

Title reflects the desired outcome in as few words as possible.
I would imagine it would go without saying that Veracrypt and any/all security software must be verified from the source before it could ever be trusted. But next time I’ll be sure to include any and all possible qualifiers.

How about this…

```bash
#!/bin/bash
# Verifies and installs Veracrypt console
# credit: https://forum.qubes-os.org/u/cayce
# ref: https://forum.qubes-os.org/t/veracrypt-install-script-for-minimal-templates/17566/5

apt install -y qubes-core-agent-networking curl
export https_proxy=127.0.0.1:8082

curl -sSLo /tmp/veracrypt.deb https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-console-1.25.9-Debian-11-amd64.deb

# Verify hash
expected_hash="4c64cd7212a93ad80ffe216d4ac9520703b206d105cbf56b485c6f2bc231ee2e"
actual_hash=$(sha256sum /tmp/veracrypt.deb | awk '{print $1}')

if [ "$actual_hash" != "$expected_hash" ]; then
    echo "WARNING: File hash check failed. Killing install."
    exit 1
fi
# to do:  Add sig verification.
apt install -y /tmp/veracrypt.deb
```

…but for some reason the proxy is failing.

Edit: Adding sudo seemed to fix the proxy issue.

```bash
#!/bin/bash
# Verifies and installs Veracrypt console
# credit: https://forum.qubes-os.org/u/cayce
# ref: https://forum.qubes-os.org/t/veracrypt-install-script-for-minimal-templates/17566/5

# Minimal templates ship without the networking agent or curl
sudo apt install -y qubes-core-agent-networking curl
# Templates have no direct network access; downloads go through the Qubes updates proxy
export https_proxy=127.0.0.1:8082

sudo curl -sSLo /tmp/veracrypt.deb https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-console-1.25.9-Debian-11-amd64.deb

# Verify hash (the expected value is pinned in this script, not fetched alongside the download)
expected_hash="4c64cd7212a93ad80ffe216d4ac9520703b206d105cbf56b485c6f2bc231ee2e"
actual_hash=$(sha256sum /tmp/veracrypt.deb | awk '{print $1}')

# Refuse to install anything whose digest does not match the pinned value
if [ "$actual_hash" != "$expected_hash" ]; then
    echo "WARNING: File hash check failed. Killing install."
    exit 1
fi
# to do:  Add sig verification.
sudo apt install -y /tmp/veracrypt.deb
```
1 Like
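
The signature step that the script above leaves as a to-do could look like this. It is an added example, not part of any poster's script; the `.sig` and key file paths and `PINNED_FPR` are assumptions (the fingerprint shown is a constructed placeholder). It checks gpg's machine-readable status against a pinned fingerprint instead of trusting the exit code, so a valid signature from some other key, or from an expired or revoked key, is rejected.

```bash
#!/bin/bash
# Added example, not from the thread. Assumed names: the .sig and key file
# paths, and PINNED_FPR (constructed placeholder; set it to the signing-key
# fingerprint you confirmed out of band).
PINNED_FPR="0000000000000000000000000000000000000000"

# validsig_matches STATUS FPR
# STATUS is `gpg --status-fd` output. Accept only when there is a GOODSIG, a
# VALIDSIG whose last field (primary-key fingerprint) equals FPR, and no
# status reporting a bad, unverifiable, expired or revoked signature or key.
validsig_matches() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { pinned = 1 }
        END { exit (good && pinned && !bad) ? 0 : 1 }'
}

# verify_deb DEB SIG KEYFILE
# Imports KEYFILE into a throwaway keyring so that no other key already on
# the system can vouch for the package, then checks the detached signature.
verify_deb() {
    local deb="$1" sig="$2" keyfile="$3" home status
    home=$(mktemp -d) || return 1
    gpg --homedir "$home" --batch --quiet --import "$keyfile" 2>/dev/null
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$sig" "$deb" 2>/dev/null)
    rm -rf "$home"
    validsig_matches "$status" "$PINNED_FPR"
}

# Only acts when called with --install, after the hash check has passed.
if [ "${1:-}" = "--install" ]; then
    if verify_deb /tmp/veracrypt.deb /tmp/veracrypt.deb.sig /tmp/veracrypt-key.asc; then
        sudo apt install -y /tmp/veracrypt.deb
    else
        echo "WARNING: Signature check failed. Killing install." >&2
        exit 1
    fi
fi
```

The pinned fingerprint only helps if it was obtained through a channel other than the one the package and key file came from.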

? non sequitur

Are you referring to your original work or my fork?
And if the latter, what is “incorrect” about it?
And I really do ask that with sincerity…cause I don’t let my ego get in the way of learning.

P.S. Thanks for the script @SteveC. Please post it so I can credit the solution to you.

Specifically what was “mangled/neutered”?

The only scripts I received were the ones you posted in this thread.

I always appreciate accurate and useful criticism. But your solution wasn’t a solution without hash and sig checks. If it had that, I’d more than consider it a solution and credit you for it.

And a nice script it is. One that I believe you said @SteveC sent you in a DM. If that’s not the case, I’ll more than happily credit you with the solution.
