Qusal install and update guide.
You current setup needs to fulfill the following requisites:
- Qubes OS R4.2
- Internet connection
It is recommended to use separate qube from your normal operations as this installation will eventually be copied to dom0. Apart from that, it is also recommended to use a separate qube for fetching the signing keys, different from the one acquiring Qusal. The separate qubes should be DispVM, but AppVM or StandaloneVM will also work.
-
Install
git
in the qube, if it is an AppVM, install it it's the TemplateVM and restart the AppVM. -
Clone the repository (if you made a fork, fork the submodule(s) before clone and use your remote repository instead, the submodules will also be from your fork).
git clone --recurse-submodules https://github.com/ben-grande/qusal.git ~/qusal
-
Copy the maintainer's signing key to your text editor and save to the file
/home/user/ben-code.asc
.
Before copying anything to Dom0, read Qubes OS warning about consequences of this procedure.
-
Copy the repository
$file
from the DomU$qube
to Dom0 (substituteCHANGEME
for the desired valued):qube="CHANGEME" # qube name where you downloaded the repository file="CHANGEME" # path to the repository in the qube mkdir -p -- ~/QubesIncoming/"${qube}" qvm-run --no-gui --pass-io -- "${qube}" "tar -cf - -C ~ qusal" | tar -xf - -C ~/QubesIncoming/"${qube}"
-
Pass the maintainer's key from the qube to Dom0:
qvm-run --no-gui --pass-io -- "${qube}" "cat -- /home/user/ben-code.asc" | tee -- /tmp/ben-code.asc >/dev/null
-
Verify that the key fingerprint matches
DF38 3487 5B65 7587 13D9 2E91 A475 969D E4E3 71E3
. You can use Sequoia-PGP or GnuPG for the fingerprint verification:gpg --show-keys /tmp/ben-code.asc # or #sq inspect ben-code.asc
-
Import the verified key to your keyring:
gpg --import /tmp/ben-code.asc
-
Enter the repository:
cd ~/QubesIncoming/"${qube}"/qusal
-
Verify the commit or tag signature and expect a good signature, be surprised otherwise:
git verify-commit HEAD
In case the commit verification failed, you can try to verify if any tag pointing at that commit succeeds:
tag_list="$(git tag --points-at=HEAD)" verified=0 for tag in ${tag_list}; do if git verify-tag "${tag}" verified=1 break fi done if test "${verified}" = "0"; then printf '%s\n' "Failed to verify qusal" >&2 false fi
-
Copy the project to the Salt directories:
~/QubesIncoming/"${qube}"/qusal/scripts/setup.sh
To update, you can copy the repository again to dom0 as instructed in the installation section above or you can use easier methods demonstrated below.
Update the repository state in your DomU:
git -C ~/src/qusal fetch --recurse-submodules
This method is more secure than literally copying the whole directory of the repository to dom0 but the setup is more involved. Requires some familiarity with the sys-git formula.
-
Install the sys-git formula and push the repository to the git server.
-
Install
git
on Dom0, allow the Qrexec protocol to work in submodules and clone the repository to~/src/qusal
(only has to be run once):mkdir -p ~/src sudo qubesctl state.apply sys-git.install-client git clone --recurse-submodules qrexec://@default/qusal.git ~/src/qusal
-
Next updates will be pulling instead of cloning:
git -C ~/src/qusal pull --recurse-submodules git -C ~/src/qusal submodule update --merge
-
Verify the commit or tag signature as shown in Dom0 Installation.
-
Copy the project to the Salt directories:
~/src/qusal/scripts/setup.sh
This method is similar to the installation method, but easier to type. This
method is less secure than Git over Qrexec because it copies the whole
repository, including the .git
directory which holds files that are not
tracked by git. It would be easier to distrust the downloader qube if the
project had a signed archive. The .git/info/exclude
can exclude modified
files from being tracked and signature verification won't catch it.
-
Install the helpers scripts and git on Dom0 (only has to be run once):
sudo qubesctl state.apply dom0.install-helpers sudo qubes-dom0-update git
-
Copy the repository
$file
from the DomU$qube
to Dom0 (substituteCHANGEME
for the desired valued):qube="CHANGEME" # qube name where you downloaded the repository file="CHANGEME" # path to the repository in the qube rm -rf ~/QubesIncoming/"${qube}"/qusal UPDATES_MAX_FILES=50000 qvm-copy-to-dom0 "${qube}" "${file}"
-
Verify the commit or tag signature as shown in Dom0 Installation.
-
Copy the project to the Salt directories:
~/QubesIncoming/"${qube}"/qusal/scripts/setup.sh
Template upgrade refers to template major releases upgrade.
As we use Salt, doing clean installs are easy. Unfortunately QubesOS does not provided a CLI program to rename qubes.
- Open
Qube Manager
, select the template you want to upgrade and rename it adding the suffix-old
. TheQube Manager
will change thetemplate
preference of qubes based on the chosen template. - Rerun the formulas that targeted the chosen template.
- If the formula fails, use
Qubes Template Switcher
to set the-old
template to be used by the qubes managed by that specific formula. - Repeat for every template that needs to be upgraded.
This method is discouraged as it leads to different results compared to installing a new template. Fixes done upstream by Qubes OS to the build system of templates, such as package list, cannot be backported to old templates. In other words, in-place upgrades leads to a different environment compared to installing a new template.
One advantage of this method is when dealing with a StandaloneVM, as important data can be present in the root volume, in-place upgrades are easier for this qube class instead of doing a migration of specific folders and files to the new qube.